Rust-Based VENON Trojan Targets Brazilian Banks with Advanced Evasion Techniques

Emergence of VENON: A Rust-Based Banking Trojan Targeting Brazilian Financial Institutions

Cybersecurity experts have recently identified a sophisticated banking malware named VENON, which is specifically targeting Brazilian users. Notably, VENON is developed using the Rust programming language, marking a significant shift from the traditionally observed Delphi-based malware families prevalent in Latin America’s cybercrime landscape.

VENON is engineered to infiltrate Windows operating systems, with its initial detection occurring in February 2026. The Brazilian cybersecurity firm ZenoX has been at the forefront of analyzing this malware. VENON exhibits behaviors akin to established banking trojans such as Grandoreiro, Mekotio, and Coyote. These behaviors include implementing banking overlay techniques, monitoring active windows, and employing shortcut (LNK) hijacking mechanisms.

As of now, VENON has not been linked to any previously documented cybercriminal groups or campaigns. However, an earlier variant of the malware, dating back to January 2026, revealed development paths referencing a Windows machine username byst4 (e.g., C:\Users\byst4\…). This detail provides a potential lead into the malware’s origin.

ZenoX’s analysis suggests that the structure of VENON’s Rust code points to a developer well-versed in the functionality of existing Latin American banking trojans. It appears that this developer used generative AI to rewrite and enhance that functionality in Rust—a language known for its complexity, which demands substantial technical expertise.

Infection Mechanism:

VENON employs a sophisticated infection chain that uses DLL side-loading to execute a malicious DLL. The campaign is believed to rely on social engineering tactics, such as the ClickFix ploy, to deceive users into downloading, via a PowerShell script, a ZIP archive containing the payloads.

Upon execution, the DLL implements nine evasion techniques, including anti-sandbox checks, indirect system calls, Event Tracing for Windows (ETW) bypass, and Antimalware Scan Interface (AMSI) bypass. These measures are designed to evade detection before initiating any malicious activities. The malware then connects to a Google Cloud Storage URL to retrieve configuration data, installs a scheduled task, and establishes a WebSocket connection to its command-and-control (C2) server.

Shortcut Hijacking and Credential Theft:

A notable feature of VENON is its use of Visual Basic Script blocks to implement a shortcut hijacking mechanism, specifically targeting the Itaú banking application. This technique involves replacing legitimate system shortcuts with altered versions that redirect victims to a web page controlled by the attackers.

The malware also includes an uninstall function, allowing operators to remotely restore the original shortcuts, thereby covering their tracks and reducing the likelihood of detection.
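As an added illustration (not part of the ZenoX analysis or of this article), the following PowerShell audit surfaces shortcuts that have been rewritten in the manner described above, where a familiar shortcut now launches a browser or script host with an attacker-controlled URL; the folder list, the host list and the flagging rules are assumptions to be tuned per environment.

```powershell
# Added example: audit user-facing .lnk files for signs of shortcut hijacking.
# A hijacked shortcut keeps its original name and icon, but its target or
# arguments now open a URL, often through a browser or script host.
# Folder list, host list and flagging rules are assumptions; tune them per fleet.

$shell = New-Object -ComObject WScript.Shell

# Locations where a user-facing shortcut would plausibly be swapped (assumed list).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
)

# Targets that warrant review when paired with arguments (assumed list).
$suspiciousHosts = 'chrome.exe','msedge.exe','firefox.exe','iexplore.exe',
                   'wscript.exe','cscript.exe','mshta.exe','powershell.exe','cmd.exe'
$urlPattern = '(?i)\b(https?://|www\.)'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = [System.IO.Path]::GetFileName($lnk.TargetPath)
        $lnkArgs = $lnk.Arguments
        $reasons = @()
        if ($lnkArgs -match $urlPattern) { $reasons += 'URL in arguments' }
        if ($lnkArgs -and ($suspiciousHosts -contains $target)) { $reasons += "host with arguments: $target" }
        if ($lnk.TargetPath -and -not (Test-Path $lnk.TargetPath)) { $reasons += 'target missing' }
        if ($reasons.Count -gt 0) {
            # LastWriteTime helps spot shortcuts rewritten recently, or restored
            # after the fact by an operator-side "uninstall".
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnkArgs
                Modified  = $_.LastWriteTime
                Reasons   = ($reasons -join '; ')
            }
        }
      }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Because the operator can restore the original shortcuts remotely, a one-off audit may come up clean; retaining file-modification events for these folders lets a defender see a swap that has since been reverted.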

VENON is capable of targeting 33 financial institutions and digital asset platforms. It monitors window titles and active browser domains, activating only when targeted applications or websites are accessed. This behavior facilitates credential theft by presenting fake overlays to unsuspecting users.

Broader Context:

The discovery of VENON coincides with campaigns where threat actors exploit the widespread use of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform’s desktop web version. This attack method involves abusing previously authenticated chats to deliver malicious lures directly to victims, ultimately leading to the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.

In one instance, a single WhatsApp message delivered through a WhatsApp session hijacked by SORVEPOTEL was sufficient to initiate a multi-stage chain, culminating in an Astaroth implant running entirely in memory.

Implications and Recommendations:

The emergence of VENON underscores the evolving tactics of cybercriminals targeting the financial sector. The use of Rust—a language known for its performance and safety features—indicates a strategic shift aimed at enhancing malware resilience and evasion capabilities.

Financial institutions and users are advised to exercise heightened vigilance. Implementing robust security measures, such as regular software updates, employee training on phishing tactics, and the use of advanced threat detection systems, is crucial in mitigating the risks posed by sophisticated malware like VENON.

As cyber threats continue to evolve, staying informed and proactive is essential in safeguarding sensitive financial information and maintaining trust in digital banking platforms.