Cybersecurity researchers have revealed details of a new banking malware written in Rust that targets Brazilian users, a significant departure from the Delphi-based malware families that have long dominated the Latin American cybercrime ecosystem.
The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.
What makes VENON notable is that its behavior is consistent with established banking trojans targeting Latin America such as Grandoreiro, Mekotio, and Coyote, in particular its banking overlay logic, active window monitoring, and shortcut (LNK) hijacking mechanism.
The malware has not been attributed to any previously documented group or campaign. However, an older version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author’s development environment. The paths repeatedly reference the Windows machine username “byst4” (for example, “C:\Users\byst4\…”).
“The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and extend these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication,” ZenoX said.
VENON is distributed through a multi-stage infection chain that relies on DLL side-loading: a legitimate, signed executable is made to load the malicious DLL. The campaign is suspected to use social engineering lures such as ClickFix to trick users into running a PowerShell script that downloads a ZIP archive containing the payload.
Once the DLL is loaded, it runs nine evasion techniques, including an anti-sandbox check, indirect syscalls, an ETW bypass, and an AMSI bypass, before initiating any malicious action. It then fetches its configuration from a Google Cloud Storage URL, installs a scheduled task for persistence, and establishes a WebSocket connection to the command-and-control (C2) server.
Two Visual Basic script blocks extracted from the DLL implement the shortcut hijacking mechanism, which specifically targets the Itau banking application. They replace legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor's control.
The malware also implements an uninstall routine that reverts these modifications, suggesting that operators can remotely restore the original shortcuts to cover their tracks.
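The shortcut hijacking described above leaves a durable artifact on disk: a .lnk file whose target or arguments no longer match what the original shortcut did. The following is an added example of a defensive audit script, not code from ZenoX or from the malware: it parses the Shell Link (MS-SHLLINK) header and StringData section of every .lnk under a directory and flags shortcuts whose arguments contain a URL or whose target is a script interpreter. The detection heuristics, the browser and interpreter names, and the `build_lnk` fixture builder (used only to construct sample shortcuts so the script runs offline) are assumptions made for this example; the Itau file paths and the URL are constructed, not taken from any real sample.

```python
"""Audit Windows .lnk shortcuts for signs of hijacking (added example)."""
from __future__ import annotations

import re
import struct
import sys
from pathlib import Path

LNK_HEADER_SIZE = 0x4C            # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST = 0x01    # LinkFlags bits from MS-SHLLINK
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumed lists for the heuristics; extend to taste.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe")
INTERPRETERS = ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def parse_lnk(data: bytes) -> dict:
    """Parse header flags and StringData; skips the ID list and LinkInfo blocks."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link (bad HeaderSize)")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers whole block
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def assess_shortcut(fields: dict) -> list[str]:
    """Return the reasons a shortcut looks hijacked; an empty list means clean."""
    reasons = []
    target = fields["relative_path"].lower()
    args = fields["arguments"]
    if URL_RE.search(args):
        reasons.append("arguments contain a URL")
    if target.endswith(BROWSERS) and args.strip():
        reasons.append("browser launched with pre-set arguments")
    if target.endswith(INTERPRETERS):
        reasons.append("target is a script interpreter")
    return reasons


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Map each suspicious .lnk path under root to its reasons."""
    findings = {}
    for lnk in root.rglob("*.lnk"):
        try:
            reasons = assess_shortcut(parse_lnk(lnk.read_bytes()))
        except (ValueError, struct.error, UnicodeDecodeError) as exc:
            reasons = [f"unparseable: {exc}"]
        if reasons:
            findings[str(lnk)] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str, working_dir: str = "") -> bytes:
    """Build a minimal Unicode Shell Link. Constructed fixture for offline testing only."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_WORKING_DIR if working_dir else 0)
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 20, flags)
    body = bytearray()
    for value, present in ((relative_path, True), (working_dir, bool(working_dir)), (arguments, True)):
        if present:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return bytes(header) + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. the user's Desktop or Start Menu folder
        for path, why in scan_directory(Path(sys.argv[1])).items():
            print(path, "->", "; ".join(why))
    else:                                       # demo on constructed shortcuts
        good = build_lnk(r"..\..\Program Files\Itau\Itau.exe", "", r"C:\Program Files\Itau")
        bad = build_lnk(r"..\..\Google\Chrome\Application\chrome.exe",
                        "--new-window https://example.invalid/itau")
        for blob in (good, bad):
            print(assess_shortcut(parse_lnk(blob)) or "clean")
```

Run it against the folders the malware would have to touch to redirect a banking shortcut: the user's Desktop, the Public Desktop, and both the per-user and all-users Start Menu trees. The parser only reads StringData; a shortcut whose target lives solely in the LinkTargetIDList will show an empty `relative_path`, so for those the arguments heuristic is all you have, and a hash comparison against a known-good baseline of the same shortcuts is the stronger check.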
In total, the malware is equipped to target 33 financial institutions and digital asset platforms. It monitors window titles and the active browser domain and activates only when a targeted application or website is opened, at which point it serves a fake overlay to steal credentials.
The disclosure comes amid a string of campaigns in which threat actors are taking advantage of WhatsApp's ubiquity in Brazil to distribute a worm called SORVEPOTEL through the desktop web version of the messaging platform. The attack abuses already-authenticated chat sessions to deliver malicious lures directly to the victim's contacts, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.
Blackpoint Cyber said, “A single WhatsApp message delivered through a hijacked SORVEPOTEL session was enough to draw the victim into a multi-stage chain that ultimately resulted in the Astaroth implant running completely out of memory.”
“The combination of local automation tooling, untested browser drivers, and user-writable runtime created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction.”