Connect with us

CyberSecurity

Venom Stealer: The Malware-as-a-Service Platform Automating Persistent Cyber Theft

Published

on

Venom Stealer: The Malware-as-a-Service Platform Automating Persistent Cyber Theft

A new and sophisticated threat has emerged in the cybercrime ecosystem. Dubbed Venom Stealer, this malware-as-a-service (MaaS) platform is shifting the goalposts for data theft by automating not just the initial breach, but also maintaining persistent, ongoing access to stolen information. This represents a significant escalation from traditional one-time credential harvesters.

Security researchers from BlackFog detailed the platform’s capabilities in a recent advisory. What sets Venom Stealer apart is its operational model and its relentless focus on continuity, ensuring that a single infection can yield a stream of data for as long as the victim remains compromised.

The Subscription-Based Cybercrime Model

Operating like a legitimate software business, Venom Stealer is sold on underground forums using a clear subscription model. Aspiring cybercriminals can pay $250 per month or opt for a lifetime access fee of $1,800. This commercial approach includes Telegram-based licensing and an affiliate program, lowering the barrier to entry for less technically skilled attackers and scaling the threat’s potential reach.

How the Venom Stealer Infection Chain Works

The attack begins with a classic yet effective social engineering trap. Victims are lured to fake webpages mimicking familiar prompts—a Cloudflare CAPTCHA, a system update notification, an SSL certificate error, or a font installation page. Crucially, the victim is then instructed to manually open a Run dialog or Terminal and paste a command themselves. This clever tactic makes the malicious activity appear user-initiated, helping it slip past many behavioral detection systems that flag automated processes.

Once executed, the malware springs into action. It immediately scours Chromium and Firefox-based browsers, extracting saved passwords, session cookies, browsing history, autofill data, and critically, information from cryptocurrency wallets. It also performs detailed system fingerprinting and collects data on installed browser extensions, building a comprehensive profile of the infected machine.

Beyond One-Time Theft: The Continuous Exfiltration Engine

This is where Venom Stealer truly differentiates itself. Unlike older infostealers that run once and exit, this malware remains resident and active. It continuously monitors the Chrome login database, capturing newly saved credentials in real-time the moment a user enters them. Consequently, common defense strategies like credential rotation become far less effective, as the malware simply harvests the new passwords as they are created.

Building on this, the platform’s financial theft capabilities are highly automated. If cryptocurrency wallets are discovered, the data is sent to a powerful server-side cracking engine running on GPU infrastructure. Once the wallet is cracked, funds are automatically liquidated and transferred across multiple blockchain networks, including tokens and decentralized finance (DeFi) positions.

Key Capabilities and Integrated Social Engineering

A particularly dangerous feature is the direct integration of ClickFix social engineering templates into the attacker’s operator panel. This allows threat actors to automate the entire attack chain from the initial lure to the final data theft, streamlining their operations. The platform’s key capabilities include:

  • Automated ClickFix delivery templates for both Windows and macOS systems.
  • Continuous, real-time credential monitoring post-infection.
  • Automated cryptocurrency wallet cracking and fund transfers.
  • File system searches for cryptocurrency seed phrases and password files.

Therefore, the platform represents a full-service cybercrime toolkit. For more insights on the social engineering tactics often paired with such malware, consider reading about the Anatomy of a Service Desk Social Engineering Attack.

Mitigation Strategies Against Venom Stealer

So, how can organizations defend against this persistent threat? BlackFog researchers recommend a multi-layered defense strategy. First, technical controls can disrupt the attack chain: restrict PowerShell execution where possible, and disable the Run dialog for standard user accounts on Windows systems.

In addition, human vigilance remains paramount. Security awareness training must evolve to help employees recognize and report ClickFix-style social engineering attempts that urge them to run suspicious commands. Furthermore, robust network monitoring is essential. Since Venom Stealer relies on immediate data exfiltration to attacker-controlled servers, monitoring for unusual outbound traffic patterns can provide a crucial detection opportunity.

This means that a combination of technical hardening, user education, and network surveillance forms the best defense. For broader strategies on securing your digital assets, explore our guide on Protecting Against Advanced Data Exfiltration.

An Actively Maintained Threat

The research indicates that Venom Stealer is not a static tool. Evidence points to an actively maintained, full-time development operation, with multiple updates observed as recently as March 2026. This commitment to development suggests the platform’s operators are intent on refining its capabilities and evading detection for the long term, making it a persistent and evolving danger in the cybersecurity landscape.

CyberSecurity

Fake CAPTCHA Pages Deliver SCMBANKER Malware to Mexican Banking Users

Published

on

SCMBANKER malware

Fake CAPTCHA Pages Are the Hook

Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.

Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.

This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.

How the Infection Chain Works

The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.

Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.

Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.

