Find notable cyber news and cases, enriched with sources, timelines, and signals.

Venom Stealer subscription and affiliate malware-service ecosystem

Threat Actor Meta
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

Venom Stealer is being run as a subscription-based malware service with Telegram licensing and an affiliate program, signaling a more organized cybercrime ecosystem and increasing the scale of credential theft. The model makes it easier for operators to buy access, distribute attacks, and keep monetizing stolen data over time.

Related Happenings

OnyxC2 developers commercialize stealer as tiered MaaS with support

Threat Actor Meta
H score23 First: 11.06.2026 16:00 Last: 11.06.2026 16:00 Sources 1

About this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

About this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...

Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans

Threat Actor Meta
H score20 First: 29.05.2026 17:32 Last: 29.05.2026 17:32 Sources 1

About this happening: Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...

Lucifer DaaS’s evolution into a commission-based drainer service platform

Threat Actor Meta
H score19 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: **Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...

REMUS underground ecosystem shift changes threat-actor operations

Threat Actor Meta
H score6 First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...

Timeline

  1. 01.04.2026 16:30 2 articles · 3mo ago

    Venom Stealer subscription-based MaaS ecosystem identified

    Initial Disclosure

    BlackFog researchers identified Venom Stealer as a malware-as-a-service platform sold on cybercrime networks that automates credential theft and continuous data exfiltration, integrates ClickFix social engineering into its operator panel, and uses a subscription model with Telegram-based licensing and an affiliate program; the platform was described as actively maintained with multiple updates released in March 2026.

    Show sources