Venom Stealer MaaS Platform Automates Continuous Credential and Crypto Theft
Researchers at BlackFog have identified Venom Stealer, a malware-as-a-service platform that uses ClickFix social engineering to automate continuous credential theft and cryptocurrency wallet cracking.

A new malware-as-a-service (MaaS) platform dubbed Venom Stealer has been discovered by cybersecurity researchers at BlackFog, offering cybercriminals an automated tool for continuous credential theft and cryptocurrency wallet cracking. Sold on underground networks for $250 per month or $1,800 for lifetime access, the platform integrates ClickFix social engineering directly into its operator panel, enabling attackers to automate the entire infection chain from initial compromise to data exfiltration.
The infection begins when a victim lands on a fake webpage—such as a fraudulent Cloudflare CAPTCHA, OS update prompt, SSL certificate error, or font installation page. Victims are instructed to open a Run dialog or Terminal, paste a command, and execute it themselves. This user-initiated action helps bypass traditional detection systems, as the activity appears legitimate. Once executed, Venom Stealer extracts saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet information from Chromium and Firefox-based browsers. It also performs system fingerprinting and collects browser extension data, creating a detailed profile of the infected system.
Unlike traditional infostealers that run once and exit, Venom Stealer remains active and continuously monitors Chrome's login database to capture newly saved credentials in real time. This persistent monitoring makes credential rotation less effective as a response strategy and extends the window during which data can be stolen. If cryptocurrency wallets are found, the data is sent to a server-side cracking engine running on GPU infrastructure. Once cracked, funds are automatically transferred across multiple blockchain networks, including tokens and decentralized finance positions.
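A defender-side check for the continuous monitoring described above, as an added example that is not from BlackFog's research: it separates one-off from repeated reads of Chrome's `Login Data` file by non-browser processes. The CSV event layout, host names, process paths and thresholds are constructed assumptions; map them to whatever file-access telemetry your EDR or object-access auditing exports.

```python
"""Flag non-browser processes that keep re-reading Chrome's "Login Data" store."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Chrome's saved-password database, for any user and any profile directory.
LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
# Assumption: name-only allowlist for brevity; match full path and signer in production.
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed sample telemetry, one file read per line: timestamp,host,image,file
SAMPLE_EVENTS = r"""
2026-03-20T09:00:05,WS-014,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-03-20T09:02:11,WS-014,C:\Users\alice\AppData\Local\Temp\updater.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-03-20T09:02:12,WS-014,C:\Users\alice\AppData\Local\Temp\updater.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History
2026-03-20T09:32:40,WS-014,C:\Users\alice\AppData\Local\Temp\updater.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-03-20T10:03:02,WS-014,C:\Users\alice\AppData\Local\Temp\updater.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
2026-03-20T10:15:30,WS-020,C:\Users\bob\Downloads\setup.exe,C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
""".strip().splitlines()

def classify(lines, min_reads=3, min_span=timedelta(minutes=30)):
    """Return {(host, image): verdict} for every non-allowlisted reader."""
    reads = defaultdict(list)
    for line in lines:
        ts, host, image, target = line.split(",", 3)
        name = image.rsplit("\\", 1)[-1].lower()
        if LOGIN_DATA.search(target) and name not in ALLOWED_IMAGES:
            reads[(host, image)].append(datetime.fromisoformat(ts))
    verdicts = {}
    for key, stamps in reads.items():
        span = max(stamps) - min(stamps)
        # Repeated reads spread over time suggest monitoring, not a single grab.
        persistent = len(stamps) >= min_reads and span >= min_span
        verdicts[key] = "persistent-reader" if persistent else "one-shot-reader"
    return verdicts

if __name__ == "__main__":
    for (host, image), verdict in sorted(classify(SAMPLE_EVENTS).items()):
        print(f"{verdict:18} {host} {image}")
```

Either verdict on a non-browser process merits investigation; the persistent one additionally means credentials saved after the first read should be treated as exposed.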
Key capabilities of the malware include automated ClickFix delivery templates for Windows and macOS, continuous credential monitoring after infection, cryptocurrency wallet cracking with automatic fund transfers, and file system searches for seed phrases and password files. The platform operates on a subscription model with Telegram-based licensing and an affiliate program, indicating a professional development operation. BlackFog noted that the platform is actively maintained, with multiple updates released in March 2026.
BlackFog recommends several mitigations to disrupt the attack chain, including restricting PowerShell execution, disabling the Run dialog for standard users, and training employees to recognize ClickFix-style social engineering attempts. Monitoring outbound network traffic is also critical, as the malware relies on immediate data exfiltration to attacker-controlled servers. The research highlights the growing sophistication of MaaS platforms, which are increasingly automating complex attack chains to lower the barrier to entry for less skilled cybercriminals.
The emergence of Venom Stealer underscores a broader trend in the cybercrime ecosystem toward automation and specialization. By combining social engineering with persistent data theft and cryptocurrency cracking, the platform represents a significant evolution in infostealer capabilities. As MaaS offerings become more accessible and feature-rich, organizations must adapt their defenses to address both the initial infection vector and the continuous monitoring that follows.