Why Mexican Users Are in the Crosshairs

Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.

The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.

Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.

ClickFix: A Growing Social Engineering Trend

The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.

Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.

For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.

Protecting Yourself from CAPTCHA-Based Malware

Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.

Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.

Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.

What Comes Next

The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.

As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.

For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.

Continue Reading

CyberSecurity

Four Security Vendors Rush Patches for Critical and High-Severity Product Bugs

Published

on

Trend Micro Tanium ESET Tenable patches

July has been a busy month for security teams inside four major cybersecurity vendors. Trend Micro, Tanium, ESET, and Tenable all shipped product updates targeting vulnerabilities that range from critical down to medium severity. No active exploitation has been reported for any of these bugs — but as recent attacks on Palo Alto Networks and Trend Micro itself have shown, security products are a prime target for sophisticated threat actors.

Here is what got patched, who is affected, and why these fixes matter now.

Tenable Agent: Critical Path Traversal Opens Door to RCE

The most severe of the bunch is a critical-severity path traversal vulnerability in the Tenable Agent, tracked as CVE-2026-15265. Tenable notified customers this week that the flaw could let an attacker achieve remote code execution on an affected system.

Path traversal bugs are a classic but still dangerous class of vulnerability. They allow an attacker to break out of restricted directories and write or execute files in places they should not have access to. When that happens inside a security agent — software designed to run with elevated privileges — the consequences can be severe. In this case, Tenable rates the bug as critical, meaning organizations should prioritize updating their agents immediately.

The advisory does not specify a CVSS score, but the critical designation alone signals urgency. Tenable has not published any workaround; the fix is the update itself.

ESET Inspect Connector: Local Privilege Escalation via ALPC

ESET disclosed a high-severity local privilege escalation vulnerability in its Inspect Connector for Windows on Tuesday. The company explained that an attacker with local access could send specially crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’s interface.

“Without proper authentication or origin validation in place, this message would be accepted and processed,” ESET wrote in its advisory. That means the attacker could access restricted functionality — essentially, they could elevate their privileges on the machine.

This is not a remote exploit. An attacker would need to already have some foothold on the system. But once inside, this bug makes lateral movement and deeper compromise much easier. ESET also published a separate advisory for a medium-severity denial-of-service (DoS) vulnerability affecting its security products for Linux.

Tanium Server: Unauthenticated DoS from the Network

Tanium informed customers last week about a high-severity flaw in the Tanium Server that could allow an unauthenticated, network-based attacker to launch a denial-of-service attack. The company’s advisory is characteristically sparse on technical details, but the risk is clear: an attacker who can reach the Tanium Server over the network does not need valid credentials to knock it offline.

For organizations that rely on Tanium for endpoint management and incident response, a DoS on the server could blind them to threats across the fleet. The update is recommended for all supported versions.

Trend Micro Cleaner One Pro: Local Privilege Escalation

Trend Micro warned users of Cleaner One Pro last week about a high-severity local privilege escalation vulnerability. The company said the bug could allow an attacker to delete privileged Trend Micro files — essentially letting a low-privileged user tamper with security software.

Cleaner One Pro is a system optimization tool, not a core security product like Apex One. Still, any vulnerability that lets an attacker delete files belonging to a Trend Micro application is concerning. It could be used to disable protections or corrupt logs.

Why Security Product Vulnerabilities Are a Bigger Deal

None of these vulnerabilities are known to have been exploited in the wild — yet. But there is a reason security teams pay close attention when a vendor like Trend Micro or ESET issues a patch. Security products run with high privileges by design. They have deep access to the operating system, the file system, and network traffic. A successful exploit against a security agent can give an attacker a beachhead that is extremely hard to detect.

Recent history bears this out. In June 2026, both Palo Alto Networks and Trend Micro confirmed that attackers had exploited vulnerabilities in their products in the wild. Those incidents served as a reminder that threat actors actively hunt for bugs in the very tools meant to stop them.

What Organizations Should Do Now

The message from all four vendors is the same: update now. For Tenable Agent, that means applying the latest version as soon as possible. For ESET Inspect Connector and Tanium Server, the same. For Trend Micro Cleaner One Pro, users should check for updates through the application or the vendor’s download portal.

If your organization uses any of these products, this is not a patch cycle to delay. The vulnerabilities are real, the fixes are available, and the window of opportunity for attackers is only getting wider.

For more context on recent security product vulnerabilities, see our coverage of Fortinet, Ivanti, and ServiceNow patches and the recent CrowdStrike and Tenable fixes.

