惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
Spread Privacy
Spread Privacy
I
InfoQ
V
V2EX
S
Schneier on Security
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
L
Lohrmann on Cybersecurity
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Attack and Defense Labs
Attack and Defense Labs
云风的 BLOG
云风的 BLOG
The Hacker News
The Hacker News
S
SegmentFault 最新的问题
C
Cybersecurity and Infrastructure Security Agency CISA
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
GbyAI
GbyAI
Latest news
Latest news
S
Secure Thoughts
Project Zero
Project Zero
MongoDB | Blog
MongoDB | Blog
I
Intezer
Security Latest
Security Latest
Apple Machine Learning Research
Apple Machine Learning Research
Vercel News
Vercel News
N
Netflix TechBlog - Medium
V2EX - 技术
V2EX - 技术
量子位
T
Threatpost
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
T
Tor Project blog
A
Arctic Wolf
Microsoft Security Blog
Microsoft Security Blog
T
The Exploit Database - CXSecurity.com
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Check Point Blog
博客园 - Franky
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
The GitHub Blog
The GitHub Blog
L
LINUX DO - 热门话题

darkreading

Vidar Rises to Top of Chaotic Infostealer Market Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain UNC6692 Combines Social Engineering, Malware, Cloud Abuse Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation 20-Year-Old Malware Rewrites History of Cyber Sabotage Parsing Agentic Offensive Security's Existential Threat Helping Romance Scam Victims Require a Proactive, Empathic Approach US Busts Myanmar Ring Targeting US Citizens in Financial Fraud Glasswing Secured the Code. The Rest of Your Stack Is Still on You AI Phishing Is No. 1 With a Bullet for Cyberattackers North Korea's Lazarus Targets macOS Users via ClickFix Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets China-Backed Hackers Are Industrializing Botnets Bad Memories Still Haunt AI Agents 'Zealot' Shows What AI's Capable of in Staged Cloud Attack Africa Relinquishes Cyberattack Lead to Latin America — For Now 'The Gentlemen' Rapidly Rises to Ransomware Prominence DPRK Fake Job Scams Self-Propagate in 'Contagious Interview' Ransomware Negotiator Pleads Guilty to BlackCat Scheme Exploits Turn Windows Defender into Attacker Tool Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool Chinese APT Targets Indian Banks, Korean Policy Circles Vercel Employee's AI Tool Access Led to Data Breach Serial-to-IP Devices Hide Thousands of Old & New Bugs WhatsApp Leaks User Metadata to Attackers How NIST's Cutback of CVE Handling Impacts Cyber Teams Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing Every Old Vulnerability Is Now an AI Vulnerability Coast Guard's New Cybersecurity Rules Offers Lessons for CISOs NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities North Korea Uses ClickFix to Target macOS Users' Data 'Harmless' Global Adware Transforms Into an AV Killer Two-Factor Authentication Breaks Free from the Desktop Microsoft's Original Windows Secure Boot Certificate Is Expiring 6-Year Ransomware Campaign Targets Turkish Homes & SMBs Critical MCP Integration Flaw Puts NGINX at Risk Navigating the Unique Security Risks of Asia's Digital Supply Chain Prepping for 'Q-Day': Why Quantum Risk Management Should Start Now Audit: Big Tech Often Ignores CA Privacy Law Opt-Out Requests Microsoft, Salesforce Patch AI Agent Data Leak Flaws Microsoft Bets $10B to Boost Japan's AI, Cybersecurity Privilege Elevation Dominates Massive Microsoft Patch Update EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses War Game Exercise Demonstrates How Social Media Manipulation Works Why Orgs Need to Test Networks to Withstand DDoS Attacks During Peak Loads CSA: CISOs Should Prepare for Post-Mythos Exploit Storm Adobe Patches Actively Exploited Zero-Day That Lingered for Months Empty Attestations: OT Lacks the Tools for Cryptographic Readiness APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials