A newly identified malware-as-a-service platform dubbed Venom Stealer is drawing attention from cyber defenders because it does more than harvest passwords in a single burst. Researchers say the tool remains on infected Windows systems and continues watching for newly saved browser credentials, session data and cryptocurrency wallet activity, giving attackers an ongoing stream of fresh information rather than a one-off cache of stolen files. The platform has been described by analysts as part of a broader evolution in the infostealer market, where operators are packaging credential theft, persistence and automated crypto theft into subscription-based criminal services. SecurityWeek, citing analysis by BlackFog, reported that access to Venom Stealer is offered on a licence basis at about $250 a month or $1,800 for lifetime use, with updates pushed to users and an affiliate model promoted through Telegram. That commercial structure matters because it lowers the entry barrier for cybercriminals while ensuring the malware continues to evolve after deployment.
What sets Venom Stealer apart is the claim that it continuously monitors Chrome login data and silently captures credentials saved after the initial infection. Traditional infostealers often raid a device, exfiltrate what they find and leave. Venom, by contrast, is built to linger. Security researchers say a background listener can report back twice a day with any newly stored passwords and fresh wallet activity, potentially undermining one of the first steps taken after a breach: changing compromised credentials.
The malware is also designed to be highly automated. According to the published analysis, each operator can configure a custom domain through Cloudflare-backed infrastructure, after which the service handles much of the workflow. Pre-built social-engineering pages are used to trick victims into infecting themselves. Those lures include fake Cloudflare CAPTCHA checks, sham operating system updates, false SSL certificate warnings and bogus font-install prompts, all aimed at persuading users to open the Windows Run dialogue or a terminal window and paste malicious commands.
That delivery mechanism fits into the wider spread of so-called ClickFix campaigns, which rely less on software exploits and more on manipulating users into launching the attack themselves. Malwarebytes reported another Venom Stealer campaign last week in which a counterfeit Avast webpage pretended to scan a computer for malware, then offered a supposed fix that instead installed the stealer. Security researchers say such brand impersonation remains effective because it combines urgency, fear and the appearance of technical authority.
Once active, Venom Stealer appears to cast a wide net. Researchers say it targets Chromium-based browsers and Firefox, pulling saved passwords, cookies, browsing histories, autofill data and browser-extension information from multiple profiles. BlackFog’s findings, as cited by SecurityWeek, also say the malware can bypass Chrome’s v10 and v20 password protections through silent privilege escalation, extracting decryption material without prompting the user through standard account-control warnings.
The cryptocurrency angle is equally significant. Analysts say the malware targets locally stored wallet data and feeds stolen material into a server-side cracking system using GPU infrastructure. Reported targets include MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero and Tonkeeper. One March update highlighted in the research added auto-crack support for Tonkeeper across several Chromium-based browsers, while another tied stolen wallet information to an engine capable of rapidly sweeping assets across multiple blockchain networks.
Independent malware telemetry has also lent weight to the reporting. Public sandbox analyses on ANY.RUN flagged network activity linked to venom-stealer.com and identified behaviour associated with data upload functions and command-and-control communications. Those sandbox records do not, by themselves, provide the full strategic picture, but they do support the view that the infrastructure has been observed in live samples and that the malware’s operational footprint extends beyond a theoretical proof of concept.
For businesses, the appearance of tools such as Venom Stealer is another warning that identity theft and session hijacking remain central to modern cybercrime. Stolen logins are routinely used as the first step toward fraud, business email compromise and ransomware deployment. A persistent infostealer raises the pressure on defenders because the danger does not end with the initial compromise; it can continue as employees save fresh credentials or access digital wallets after the infection is already in place.