VenomStealer ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
VenomStealer is being run as a licensed underground service with an affiliate program, shifting it from a single malware kit into a repeatable operator ecosystem that can scale credential theft. That matters because the Telegram-based sales model and ongoing updates suggest a full-time criminal operation with broader reach and faster adoption.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
REF6598 Obsidian social-engineering campaign targeting finance and crypto users
Campaign
First: 16.04.2026 14:02
Last: 16.04.2026 14:02
Sources 1
About this happening:
The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...
REF6598 Obsidian social-engineering campaign targeting finance and crypto users
CampaignAbout this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...
CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
First: 02.04.2026 02:17
Last: 02.04.2026 02:17
Sources 1
About this happening:
The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
CrystalRAT Telegram-promoted malware-as-a-service
Malware ActivityAbout this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor MetaAbout this happening: **Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Timeline
-
31.03.2026 17:51 2 articles · 1mo ago
VenomStealer ecosystem shift changes threat-actor operations
Initial DisclosureThe operation is currently being marketed through **Telegram** as a **licensed service** with an **affiliate program**, showing a service-style monetization phase rather than a one-off sale. This phase matters because it indicates an expanding underground distribution model around **VenomStealer**.
Show sources
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51