Hims Breach Exposes the Most Sensitive Kinds of PHI Your Next Breach Will Look Like Business as Usual FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats Orange Business Reimagines Enterprise Voice Communications With Trust and AI Industrial Controllers Still Vulnerable As Conflicts Move to Cyber Can Anthropic Keep Its Exploit-Writing AI Out of the Wrong Hands? Russia's 'Fancy Bear' APT Continues Its Global Onslaught 'BlueHammer' Windows Zero-Day Exploit Signals Microsoft Bug Disclosure Issues Do Ceasefires Slow Cyberattacks? History Suggests Not Russia's Forest Blizzard Nabs Rafts of Logins via SOHO Routers Threat Actors Get Crafty With Emojis to Escape Detection AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties Fraud Rockets Higher in Mobile-First Latin America Full Sail University to Open IBM Cyber Defense Range Powered by AWS and Cloud Range on Campus Niobium Introduces The Fog Pluralsight Launches SecureReady to Help Organizations Build Job-Ready Cybersecurity Teams Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs Storm-1175 Deploys Medusa Ransomware at 'High Velocity' Grafana Patches AI Bug That Could Have Leaked User Data RSAC 2026: How AI Is Reshaping Cybersecurity Faster Than Ever Human vs. AI: Debates Shape RSAC 2026 Cybersecurity Trends Lies, Damned Lies, and Cybersecurity Metrics Focusing on the People in Cybersecurity at RSAC 2026 Conference AI-Assisted Supply Chain Attack Targets GitHub Axios Attack Shows How Complex Social Engineering Is Industrialized Fortinet Issues Emergency Patch for FortiClient Zero-Day Automated Credential Harvesting Campaign Exploits React2Shell Flaw Shadow AI in Healthcare Is Here to Stay OWASP GenAI Security Project Gets Update, New Tools Matrix Inconsistent Privacy Labels Don't Tell Users What They Are Getting Apple Breaks Precedent, Patches DarkSword for iOS 18 Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting Picking Up 'Skull Vibrations'? Could Be XR Headset Authentication Claude Source Code Leak Highlights Big Supply Chain Missteps Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain CrowdStrike Next-Gen SIEM Can Now Ingest Microsoft Defender Telemetry Geopolitics, AI, and Cybersecurity: Insights From RSAC 2026 Not Toying Around: Hasbro Attack May Take 'Weeks' to Remediate Security Bosses Are All in on AI: Here's Why RSAC 2026: AI Dominates, But Community Remains Key to Security Bank Trojan 'Casbaneiro' Worms Through Latin America Ransomware Will Hit Hospitals. Rehearsals Are Key to Defense LatAm's Self-Taught Cyber Talent Overlooked Amid Cyberattack Glut Cyberattacks Intensify Pressure on Latin American Governments Are We Training AI Too Late? The Forgotten Endpoint: Security Risks of Dormant Devices Axios NPM Package Compromised in Precision Attack Google's Vertex AI Is Over-Privileged. That's a Problem TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials
Venom Stealer MaaS Platform Commoditizes ClickFix Attacks
2026-04-01 · via darkreading

The head of a green snake with three black stripes on it

Source: Gerry Pearce via Alamy Stock Photo

Developing ClickFix-style attacks has just gotten much easier, thanks to a newly distributed malware-as-a-service (MaaS) platform that automates every step of the social engineering technique for would-be attackers, researchers have found.

A developer operating under the name "VenomStealer" is selling a MaaS platform of the same name on cybercriminal forums and networks, researchers from BlackFog revealed in a report published Tuesday. Venom Stealer allows attackers to create a persistent, multistage pipeline from initial infection to credential theft, cryptocurrency wallet access, and data exfiltration based on the initial ClickFix interaction.

"Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting," BlackFog founder and CEO Darren Williams wrote in the report. "It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running."

