A fake Avast webpage that mimics a virus scan is used to coax users into downloading Venom Stealer, a stealer that targets credentials, cookies and cryptocurrency wallet data. The payload is delivered as Avast_system_cleaner.exe, a 64-bit binary of roughly 2 MB with the MD5 hash 0a32d6abea15f3bfe2a74763ba6c4ef5, which copies itself to C:\Program Files\Google\Chrome\Application\v20svc[.]exe.
The dropped file masquerades as legitimate Chrome software and is identified by YARA rules as Venom Stealer, a descendant of the Quasar RAT framework that has been sold on clandestine forums since at least 2020. Venom Stealer exfiltrates data over unencrypted HTTP to app-metrics-cdn[.]com (IP 104.21.14[.]89) in a four-step sequence: it uploads a screenshot, wallet data and cookies, then a JSON payload, and finally sends an upload-complete signal.
The malware also stalls analysis with delays, checks for an attached debugger, and uses direct system calls to evade detection, while heartbeat messages continue to a listener endpoint. DomainTools documented a similar, older campaign in May 2025 in which attackers cloned security brands to distribute Venom alongside the StormKitty data stealer, suggesting a repeatable pattern: abuse a trusted security brand to prompt hurried action.
According to Malwarebytes, users should download software only from official sites and search for indicators such as the v20svc[.]exe file path to determine whether a system is compromised.
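The following is an added triage example written for this summary; it is not code from Malwarebytes, DomainTools or the write-up. It takes the indicators quoted above (dropper name, drop path, MD5, domain and IP), checks a host for the dropped file and compares its hash, and scans log lines for the network and file indicators. The function names, the word-boundary matching, and the sample proxy, DNS and process-creation lines are my own constructions and are labelled as such in the code.

```python
"""Triage helpers for the Venom Stealer indicators quoted in the write-up.

Assumptions (not from the original write-up): function names, the regex
boundary rules, and the constructed SAMPLE_LOG lines are mine.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted from the write-up, refanged ("[.]" -> ".") so they match raw telemetry.
IOC_MD5 = "0a32d6abea15f3bfe2a74763ba6c4ef5"
IOC_DROP_PATH = r"C:\Program Files\Google\Chrome\Application\v20svc.exe"
IOC_DROPPER_NAME = "Avast_system_cleaner.exe"
IOC_DOMAIN = "app-metrics-cdn.com"
IOC_IP = "104.21.14.89"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'v20svc[.]exe' into its matchable form."""
    return indicator.replace("[.]", ".")


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(drop_path: str = IOC_DROP_PATH) -> dict:
    """Look for the dropped binary and, if present, compare its MD5 with the IoC.

    A file at the path with a different hash is still worth a look: the path
    itself is not used by a legitimate Chrome install, so 'present' alone is a signal.
    """
    p = Path(drop_path)
    result = {"path": str(p), "present": p.is_file(), "md5": None, "hash_match": False}
    if result["present"]:
        result["md5"] = md5_of_file(p)
        result["hash_match"] = result["md5"] == IOC_MD5
    return result


# One pattern per indicator. Lookarounds stop 104.21.14.89 from matching
# 104.21.14.890 and stop the domain from matching as a substring of a longer host.
_PATTERNS = {
    "domain": re.compile(r"(?<![\w.-])" + re.escape(IOC_DOMAIN) + r"(?![\w-])", re.I),
    "ip": re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])"),
    "dropper": re.compile(re.escape(IOC_DROPPER_NAME), re.I),
    "drop_path": re.compile(re.escape("v20svc.exe"), re.I),
}


def scan_log_lines(lines) -> list:
    """Return (line_number, indicator_name, line) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in _PATTERNS.items():
            if pat.search(line):
                hits.append((n, name, line.rstrip()))
    return hits


def demo_clean_file_check() -> dict:
    """Constructed demo: a harmless file under the IoC's file name in a temp
    directory is 'present' but its hash does not match the quoted MD5."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "v20svc.exe"
        benign.write_bytes(b"constructed benign placeholder, not the sample\n")
        return check_host(str(benign))


# Constructed sample telemetry (not real logs): proxy, DNS and process-creation events.
SAMPLE_LOG = [
    "2025-06-01T10:02:11Z proxy CONNECT app-metrics-cdn.com:80 method=POST uri=/upload size=48213",
    "2025-06-01T10:02:11Z dns query A app-metrics-cdn.com answer 104.21.14.89",
    "2025-06-01T10:02:12Z proxy CONNECT 104.21.14.89:80 method=POST uri=/done size=41",
    "2025-06-01T10:02:13Z proxy CONNECT 104.21.14.890:443 method=GET uri=/ size=12",
    "2025-06-01T09:58:40Z sysmon ProcessCreate Image=C:\\Users\\u\\Downloads\\Avast_system_cleaner.exe",
    "2025-06-01T09:58:41Z sysmon FileCreate TargetFilename=C:\\Program Files\\Google\\Chrome\\Application\\v20svc.exe",
    "2025-06-01T10:00:00Z proxy CONNECT update.example.com:443 method=GET uri=/ size=100",
]

if __name__ == "__main__":
    print("host check:", check_host())
    for n, name, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {name}: {line}")
```

Run on a real host, `check_host()` looks at the quoted drop path; the log scanner takes any iterable of strings, so it can be pointed at a proxy or DNS export. The hash comparison is a confirmation step only: a file at that path with a different MD5 (a repacked build, for instance) still deserves investigation.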