Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
Summary
Hide ▲
Show ▼
Venom Stealer is being run as a subscription-based malware service with Telegram licensing and an affiliate program, signaling a more organized cybercrime ecosystem and increasing the scale of credential theft. The model makes it easier for operators to buy access, distribute attacks, and keep monetizing stolen data over time.
Related Happenings
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor Meta
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
**OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor MetaAbout this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor Meta
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
About this happening:
DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor MetaAbout this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor Meta
H score20
First: 29.05.2026 17:32
Last: 29.05.2026 17:32
Sources 1
About this happening:
Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor MetaAbout this happening: Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
H score19
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor MetaAbout this happening: **Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
REMUS underground ecosystem shift changes threat-actor operations
Threat Actor Meta
H score6
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...
REMUS underground ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...
Timeline
-
01.04.2026 16:30 2 articles · 3mo ago
Venom Stealer subscription-based MaaS ecosystem identified
Initial DisclosureBlackFog researchers identified Venom Stealer as a malware-as-a-service platform sold on cybercrime networks that automates credential theft and continuous data exfiltration, integrates ClickFix social engineering into its operator panel, and uses a subscription model with Telegram-based licensing and an affiliate program; the platform was described as actively maintained with multiple updates released in March 2026.
Show sources
- New Venom Stealer MaaS Platform Automates Continuous Data Theft — www.infosecurity-magazine.com — 01.04.2026 16:30
- New Venom Stealer MaaS Platform Automates Continuous Data Theft — www.infosecurity-magazine.com — 01.04.2026 16:30