Venom Stealer MaaS infostealer with persistent credential harvesting
Malware Activity
Summary
Hide ▲
Show ▼
The Venom Stealer infostealer now ships as malware-as-a-service (MaaS), expanding access to a persistent credential-theft tool and raising risk for Windows users. It steals browser passwords, session cookies, autofill data, and cryptocurrency wallet vaults. March 2026 updates added a silent background listener that keeps checking for newly saved passwords and wallet activity. The kit also uses ClickFix social engineering lures and automated exfiltration and cracking steps to speed theft and fund sweeping.
Related Happenings
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
OnyxC2 stealer remote-access and credential-theft activity
Malware Activity
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
OnyxC2 stealer remote-access and credential-theft activity
Malware ActivityAbout this happening: The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/Service
H score10
First: 15.05.2026 17:49
Last: 15.05.2026 17:49
Sources 1
About this happening:
**Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/ServiceAbout this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
H score34
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/MitigationAbout this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
H score24
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware ActivityAbout this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
Timeline
-
31.03.2026 17:51 2 articles · 3mo ago
BlackFog discloses Venom Stealer MaaS
Initial DisclosureBlackFog analyzes Venom Stealer, a malware-as-a-service infostealer sold via Telegram under the VenomStealer handle, and details Cloudflare DNS-backed custom domains, pre-built ClickFix lures, Windows targeting, cross-browser credential theft, wallet theft, and March 2026 updates that added a silent background listener plus Chrome v10/v20 password-encryption bypass support.
Show sources
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51