Find notable cyber news and cases, enriched with sources, timelines, and signals.

VenomStealer ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

VenomStealer is being run as a licensed underground service with an affiliate program, shifting it from a single malware kit into a repeatable operator ecosystem that can scale credential theft. That matters because the Telegram-based sales model and ongoing updates suggest a full-time criminal operation with broader reach and faster adoption.

Related Happenings

OnyxC2 developers commercialize stealer as tiered MaaS with support

Threat Actor Meta
H score23 First: 11.06.2026 16:00 Last: 11.06.2026 16:00 Sources 1

About this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
H score35 First: 16.04.2026 14:02 Last: 16.04.2026 14:02 Sources 1

About this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...

CrystalRAT Telegram-promoted malware-as-a-service

Malware Activity
H score28 First: 02.04.2026 02:17 Last: 02.04.2026 02:17 Sources 1

About this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...

Timeline

  1. 31.03.2026 17:51 2 articles · 3mo ago

    VenomStealer ecosystem shift changes threat-actor operations

    Initial Disclosure

    The operation is currently being marketed through **Telegram** as a **licensed service** with an **affiliate program**, showing a service-style monetization phase rather than a one-off sale. This phase matters because it indicates an expanding underground distribution model around **VenomStealer**.

    Show sources