Venom Stealer Raises Stakes With Continuous Credential Harvesting

Summary

Venom Stealer is a licensed malware-as-a-service infostealer available for $250/month or $1,800 lifetime, sold via Telegram by developer VenomStealer. The kit features built-in persistence, continuous credential monitoring across Chrome and Firefox, Chrome v10/v20 password encryption bypass, and automated GPU-powered cryptocurrency wallet cracking and fund sweeping across nine blockchain networks. Unlike traditional infostealers that rapidly exfiltrate and vanish, Venom Stealer maintains a persistent background listener that phones home twice daily to report newly saved passwords and wallet activity, effectively defeating victim password rotation efforts.

Full text

Stolen credentials are the primary access route for cybercriminals. The use of infostealers to supply those credentials is the basis of modern cybercrime. Infostealers continuously improve in both sophistication and use. Venom Stealer is a newly discovered kit available through malware-as-a-service (MaaS) to anybody wishing to use it. It is not sold but provided on license at $250 per month or $1,800 for lifetime usage. This provides use and updates. The Venom Stealer kit, discovered and analyzed by BlackFog, demonstrates both the improving sophistication of infostealers and the ongoing efficiency of the MaaS marketplace. Under the handle of VenomStealer, the developer sells both licensing and an affiliate program via Telegram. Frequent updates to the kit show the value of licensing over outright purchase, and suggest this is a full-time operation for the developer. Each licensed operator configures their own custom domain via Cloudflare DNS. This way, the infostealer URL never appears in any issued commands. Once this domain is configured with Venom Stealer’s operating panel, everything else is automatic. A range of pre-built, professional social engineering ClickFix lures are available to install the Windows targeting payload. These can be selected from the kit’s operating panel. Although Venom Stealer targets Windows, it is operated via an internet domain and can be acquired and used by both Windows and macOS systems. Venom Stealer remains active after the initial compromise and continuously monitors Chrome’s login data, capturing newly saved credentials in real-time. (Image Credit: BlackFog) The pre-built ClickFix templates include a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each lure asks the target to open a Run dialog or Terminal, paste a command, and press Enter. If successful, the Venom Stealer payload is installed and executed. It sweeps every Chromium and Firefox browser on the system. It extracts saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile. “Chrome’s v10 and v20 password encryption is bypassed using a silent privilege escalation that extracts the decryption key without triggering any UAC dialog, leaving no forensic artifacts,” report the researchers.Advertisement. Scroll to continue reading. System fingerprinting and browser extension inventories are also captured alongside the credentials, giving cybercriminals a complete profile of each target. All this data is immediately exfiltrated with little or no local staging or delay. It is at this point that traditional infostealers generally leave the victim as quietly and quickly as they arrived. But the current infostealer will remain, demonstrating the value of an ongoing license over a one-off purchase. Venom Stealer is built for persistence rather than the usual rapid steal and depart. Persistence itself is not entirely new to infostealers, but Venom Stealer goes further – it remains in operation. A session listener now runs silently and continuously in background. The listener phones home twice each day with information on any newly saved passwords. This would defeat password rotation by the victim, whether it is instigated by standard company policy or as an incident response to learning that details have become available on the dark web. The listener also reports new wallet activity. The listener was added to Venom Stealer in one of the updates provided in March 2026, demonstrating the adversarial advantage of an ongoing license rather than a one-off purchase. Other updates that arrived in March included the Chrome v10/v20 bypass, and auto-crack support for the Tonkeeper TON wallet extension that recovers the full seed phrase and TON address across Chrome, Edge, Brave and Opera. Stolen wallet data is passed to a server-side cracking engine running on GPU infrastructure. This auto-cracks MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Once cracked, say the researchers, “the auto-transfer engine sweeps funds immediately across nine chains including ERC-20/SPL tokens, liquid staking positions, and DeFi protocol positions.” Although more sophisticated than earlier infostealers, Venom Stealer (like all other stealers) is not an automatic slam dunk for the attacker. Exposure can be reduced by restricting PowerShell execution, disabling the Run dialog for standard users, and improving employee social engineering recognition. If these fail and the stealer is installed and operational, continuous monitoring of and control over outbound traffic provides an opportunity to detect or prevent exfiltration activity: the existence of the stealer’s payload can be detected and theft of the information mother lode halted. Related: Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs Related: Over 100 GitHub Repositories Distributing BoryptGrab Stealer Related: ‘Arkanix Stealer’ Malware Disappears Shortly After Debut Related: Sophisticated ClickFix Campaign Targeting Hospitality Sector Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Silent Drift: How LLMs Are Quietly Breaking Organizational Access ControlAI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest LinkDoE Publishes 5-Year Energy Security PlanIran Readied Cyberattack Capabilities for Response Prior to Epic FuryHacker Conversations: Ben Harris, From Unintentional Young Hacker to Intentional Adult CEOThe Collapse of Predictive Security in the Age of Machine-Speed AttacksShadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches Latest News Censys Raises $70 Million for Internet Intelligence PlatformThe Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t TrustStolen Logins Are Fueling Everything From Ransomware to Nation-State CyberattacksTeamPCP Moves From OSS to AWS EnvironmentsCrewAI Vulnerabilities Expose Devices to HackingGoogle Slashes Quantum Resource Requirements for Breaking Cryptocurrency EncryptionExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Ve

Indicators of Compromise

• malware — Venom Stealer
• malware — VenomStealer
• malware — ClickFix
• mitre_attack — T1555.003
• mitre_attack — T1056.004
• mitre_attack — T1547.001
• mitre_attack — T1005