Global C-Suite credential theft campaign leverages undocumented Venom PhaaS with AiTM bypass
Summary
A credential theft campaign from November 2025 to March 2026 targeted C-suite executives and senior personnel at major organizations worldwide using a previously undocumented phishing-as-a-service (PhaaS) platform named Venom. The campaign used SharePoint-themed lures with embedded QR codes to deliver a multi-stage phishing workflow designed to harvest credentials and bypass multifactor authentication (MFA). Email content included randomized HTML, fabricated email threads, and personalized sender impersonation to evade detection. Victims who passed automated checks were routed to credential harvesters that mimicked legitimate login portals via adversary-in-the-middle (AiTM) techniques, including pre-filled email fields, corporate branding, and identity provider integration. Compromised sessions maintained persistence even after password resets due to valid refresh tokens, unless administrators manually revoked active sessions.
Timeline
- 03.04.2026 11:00 (1 article)
C-Suite credential theft campaign powered by Venom PhaaS identified (Nov 2025–Mar 2026)
A previously undocumented phishing-as-a-service (PhaaS) platform named Venom was used in a credential theft campaign targeting C-suite executives and senior personnel from November 2025 to March 2026. The campaign used SharePoint-themed lures with embedded QR codes and multi-layer evasion techniques, including randomized HTML, fabricated email threads, and personalized sender impersonation. Victims passing automated validation checks were routed to credential harvesters that leveraged adversary-in-the-middle (AiTM) portals to relay credentials and MFA codes to live systems, while maintaining persistent access via valid refresh tokens.
- New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs — www.infosecurity-magazine.com — 03.04.2026 11:00
Information Snippets
- A credential theft campaign targeting C-suite executives and senior personnel ran from November 2025 to March 2026, spanning over 20 industry verticals globally.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- The campaign used a previously undocumented phishing-as-a-service (PhaaS) platform called Venom, which functioned as the campaign’s backend infrastructure.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- Phishing lures were SharePoint document-sharing notifications with embedded QR codes, themed around financial reports to prompt scanning.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- Email content included randomized HTML elements, fabricated five-message email threads, and personalized sender details (real name, email, company website, and fake phone number) to evade spam filters.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- A validation checkpoint on the landing page filtered non-human traffic (security scanners, sandboxes, automated tools) from real targets before presenting the credential harvester.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- Credential harvesting used two methods: adversary-in-the-middle (AiTM) portals that relayed credentials and MFA codes to live Microsoft systems, and device code attacks whose tokens remained valid even after password resets unless sessions were manually revoked.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- The AiTM portals mimicked victims’ real login portals with company branding, pre-filled email addresses, and actual identity providers, while silently registering secondary MFA devices on compromised accounts.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
- Venom PhaaS included licensing, activation models, token storage, and full campaign management interfaces, and had not been previously observed in public threat intelligence or underground forums.
  First reported: 03.04.2026 11:00 (1 source, 1 article)
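A post-incident check for the two persistence points noted in the snippets above (tokens that survive a password reset, and MFA devices registered on compromised accounts), as an added example that is not from the source article. The event tuples, action names and the `remediation_gaps` helper are hypothetical, and the sample data is constructed.

```python
from datetime import datetime

# Constructed events in a simplified, hypothetical schema (not a real log format):
# (time, user, action, detail)
EVENTS = [
    ("2026-03-01T09:02", "cfo@example.com", "signin", "device_code"),
    ("2026-03-01T09:05", "cfo@example.com", "mfa_method_added", "m-2"),
    ("2026-03-02T08:00", "cfo@example.com", "password_reset", None),
    ("2026-03-01T10:00", "coo@example.com", "signin", "browser"),
    ("2026-03-01T10:03", "coo@example.com", "mfa_method_added", "m-7"),
    ("2026-03-02T08:10", "coo@example.com", "password_reset", None),
    ("2026-03-02T08:11", "coo@example.com", "sessions_revoked", None),
    ("2026-03-02T08:12", "coo@example.com", "mfa_method_removed", "m-7"),
]

def remediation_gaps(events, compromised_at):
    """Return {user: [gap, ...]} for accounts whose cleanup is incomplete.

    compromised_at maps each affected user to the suspected compromise time.
    """
    gaps = {}
    for user, start in compromised_at.items():
        t0 = datetime.fromisoformat(start)
        later = sorted(((datetime.fromisoformat(t), action, detail)
                        for t, u, action, detail in events
                        if u == user and datetime.fromisoformat(t) >= t0),
                       key=lambda e: e[0])
        resets = [t for t, a, _ in later if a == "password_reset"]
        revokes = [t for t, a, _ in later if a == "sessions_revoked"]
        found = []
        if not resets:
            found.append("password not reset")
        # A reset alone leaves already-issued tokens valid; revocation must
        # come at or after the last reset to close the window.
        if not revokes or (resets and max(revokes) < max(resets)):
            found.append("no session revocation since compromise/last reset")
        live = set()  # MFA methods added after compromise and still present
        for _, action, detail in later:
            if action == "mfa_method_added":
                live.add(detail)
            elif action == "mfa_method_removed":
                live.discard(detail)
        found += [f"MFA method {m} added after compromise, not removed"
                  for m in sorted(live)]
        if found:
            gaps[user] = found
    return gaps
```
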