Related:Two-Factor Authentication Breaks Free from the Desktop

Touted on cybercriminal forums as "the Apex Predator of Wallet Extraction," the platform is sold on a subscription basis for $250 a month, or $1,800 for lifetime access, according to Williams. There a vetted application process, Telegram-based licensing, and a 15% affiliate program for Venom Stealer, which delivers a native C++ binary payload compiled per-operator from the web panel. 

Unlike traditional stealers that simply execute once, exfiltrate data, and exit, Venom Stealer continuously scans the system to harvests credentials, session cookies, and browser data; targets cryptocurrency wallets and stored secrets; and automates wallet cracking and fund draining, according to BlackFog's report.

Moreover, despite its relatively new presence on the commodity MaaS market, the operation behind Venom Stealer already appears to be a thriving business, Williams noted. So far in the month of March alone, its developer has already shipped multiple updates to the platform.

Step-By-Step ClickFix by Design

An attack built with Venom Stealer begins when a prospective victim lands on a ClickFix page hosted by the operator. The platform ships four templates per platform (Windows and macOS), a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each one asks the target to open a Run dialog or Terminal, copy and paste a command, and hit Enter.

"Because the target initiates execution themselves, the process appears user-initiated and bypasses detection logic built around parent-child process relationships," Williams explained. 

Related:Microsoft's Original Windows Secure Boot Certificate Is Expiring

Windows payloads available in the kit include .exe, .psi (or fileless via PowerShell), .hta, and .bat options, while macOS templates use bash and curl, he said. The platform also gives operators the capability to configure custom domains through Cloudflare DNS, so the panel URL never appears in the command.

Once the payload executes, it sweeps every Chromium and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile.

Moreover, there are evasion capabilities built into the execution mode, with the password encryption in versions 10 and 20 of Chrome bypassed using a silent privilege escalation that extracts the decryption key without triggering any user account control (UAC) dialog, thus leaving no forensic artifacts, Williams noted. The attack chain also captures system fingerprinting and browser extension inventories alongside the credentials, giving cybercriminals a complete profile of each target, he added.

"All of this data leaves the infected device immediately, with little or no local staging or delay," Williams wrote. "Without adequate visibility into outbound traffic, detecting this activity becomes significantly more difficult."

Related:Orange Business Reimagines Enterprise Voice Communications With Trust and AI

Persistent Data-Theft Pipeline

The attack transfers any discovered wallet data to a server-side, GPU-powered cracking engine that auto-cracks crypto wallets such as MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. Additionally, a March 9 update to Venom Stealer also added a File Password and Seed Finder, which search the filesystem for locally saved seed phrases, feeding anything found into the cracking pipeline. 

"Even targets who avoid saving credentials in their browser are at risk if seed phrases exist anywhere on the machine," Williams wrote.

And while some newer infostealer variants do have some persistence capability, Venom goes further than them all by staying active after the initial compromise and continuously monitoring Chrome’s Login Data, capturing newly saved credentials in real-time, he added.

"This undermines credential rotation as an incident response measure and extends the exfiltration window beyond the initial infection," Williams observed. "As a result, determining the full scope of the ongoing compromise becomes more difficult."

How to Reduce ClickFix Exposure

Researchers from Proofpoint first spotted ClickFix attacks about two years ago, and the technique has taken off with the cybercriminal community since then. The attack instills urgency among targets by telling them something is wrong that they must fix or update, and then uses otherwise benign CAPTCHA-style prompts to lure them into a false sense of security. The aim is to trick a user into executing malicious prompts against themselves. 

Organizations can reduce exposure to threats like Venom Stealer by restricting PowerShell execution, disabling the Run dialog for standard users via Group Policy, and training employees to recognize ClickFix-style social engineering, Williams advised.

"Once the payload is running, the attack chain depends on data leaving the device," he wrote. "Monitoring and controlling outbound traffic become important at this point, because it provides an opportunity to detect or prevent exfiltration activity and limit the impact of credential theft and subsequent actions."

About the Author

Elizabeth Montalbano

Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.