Cybersecurity researchers have uncovered a new banking malware strain targeting users in Brazil, signaling an evolution in the Latin American cybercrime ecosystem. The malware, named VENON, marks a break from the Delphi-based banking trojans that have dominated the region: it is written in Rust, a choice that reflects the growing technical sophistication of the actors behind these campaigns.

Security analysts from Brazilian cybersecurity firm ZenoX discovered the malware last month after identifying unusual activity targeting Windows systems. While VENON shares behavioral similarities with well-known Latin American banking trojans such as Grandoreiro, Mekotio, and Coyote, its Rust-based architecture distinguishes it from previous malware families that have historically relied on Delphi frameworks.

Researchers note that VENON retains many classic banking trojan capabilities seen in attacks on financial institutions in the region. These include banking overlay logic, active window monitoring, and shortcut (LNK) hijacking, in which the desktop shortcut for a banking application is rewritten so that victims who open it land on an attacker-controlled page rather than the real service.


Although the malware has not yet been linked to a known cybercrime group, investigators found that the developer appears to have left traces of the build environment inside the binary. Build paths embedded in an early January 2026 version of the malware repeatedly referenced the Windows username "byst4," an artifact of the machine on which the code was compiled and a potential lead on the development environment.

The malware's structure suggests familiarity with existing Latin American banking trojan frameworks, and ZenoX researchers also see signs that generative AI tools may have been used during development. According to the researchers, VENON reproduces the established attack logic of those families while expanding and rewriting it in Rust, a language in which a trojan of this complexity takes considerable expertise to implement by hand.

VENON is delivered through a multi-stage infection chain that relies on DLL side-loading: a legitimate executable is made to load the malicious dynamic-link library placed alongside it, so the payload runs under the cover of a trusted process. The campaign likely relies on social engineering such as the ClickFix technique, a lure that tricks victims into copying and running a command themselves, which downloads a ZIP archive containing the payload and executes it through PowerShell.

Before initiating its malicious activities, the malware runs through a series of evasion techniques designed to bypass security defenses: anti-sandbox checks, indirect system calls (which sidestep user-mode API hooks placed by security products), Event Tracing for Windows (ETW) bypass, and Anti-Malware Scan Interface (AMSI) bypass. Once active, the malware retrieves its configuration from a Google Cloud Storage endpoint, installs a scheduled task for persistence, and establishes a WebSocket channel to its command-and-control server. For defenders, the scheduled task and the outbound WebSocket connection are the most durable host- and network-level artifacts of an infection.


Further analysis revealed embedded Visual Basic Script components designed to hijack shortcuts associated with the Itaú banking application. The malware replaces legitimate shortcuts with malicious versions that redirect users to attacker-controlled web pages, allowing threat actors to capture login credentials and other sensitive information.

Interestingly, the attack also includes an uninstall mechanism that restores modified shortcuts to their original state, suggesting that attackers can remotely erase evidence of the compromise once operations are completed.
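As an added illustration, not code from ZenoX's report or from the malware itself: the following Python check could be run by a responder over .lnk files collected from users' Desktop and Start Menu folders to spot shortcuts rewired in the way described above. The parser follows the public MS-SHLLINK layout (header, optional IDList and LinkInfo, then the StringData fields). The script-host list, the allowed-host allowlist, the sample shortcuts and every hostname and path in them are constructed for the demo and are not taken from the campaign.

```python
import re
import struct

# Layout constants from the MS-SHLLINK (Shell Link binary) format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in exactly this order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed heuristics, not from the ZenoX report: a bank's desktop shortcut
# should never launch one of these interpreters, reference a script file,
# or point a browser at a host outside the bank's own domains.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh",
                "cmd", "rundll32", "regsvr32"}
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1)\b", re.IGNORECASE)


def build_lnk(relative_path, arguments="", working_dir="", with_id_list=False):
    """Construct a minimal Unicode .lnk as a test fixture. Real files usually
    also carry an IDList and LinkInfo block; parse_lnk skips both."""
    flags = IS_UNICODE
    body = b""
    if with_id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", 2) + b"\x00\x00"  # IDListSize + TerminalID only
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments}
    for flag, name in STRING_FIELDS:
        value = values.get(name, "")
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return header + bytes(LNK_HEADER_SIZE - len(header)) + body


def parse_lnk(data):
    """Return the StringData fields (target path, arguments, ...) of a .lnk."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            fields[name] = ""
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def shortcut_findings(fields, allowed_hosts=frozenset()):
    """Flag shortcut properties consistent with LNK hijacking."""
    findings = []
    target = fields["relative_path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if target.endswith(".exe"):
        target = target[:-4]
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    args = fields["arguments"]
    if SCRIPT_FILE_RE.search(args):
        findings.append("arguments reference a script file")
    for host in URL_HOST_RE.findall(args):
        if host.lower() not in allowed_hosts:
            findings.append(f"arguments open unexpected URL host: {host}")
    return findings


def scan_lnk(data, allowed_hosts=frozenset()):
    return shortcut_findings(parse_lnk(data), allowed_hosts)


def demo():
    """Constructed samples: one clean shortcut and two hijacked variants."""
    allowed = frozenset({"www.bank.example"})  # assumed allowlist for this demo
    samples = {
        "clean": build_lnk("..\\..\\Program Files\\Bank\\bankapp.exe", with_id_list=True),
        "hijacked_vbs": build_lnk("..\\..\\Windows\\System32\\wscript.exe",
                                  '//B "C:\\Users\\Public\\update.vbs"'),
        "hijacked_url": build_lnk("..\\..\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                                  "--app=https://login.attacker.example/bank"),
    }
    return {name: scan_lnk(data, allowed) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

In practice the allowlist would hold the bank's real login hosts, and a hit on either heuristic should prompt a look at the VBS or script file the shortcut names, since the uninstall routine described above means the modified shortcut may be the only artifact left behind once the operators clean up.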

In total, VENON is capable of targeting at least 33 financial institutions and digital asset platforms. The malware continuously monitors active window titles and browser domains, activating only when a targeted banking application or website is detected. Once triggered, it deploys fake overlays designed to steal user credentials and financial information.

The discovery of VENON comes amid other cybercrime campaigns targeting Brazilian users. Researchers have also observed a worm known as SORVEPOTEL spreading through WhatsApp Web, the browser and desktop client for the messaging service. The worm abuses the victim's already-authenticated chat session to send malicious messages to their contacts, eventually leading to the deployment of banking trojans such as Maverick, Casbaneiro, or Astaroth.

Security analysts warn that the combination of automated browser tools, permissive runtime environments, and social engineering techniques creates an environment where such malware can spread rapidly. As cybercriminals increasingly experiment with AI-assisted development and advanced programming languages like Rust, the global cybersecurity community is likely to face more sophisticated and adaptable banking malware threats in the near future.


To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com