Continue Reading

CyberSecurity

Vidar Infostealer Targets SMBs in Malvertising Blitz: Cracked Software Lures Deliver Double Payload

Published

on

Vidar infostealer malvertising

Malvertising Delivers More Than Users Bargained For

A fresh wave of malvertising is battering small and medium-sized businesses, and the culprit is a familiar name in the cybercrime underworld: the Vidar infostealer. Researchers have tracked a financially motivated campaign that dangles cracked or pirated software as bait — but the catch is a nasty two-for-one payload that both steals sensitive data and hijacks system resources for cryptomining.

The operation, active since at least early 2025, relies on malicious ads that appear in search results for popular business tools. Think project management suites, accounting software, and design apps — all offered for free. Click one of these ads, and you’re not downloading a freebie. You’re inviting Vidar straight onto your network.

This isn’t a lone actor. The campaign shows signs of professional organization, with multiple ad accounts and constantly refreshed domains. For SMBs already stretched thin on IT security, it’s a brutal reminder that free software rarely comes without a cost.

How the Vidar Infostealer Campaign Works

The infection chain starts with a search. An employee at a small business types “free [popular software] download” into a search engine. A sponsored ad appears, looking legitimate — complete with a convincing logo and landing page. The user clicks, downloads what appears to be an installer, and runs it.

Inside that installer is a multi-stage dropper. It unpacks Vidar infostealer first, which immediately begins scraping credentials, browser cookies, cryptocurrency wallet files, and even two-factor authentication tokens. Then, almost as an afterthought, it deploys a cryptominer that eats CPU cycles in the background.

The result? Data exfiltration happens fast — often within minutes. And the cryptominer runs quietly, draining electricity and slowing systems until someone notices the fan noise or a spike in the power bill.

Why SMBs Are the Prime Target

Large enterprises have robust security stacks, endpoint detection, and dedicated threat-hunting teams. SMBs? Not so much. A 2024 report from the Ponemon Institute found that 60% of small businesses that suffer a cyberattack go out of business within six months. Attackers know this. They also know SMBs are more likely to search for cheap or free software alternatives.

“SMBs are the sweet spot for malvertising,” says one threat analyst who tracks Vidar. “They have valuable data but not the budget for top-tier defenses. Cracked software is an easy hook.”

The campaign’s use of legitimate ad networks makes it even harder to block. Malicious ads slip through automated review systems, and by the time they’re flagged, the damage is often done.

The Double Payload: Data Theft Meets Cryptomining

Vidar has been around since 2018, marketed on Russian-language cybercrime forums as an off-the-shelf infostealer. It’s known for its speed — it can grab browser data, email client credentials, and cryptocurrency wallets in under a minute. In this campaign, it’s paired with a cryptominer that targets Monero (XMR), a privacy coin favored by attackers because transactions are harder to trace.

The combination is ruthless. First, Vidar exfiltrates everything it can. Then the miner establishes persistence, running as a background process that survives reboots. The victim loses both data and computing power. For an SMB with limited IT staff, detecting the miner might take weeks. By then, credentials stolen by Vidar could already be sold on dark web forums or used in follow-up attacks like ransomware.

Security firm Proofpoint first flagged the uptick in Vidar activity tied to malvertising in late 2024. Since then, the volume has only grown. In one observed cluster, attackers registered over 40 domains in a single week, each mimicking a legitimate software vendor.

Protecting Your Business From Malvertising and Infostealers

There’s no silver bullet, but a few practical steps can dramatically reduce risk. Start with the basics:

  • Ban cracked software outright. Write a clear policy. No exceptions. Free or pirated versions of paid tools are the #1 delivery mechanism for infostealers like Vidar.
  • Use ad-blocking or DNS filtering. Tools like uBlock Origin or a DNS filter (e.g., NextDNS) can block malicious ad domains before they load.
  • Deploy endpoint detection and response (EDR). Free options exist for small businesses, like Microsoft Defender for Business. EDR can catch the unusual process behavior of a cryptominer.
  • Train employees to spot malvertising. Show them what a malicious sponsored ad looks like. Teach them to hover over links before clicking. A skeptical eye is still one of the best defenses.
  • Monitor for unusual CPU usage. A sudden, sustained spike in processor load — especially on idle machines — is a telltale sign of cryptomining.

For SMBs that rely on cloud services, enabling multi-factor authentication on every account is critical. Vidar often steals session cookies that bypass MFA, but it’s still a strong layer of defense. Also consider endpoint security best practices that include application whitelisting to block unauthorized installers.

The Bottom Line on Vidar and Malvertising

This campaign isn’t revolutionary in technique — malvertising and cracked software lures are old tricks. What’s new is the scale and the double payload. Vidar’s operators have industrialized the process, buying ads at scale and rotating infrastructure faster than most blocklists can keep up.

For SMB owners, the takeaway is simple: if an ad promises free access to expensive software, it’s almost certainly a trap. The Vidar infostealer campaign proves that the cost of “free” can be your company’s data — and your bottom line.

Continue Reading

Trending