VENOM is a name used in the provided content for multiple distinct malicious or dual-use tools. Most prominently, VENOM is described as a closed-access phishing platform discovered by Abnormal AI in April 2026 that targets Microsoft 365 executives, with 60% of observed targets holding C-level or board titles. This VENOM uses adversary-in-the-middle (AiTM) phishing as its primary access method to steal valid sessions after MFA and can establish persistence by silently registering an attacker-controlled authenticator on the victim’s Microsoft 365 account during an active stolen session. The content notes that password resets or session revocation alone do not remove this persistence and that administrators must manually remove unknown authentication devices in Microsoft Entra ID. The content also separately lists Venom as one of the major cryptocurrency drainer families active in 2024, in the broader drainer-as-a-service ecosystem that uses phishing sites and malicious smart-contract approval flows to steal funds from victims’ wallets. In addition, the content refers to Venom as a Go-based proxy tool used by threat actors including Blue Mockingbird and Lotus Blossom to establish SOCKS proxy connections, and as common tooling for MERCURY/Mango Sandstorm; Talos states Lotus Blossom customized the tool and hardcoded destination IP addresses. Because the source material conflates these separate uses under the same name, attribution of a single unified malware family called VENOM is not possible from the provided content alone.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Tooling: MERCURY’s tools of choice tend to be Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs.
Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
...the surge of account takeover accounts facilitated by OAuth 2.0 Device Authorization Grant flow exploitation...
Drainers are a type of phishing attack... The hacker wants to trick you into granting a smart contract permission to interact with your funds.
The attacks begin with an email lure... The email contains a QR code constructed in HTML using Unicode characters rather than an image file... When the victim scans the QR code... they are met with a page that performs several checks to ensure they are the intended target and not a security scanner.
...the surge of account takeover accounts facilitated by OAuth 2.0 Device Authorization Grant flow exploitation...
The attacker then registers a new MFA device on the victim’s account for persistent access... The researchers noted that MFA devices registered through this campaign will appear in Entra ID logs as “SoftwareTokenActivated” events with the display name “NO_DEVICE.”
...the surge of account takeover accounts facilitated by OAuth 2.0 Device Authorization Grant flow exploitation...
The page performs several checks to ensure they are the intended target and not a security scanner... a user-agent screening is performed to detect headless browsers, automation frameworks and other signs of security tools... followed by a human-interaction gate... The last check is a proof-of-work challenge.
The attacker then registers a new MFA device on the victim’s account for persistent access... The researchers noted that MFA devices registered through this campaign will appear in Entra ID logs as “SoftwareTokenActivated” events with the display name “NO_DEVICE.”
The device code version of the phishing attack presents the target with a verification prompt to access a Docusign document. This page abuses the device code authentication flow... The victim is directed to a legitimate Microsoft page where they submit the code and log in, unknowingly giving the attacker’s device access to their account.
The VENOM platform panel gives licensed users the ability to manage their phishing and credential harvesting campaigns, test and keep track of their live session tokens, and preserve raw OAuth server responses, potentially enabling the re-derivation of expired tokens.
The attacker then registers a new MFA device on the victim’s account for persistent access... The researchers noted that MFA devices registered through this campaign will appear in Entra ID logs as “SoftwareTokenActivated” events with the display name “NO_DEVICE.”
The page performs several checks to ensure they are the intended target and not a security scanner... a user-agent screening is performed to detect headless browsers, automation frameworks and other signs of security tools... followed by a human-interaction gate... The last check is a proof-of-work challenge.
Throughout the attack, the threat actor used different methods to communicate with their command-and-control (C2) server, including... Tunneling tool called vpnui.exe, a unique version of the open-source tool Ligolo
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named crypto drainer active in 2024, associated with phishing campaigns that trick users into authorizing malicious transfers.
A closed-access adversary-in-the-middle phishing platform targeting executives. It steals active sessions by proxying real Microsoft logins and can use the stolen session to silently register an attacker-controlled authenticator on the victim’s Microsoft 365 account for persistence.
Referenced as an existing stealer used for comparison against Noobsaibot; no further functional detail is provided in the content.
A Go-based proxy tool (legitimate pentest utility) customized by the actor to provide connectivity (e.g., bridging restricted networks) by hardcoding destination IPs.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.