Rust-Based Banking Trojan VENON Targets Brazilian Financial Users

CyberSecureFox 🦊

A new Windows banking trojan dubbed VENON has emerged in the Latin American cybercrime ecosystem, targeting primarily users in Brazil. The malware stands out by being written in Rust, diverging from the long‑standing regional preference for Delphi, and by combining advanced evasion techniques with cloud infrastructure and social‑engineering campaigns delivered via WhatsApp.

Rust-based VENON banking trojan: evolution of Latin American malware families

Researchers from Brazilian security company ZenoX classify VENON as an evolution of well‑known Latin American banking trojan families, including Grandoreiro, Mekotio, and Coyote. Its core capabilities mirror those of earlier strains: overlay windows on top of banking sites and apps, monitoring of the active window title and browser tabs, and shortcut hijacking (LNK hijacking) to redirect users to attacker‑controlled resources.

Attribution to a specific threat group has not yet been established. Analysis of an earlier VENON sample from January 2026 revealed full development paths embedded in the binary, including a Windows username “byst4”. ZenoX assesses that the Rust code structure reflects a developer familiar with existing Latin American banking malware who likely used generative AI to rewrite and extend functionality in Rust. Industry reporting from 2023–2024 had already highlighted growing attacker interest in Rust because its performance, memory safety, and compilation model make reverse engineering and static analysis more difficult.

Multi-stage Windows infection chain and advanced evasion techniques

VENON propagates through a multi‑stage Windows compromise chain built around DLL side-loading. Victims are lured into downloading a ZIP archive masquerading as a “fix” or “update” package, similar to the ClickFix-style campaigns frequently observed in the region. The archive bundles a legitimate application alongside a malicious DLL, whose execution is triggered via a PowerShell script.

Before performing its core banking‑fraud functions, the malicious DLL executes at least nine evasion techniques. These include sandbox and virtual machine checks, the use of indirect syscalls to bypass user‑mode hooks, disabling ETW (Event Tracing for Windows), and bypassing AMSI (Antimalware Scan Interface), the Windows interface that lets security products inspect script content, such as PowerShell, before it runs. By neutralizing common telemetry and behavioral monitoring points, VENON significantly reduces the effectiveness of traditional antivirus and entry‑level EDR tools that depend on these signals.

Once its environment is deemed safe, VENON retrieves its configuration from a Google Cloud Storage URL, creates a scheduled task for persistence, and establishes a WebSocket-based connection to a command‑and‑control (C2) server. Leveraging large cloud providers allows attackers to blend malicious connections with legitimate cloud traffic, complicating detection and network‑level blocking.

Targeting banks, crypto services and Itaú customers with overlays and shortcut hijacking

After configuration download, VENON transitions into the active attack phase. The trojan continuously inspects window titles and active browser domains, activating only when it detects one of 33 targeted financial organizations and digital‑asset platforms. The list includes traditional banks as well as cryptocurrency exchanges and digital‑asset services, reflecting the convergence of banking and crypto fraud in the region.

When a targeted application or website is opened, VENON displays a fraudulent overlay—a fake window or web form designed to be visually indistinguishable from the legitimate banking interface. Users are tricked into entering credentials, one‑time passwords, and 2FA codes, which are immediately exfiltrated to the C2 server for real‑time abuse.

One notable feature is the shortcut hijacking mechanism aimed specifically at customers of Brazilian bank Itaú. Analysts extracted two VBScript blocks from the DLL responsible for replacing legitimate system shortcuts with modified versions. As a result, users who believe they are launching the official Itaú client are silently redirected to attacker‑controlled resources. A dedicated uninstall routine can restore the original shortcuts and remove traces of the compromise, hindering incident response and post‑incident forensics.

WhatsApp Web as an attack vector: SORVEPOTEL worm campaigns

The discovery of VENON coincides with other campaigns targeting Brazilian users via WhatsApp, which is widely used as a primary communications channel. Researchers are tracking the spread of the SORVEPOTEL worm through WhatsApp Web on desktop systems. Threat actors hijack already authenticated browser sessions and send malicious messages across existing conversations, significantly increasing the likelihood that recipients will trust and open the payload.

These infection chains frequently culminate in the installation of well‑known Latin American banking trojans such as Maverick, Casbaneiro, or Astaroth. According to Blackpoint Cyber, a single message sent from a compromised SORVEPOTEL session was sufficient to initiate a multi‑stage attack leading to the deployment of the memory‑resident Astaroth implant. Investigators describe the combination of local automation tools, “headless” browser drivers, and user‑writable runtime environments as creating an “unusually permissive” environment in which both the worm and final loader can persist with minimal resistance from endpoint defenses.

Key trends and practical defense recommendations

The VENON campaign illustrates several important trends in modern banking malware and Latin American financial cybercrime:

  • Shift to system-level languages like Rust: Attackers increasingly adopt Rust for malware development to gain performance and hinder reverse engineering and static detection.
  • Use of generative AI in malware creation: Developers appear to leverage AI tools to refactor existing Delphi-based codebases into Rust and expand capabilities more quickly.
  • Abuse of cloud infrastructure: Hosting configuration and C2 endpoints on platforms such as Google Cloud Storage allows malicious traffic to hide among legitimate services.
  • Exploitation of everyday communication tools: WhatsApp Web and similar platforms provide high‑trust channels for delivering multi‑stage financial malware campaigns.

For organizations and users in Brazil and other affected regions, several measures can reduce exposure to Rust‑based banking trojans and WhatsApp‑borne threats:

  • Avoid downloading “updates” or “fixes” from links received via email or messaging apps, even when sent from known contacts.
  • Restrict and log the use of PowerShell and other script interpreters on workstations, applying constrained language mode and application control where possible.
  • Deploy modern EDR/XDR solutions capable of detecting ETW/AMSI tampering, indirect syscall abuse, and suspicious interactions with cloud storage services.
  • Separate business and personal WhatsApp Web sessions, regularly closing inactive sessions and monitoring for unusual messaging activity.
  • Enable multi-factor authentication and prefer hardware security keys over SMS or app‑based OTPs for critical banking and administrative accounts.
  • Conduct regular security awareness training focused on phishing, social engineering, and malicious “support” or “update” scenarios.

The emergence of VENON and concurrent WhatsApp‑driven campaigns confirms that banking trojans are rapidly adapting to defensive controls and user behavior. As attackers move to Rust, cloud platforms, and ubiquitous messaging apps, effective defense increasingly depends on behavioral analytics, strong endpoint hardening, and continuous user education rather than signatures alone. Organizations that invest in monitoring high‑risk tools like PowerShell, scrutinize cloud‑bound traffic, and routinely train staff and customers will be far better positioned to prevent account takeover and protect sensitive financial data.
