Infostealers (malware specifically designed to steal sensitive information) have become one of the most dangerous cybersecurity threats and a major concern for companies and researchers, according to various analyses in recent months.
Now a new player has emerged, showing the rapid evolution of these tools. It is called Venom Stealer and has been discovered and analyzed by the firm Black Frog.
While traditional infostealers tend to “come, take data, and leave,” this tool is designed to stay and continuously steal information.
Thus, instead of merely extracting data found at the time of infection, the malware maintains a background process that monitors and captures new details as they are saved or used on the affected device. This is known as ‘continuous credential harvesting’ or ‘persistent credential harvesting.’
Venom Stealer is distributed through fake sites that mimic legitimate tools, fraudulent security alerts, or phishing campaigns that induce the user to execute a malicious file.
Once executed, the malware can scan installed browsers (such as Chrome or Firefox) and extract data like saved passwords, login cookies, browsing history, autocomplete data, and cryptocurrency wallet vaults from each profile.
“Chrome v10 and v20 password encryption is bypassed through a silent privilege escalation that extracts the decryption key without triggering any UAC dialog, leaving no forensic traces,” the researchers report.
To make matters worse, this infostealer is capable of bypassing the operating system’s own protection mechanisms, accessing encrypted keys without triggering the usual security alerts.
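The two behaviours described above, a background process that keeps reading browser credential stores rather than reading them once, and a non-browser process touching files such as Chrome's "Login Data" or Firefox's "logins.json", are both visible in file-access telemetry. The following is an added example from a defender's perspective, not code from the article or from Black Frog's analysis. It runs a simple detection over a constructed file-access log: any non-browser process that opens a known browser secret store is flagged, and a process whose accesses recur over a long window is additionally marked as a persistent harvester. The list of sensitive file names, the allow-list of browser processes, the log format and the thresholds are all assumptions chosen for illustration.

```python
"""Flag non-browser processes that read browser credential stores.

Added example; not part of the original article or of Black Frog's research.
The log lines and the file/process lists below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Files where Chromium-based browsers and Firefox keep passwords, cookies and
# the key material that protects them (assumed default profile layout).
SENSITIVE_FILES = {
    "login data", "cookies", "web data", "local state", "history",
    "key4.db", "logins.json", "cookies.sqlite",
}

# Processes that legitimately open those files (assumed allow-list).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed telemetry: "<ISO timestamp> <process> <op> <path>".
SAMPLE_LOG = r"""
2024-05-01T09:00:00 chrome.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-01T09:01:10 updater.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-01T09:02:00 notepad.exe WRITE C:\Users\alice\Documents\notes.txt
2024-05-01T09:31:10 updater.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2024-05-01T10:01:10 updater.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-05-01T10:31:10 updater.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-01T12:00:00 svchost.exe READ C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json
2024-05-01T12:05:00 firefox.exe READ C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\key4.db
"""


def parse_line(line: str):
    """Split one log line into (timestamp, process, operation, path)."""
    ts, proc, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, op, path


def is_browser_secret(path: str) -> bool:
    """True if the path's file name is one of the known credential stores."""
    return PureWindowsPath(path).name.lower() in SENSITIVE_FILES


def analyze(log_text: str, min_accesses: int = 3, min_span_minutes: float = 30.0) -> dict:
    """Return, per suspicious process, its access count, time span and whether the
    pattern looks like continuous harvesting (repeated reads over a long window)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, _op, path = parse_line(line)
        if is_browser_secret(path) and proc.lower() not in ALLOWED_PROCESSES:
            hits[proc.lower()].append(ts)

    report = {}
    for proc, times in hits.items():
        span = (max(times) - min(times)).total_seconds() / 60.0
        report[proc] = {
            "count": len(times),
            "span_minutes": span,
            "persistent": len(times) >= min_accesses and span >= min_span_minutes,
        }
    return report


if __name__ == "__main__":
    for proc, info in analyze(SAMPLE_LOG).items():
        tag = "PERSISTENT HARVESTER" if info["persistent"] else "single access"
        print(f"{proc}: {info['count']} reads over {info['span_minutes']:.0f} min -> {tag}")
```

In the constructed log, updater.exe reads Chrome's stores four times across 90 minutes and is reported as a persistent harvester, while the one-off svchost.exe read of logins.json is still flagged but not as persistent. A real deployment would feed this from an EDR or file-auditing source and tune the allow-list to the browsers actually installed.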
A monthly rental
The tool is distributed as a kit and a malware-as-a-service (MaaS) for anyone wishing to use it. It is not sold but offered under a license through Telegram for $250 per month or $1800 for lifetime use. This also includes updates.
Each operator who has acquired a license configures their own custom domain through Cloudflare DNS, so the stealer's real URL never appears in the commands issued to it. The rest is handled automatically.
Although Venom targets Windows, it is operated through an Internet domain and can be acquired and operated from both Windows and macOS systems, as reported by SecurityWeek.
