Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
Summary
The Venom Stealer malware-as-a-service platform has been identified as a credential-theft threat that keeps exfiltrating data after infection, extending the window for account takeover and crypto theft. It folds ClickFix social engineering into its operator panel so attackers can automate the path from lure to data theft. The malware targets Chromium and Firefox-based browsers for saved passwords, session cookies, autofill data, browsing history, and wallet information. The platform is also sold on cybercrime networks and was described as actively maintained with multiple updates in March 2026.
Related Happenings
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Timeline
31.03.2026 03:00 · 2 articles · 1mo ago
BlackFog identifies Venom Stealer MaaS
Initial Disclosure
BlackFog researchers identify Venom Stealer, a malware-as-a-service platform sold on cybercrime networks that integrates ClickFix social engineering into its operator panel, automates credential theft and continuous data exfiltration, and steals saved passwords, session cookies, browsing history, autofill data and cryptocurrency wallet information from Chromium and Firefox-based browsers while continuously monitoring Chrome's login database for newly saved credentials.
Sources:
- New Venom Stealer MaaS Platform Automates Continuous Data Theft — www.infosecurity-magazine.com — 01.04.2026 16:30