VenomStealer ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
VenomStealer is being run as a licensed underground service with an affiliate program, shifting it from a single malware kit into a repeatable operator ecosystem that can scale credential theft. That matters because the Telegram-based sales model and ongoing updates suggest a full-time criminal operation with broader reach and faster adoption.
Related Happenings
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor Meta
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
**OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor MetaAbout this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
REF6598 Obsidian social-engineering campaign targeting finance and crypto users
Campaign
H score35
First: 16.04.2026 14:02
Last: 16.04.2026 14:02
Sources 1
About this happening:
The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...
REF6598 Obsidian social-engineering campaign targeting finance and crypto users
CampaignAbout this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...
CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
H score28
First: 02.04.2026 02:17
Last: 02.04.2026 02:17
Sources 1
About this happening:
The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
CrystalRAT Telegram-promoted malware-as-a-service
Malware ActivityAbout this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
Timeline
-
31.03.2026 17:51 2 articles · 3mo ago
VenomStealer ecosystem shift changes threat-actor operations
Initial DisclosureThe operation is currently being marketed through **Telegram** as a **licensed service** with an **affiliate program**, showing a service-style monetization phase rather than a one-off sale. This phase matters because it indicates an expanding underground distribution model around **VenomStealer**.
Show sources
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51