Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Ravie Lakshmanan | Mar 12, 2026 | Malware / Cybercrime

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that is written in Rust, marking a significant departure from the other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.

The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.

What makes VENON notable is that it shares behaviors consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, particularly when it comes to features like banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism.

The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author's development environment. The paths repeatedly reference a Windows machine username "byst4" (e.g., "C:\Users\byst4\...").

"The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical expertise to use at the observed level of sophistication," ZenoX said.

VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL. It is suspected that the campaign leverages social engineering ploys like ClickFix to trick users into downloading a ZIP archive containing the payloads by means of a PowerShell script.

Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, and AMSI bypass, before actually initiating any malicious actions. It also reaches out to a Google Cloud Storage URL to retrieve a configuration, sets up a scheduled task, and establishes a WebSocket connection to the command-and-control (C2) server.

Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism targeting only the Itaú banking application. The components work by replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor's control.

The attack also supports an uninstall step to undo the changes, suggesting that the operation can be remotely managed by the operator to restore the shortcuts to their original state and cover its tracks.
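As a defender-side illustration of the shortcut hijacking described above, the following is an added example (not code from the article, from ZenoX, or from the malware itself). It parses the Shell Link (.lnk) binary format far enough to recover a shortcut's target path and command-line arguments, then flags a shortcut that no longer points at the expected application, points at a browser or script host instead, or passes a URL on its command line. The expected install path, the hypothetical "BankApp" name, the lookalike URL, and both sample shortcuts are constructed for the example; the .lnk layout (header, LinkInfo with a LocalBasePath, StringData, terminal block) follows the public MS-SHLLINK specification.

```python
"""Minimal Shell Link (.lnk) parser plus a tamper check for shortcut hijacking.

Assumptions (not from the article): the bank application's shortcut is expected
to point at one fixed executable; a shortcut whose target is a browser or script
host, or whose arguments carry a URL, is treated as tampered.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))   # StringData order per spec
LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
             "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
EXPECTED = r"C:\Program Files\BankApp\bankapp.exe"   # hypothetical install path


def build_lnk(target_path: str, arguments: str = "") -> bytes:
    """Build a constructed sample .lnk: header + LinkInfo(LocalBasePath) + optional arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)          # 76-byte ShellLinkHeader
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty label
    base_path = target_path.encode("ascii") + b"\x00"
    vol_off = 0x1C                                 # LinkInfo header is 28 bytes
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base_path)
    body = volume_id + base_path + b"\x00"         # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1,
                            vol_off, lbp_off, 0, suffix_off) + body
    string_data = b""
    if arguments:   # CountCharacters (2 bytes) followed by UTF-16LE characters, no terminator
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data + struct.pack("<I", 0)  # ExtraData terminal block


def parse_lnk(data: bytes) -> dict:
    """Return the local target path and the StringData fields of a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the ItemIDList; the path suffices here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                         # VolumeIDAndLocalBasePath
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    fields = {}
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return {"target": target, **fields}


def tamper_reasons(lnk: dict, expected_target: str) -> list:
    """Explain why a shortcut looks hijacked; an empty list means it matches expectations."""
    reasons = []
    target = (lnk.get("target") or "").lower()
    args = lnk.get("arguments", "")
    if target != expected_target.lower():
        reasons.append(f"target changed: {lnk.get('target')!r}")
    if target.rsplit("\\", 1)[-1] in LAUNCHERS:
        reasons.append("target is a browser or script host rather than the application")
    if URL_RE.search(args):
        reasons.append(f"arguments launch a URL: {args!r}")
    return reasons


def demo() -> dict:
    """Run the check over a clean and a constructed hijacked shortcut."""
    clean = build_lnk(EXPECTED)
    # Constructed sample of a redirected shortcut: launches a browser on a lookalike page.
    hijacked = build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                         "--app=https://bank-login.example/")
    return {"clean": tamper_reasons(parse_lnk(clean), EXPECTED),
            "hijacked": tamper_reasons(parse_lnk(hijacked), EXPECTED)}


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(label, "->", reasons or ["ok"])
```

In practice the same `parse_lnk`/`tamper_reasons` pair would be run over the .lnk files in the Desktop and Start Menu folders, with the expected target taken from an inventory of installed applications; the parser deliberately reads only the fields needed for that comparison.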

In all, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened, in order to facilitate credential theft by serving fake overlays.

The disclosure comes amid campaigns in which threat actors are exploiting the ubiquity of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform's desktop web version. The attack hinges on abusing previously authenticated chats to send malicious lures directly to victims, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.

"A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running entirely in memory," Blackpoint Cyber said.

"The combination of native automation tooling, unsupervised browser drivers, and user-writable runtimes created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction."
