A new Malware-as-a-Service (MaaS) platform is making waves in the cybercrime underground, promising operators an automated pipeline for draining cryptocurrency wallets. BlackFog researchers have identified the threat, known as Venom Stealer, which distinguishes itself from commodity malware through its aggressive automation and “ClickFix” social engineering integration.
Operating under a professionalized business model, the developer known as “VenomStealer” sells access through a tiered subscription service, ranging from $250 per month to $1,800 for a lifetime license. The platform even includes a vetted application process and a 15% affiliate program to expand its reach.
The payload itself is a native C++ binary, custom-compiled for each operator to ensure maximum stealth and a lack of external dependencies. As the developers boast in their marketing:
“Venom doesn’t just harvest credentials; it actively cracks encrypted wallets, derives keys across every major chain, automatically sweeps the funds to your address, and keeps listening for new logins long after the initial run”.
The pace of development for Venom Stealer is rapid, with multiple significant updates released in March 2026 alone. These upgrades have introduced features that allow the malware to bypass modern security prompts and maintain a persistent foothold:
- Chrome v10/v20 Bypass: Fully breaks Chrome encryption to extract saved passwords automatically.
- Silent UAC Elevation: Gains administrative privileges without triggering user prompts, allowing it to operate undetected.
- Session Listener: A background process that “phones home” twice a day with newly saved passwords and wallet activity, requiring no traditional startup entry to persist.
In a move to capture emerging crypto markets, the developers recently added “full auto-crack support” for the Tonkeeper TON wallet extension. The malware can now automatically extract and crack Tonkeeper vaults across Chrome, Edge, Brave, and Opera browsers, recovering full seed phrases and checking balances directly via the TON blockchain.
While Venom Stealer is engineered for maximum impact, researchers note that the attack chain has several points of failure that organizations can exploit. The malware often relies on PowerShell execution and the Run dialog to initiate its social engineering lures.
As BlackFog researchers conclude:
“Organizations can reduce exposure to threats like Venom by restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering”.
Because the attack eventually depends on data leaving the device, monitoring outbound traffic remains a critical last line of defense to prevent exfiltration and limit the impact of credential theft.
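As an added example (not code from the BlackFog report), the twice-daily "phone home" cadence described above can be surfaced from egress logs by looking for flows whose connection spacing clusters tightly around twelve hours; the log lines, hosts and addresses below are constructed for illustration.

```python
"""Flag host/destination pairs that beacon on a fixed twice-daily cadence."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample egress log lines: timestamp src dst bytes_out (not real traffic).
SAMPLE_LOG = """\
2026-03-01T00:05:11Z 10.0.0.7 198.51.100.23 1834
2026-03-01T09:12:40Z 10.0.0.7 203.0.113.5 912
2026-03-01T12:05:13Z 10.0.0.7 198.51.100.23 1790
2026-03-01T15:44:02Z 10.0.0.7 203.0.113.5 4021
2026-03-02T00:05:10Z 10.0.0.7 198.51.100.23 1851
2026-03-02T12:05:12Z 10.0.0.7 198.51.100.23 1877
2026-03-02T13:02:55Z 10.0.0.7 203.0.113.5 700
2026-03-03T00:05:14Z 10.0.0.7 198.51.100.23 1902
"""

TARGET_INTERVAL_S = 12 * 3600  # "twice a day", as the report describes the session listener

def parse_log(text):
    """Return {(src, dst): [epoch seconds, ...]} from whitespace-separated lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(parts[1], parts[2])].append(ts.timestamp())
    return flows

def find_beacons(flows, target=TARGET_INTERVAL_S, tolerance=0.05, min_hits=3):
    """Flag flows with >= min_hits connections whose mean gap is within `tolerance`
    of `target` and whose gap jitter (stdev / mean) is also within `tolerance`."""
    hits = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if abs(avg - target) / target <= tolerance and jitter <= tolerance:
            hits[key] = {"connections": len(times), "mean_gap_s": round(avg), "jitter": round(jitter, 4)}
    return hits

if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

Human-driven traffic to 203.0.113.5 has irregular gaps and is not flagged, while the 198.51.100.23 flow is; in production, feed the detector from proxy or firewall logs and tune `tolerance` to the jitter you observe.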