VENON Banking Malware

Cybersecurity researchers have uncovered a new banking malware campaign targeting users in Brazil. The malware, named VENON, marks a notable shift in the regional cybercrime ecosystem because it is written in the Rust programming language rather than the traditionally used Delphi.

This change in development approach represents a significant evolution in Latin American banking malware, which has historically relied on Delphi-based frameworks. VENON specifically targets Windows environments and was initially discovered in February 2026.

Behavioral Parallels With Established Banking Trojans

Despite its modern implementation language, VENON exhibits operational behaviors consistent with well-known Latin American banking trojans such as Grandoreiro, Mekotio, and Coyote.

The malware integrates several capabilities typically associated with these threats:

  • Banking overlay logic designed to impersonate legitimate financial interfaces
  • Active window monitoring to detect targeted banking applications or websites
  • Shortcut (LNK) hijacking mechanisms to redirect victims toward malicious infrastructure

These similarities suggest that VENON was engineered with detailed knowledge of the operational patterns used by existing banking malware campaigns in the region.

Development Clues and Possible Use of Generative AI

The campaign has not yet been formally attributed to a known threat actor or cybercriminal group. However, forensic analysis of an earlier build from January 2026 revealed traces of the developer’s environment embedded in the binary: file paths repeatedly reference a Windows user profile named 'byst4', such as C:\Users\byst4..., offering a glimpse of the threat actor’s development setup.

Code analysis further indicates a structure consistent with developers already familiar with Latin American banking malware techniques. At the same time, the codebase suggests the possible use of generative AI tools to refactor or expand previously established capabilities into Rust. Implementing such functionality in Rust requires substantial technical expertise, highlighting the sophistication behind the project.

Multi-Stage Infection Chain and Evasion Tactics

VENON is delivered through a carefully structured infection chain that ultimately executes a malicious dynamic link library through DLL side-loading. The campaign is believed to rely on social-engineering strategies similar to the ClickFix technique to convince victims to download a ZIP archive containing the payload.

Execution begins with a PowerShell script that retrieves and launches the malicious components. Before initiating any malicious activity, the DLL performs an extensive set of defensive evasion measures:

  • Anti-sandbox checks
  • Indirect system calls to bypass security monitoring
  • ETW (Event Tracing for Windows) bypass techniques
  • AMSI (Antimalware Scan Interface) bypass mechanisms
  • Additional anti-analysis routines, bringing the total to nine evasion techniques

After passing these checks, the malware retrieves configuration data from a cloud-hosted resource stored on Google Cloud infrastructure. It then installs a scheduled task for persistence and establishes a WebSocket connection with its command-and-control server.
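Defenders hunting for the persistence stage described above can start from the scheduled tasks themselves. The following PowerShell script is an added example, not code from the write-up or from the malware analysis; it lists every task whose action launches a script host or living-off-the-land binary, or runs something from a user-writable directory, and it assumes the standard ScheduledTasks module available on Windows 8 / Server 2012 and later. The executable names and path patterns it flags are generic triage heuristics, not indicators taken from VENON.

```powershell
# Added example (not part of the original write-up): audit scheduled tasks for
# actions that look like malware persistence rather than vendor maintenance jobs.

# Script hosts and LOLBins that a legitimate vendor task rarely needs (assumed list)
$suspiciousExe = 'wscript.exe','cscript.exe','mshta.exe','powershell.exe','pwsh.exe',
                 'rundll32.exe','regsvr32.exe','cmd.exe'

# Regex fragments for directories a standard user can write to (assumed list)
$writableRoots = '\\AppData\\','\\Temp\\','\\ProgramData\\','\\Public\\','\\Downloads\\'

# First-pass triage: skip Microsoft's own task folder, which legitimately uses
# powershell.exe. A task planted under \Microsoft\ would be missed here, so
# drop the filter for a deeper sweep.
$findings = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; COM-handler actions do not
        if (-not $action.Execute) { continue }

        $exe  = [IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
        $line = "$($action.Execute) $($action.Arguments)"
        $hit  = $null

        if ($suspiciousExe -contains $exe) {
            $hit = 'script host / LOLBin'
        } elseif ($writableRoots | Where-Object { $line -match $_ }) {
            $hit = 'executes from user-writable path'
        }

        if ($hit) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Command  = $line
                LastRun  = $info.LastRunTime
                Reason   = $hit
            }
        }
    }
}

$findings | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Run it in an elevated session so that tasks registered by other users are visible. Every hit still needs manual review: installers and update agents do sometimes run from ProgramData, so the Author column and the task's registration time (visible via Export-ScheduledTask) are the quickest way to separate vendor jobs from something dropped by a PowerShell loader.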

Targeted Shortcut Hijacking Against Itaú Banking Software

The malicious DLL also contains two embedded VBScript files. These scripts implement a targeted shortcut hijacking operation aimed specifically at the desktop application of Itaú Unibanco.

The mechanism replaces legitimate system shortcuts with manipulated versions that redirect victims to attacker-controlled web pages designed to capture sensitive financial credentials. This targeted approach indicates a strong focus on high-value banking platforms within Brazil.

Interestingly, the malware includes an uninstall capability that can restore the original shortcuts. This functionality implies remote operator control and enables attackers to remove evidence of compromise once an operation is complete.
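The shortcut hijacking described in this section and in the capability list above leaves a simple trace: a .lnk file whose target no longer points at the application it claims to launch. The following PowerShell script is an added example for defenders, not code from the write-up; it reads each shortcut in the common desktop and Start Menu locations through the WScript.Shell COM object and flags targets that are script hosts, browsers launched with a hard-coded URL, or binaries living under a user's AppData folder. The flagged executable names and the folder list are assumptions for illustration, not indicators published for VENON.

```powershell
# Added example (not part of the original write-up): find shortcuts that have
# been repointed away from the application they appear to represent.
$shell = New-Object -ComObject WScript.Shell

# Shortcut locations a user actually clicks on (assumed typical set)
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
)

# A shortcut named after a banking app should not launch any of these (assumed lists)
$scriptHosts = 'wscript.exe','cscript.exe','mshta.exe','powershell.exe','pwsh.exe',
               'rundll32.exe','regsvr32.exe','cmd.exe'
$browsers    = 'chrome.exe','msedge.exe','firefox.exe','iexplore.exe','brave.exe','opera.exe'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $exe     = [IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $lnkArgs = $lnk.Arguments
        $reason  = $null

        if ($scriptHosts -contains $exe) {
            $reason = 'target is a script host / LOLBin'
        } elseif ($browsers -contains $exe -and $lnkArgs -match 'https?://') {
            $reason = 'browser launched with a hard-coded URL'
        } elseif ($lnk.TargetPath -match '\\Users\\[^\\]+\\AppData\\') {
            $reason = 'target lives in a user-writable profile directory'
        }

        if ($reason) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnkArgs
                Modified  = $_.LastWriteTime
                Reason    = $reason
            }
        }
    }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

The Modified column is the most useful triage cue: a banking shortcut whose LastWriteTime is days after the application was installed, and which now opens a browser at a fixed URL, matches the overlay-redirect pattern exactly. The AppData rule will also surface legitimate per-user installs (chat and collaboration clients commonly live there), so treat that rule as a prompt to inspect the target binary rather than as a verdict.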

Broad Financial Targeting and Credential Theft Strategy

VENON is engineered to monitor both active window titles and browser domains, enabling it to detect when users access financial services. The malware is configured to recognize activity involving 33 financial institutions and digital asset platforms.

Once a targeted application or website is detected, the malware deploys fraudulent overlay screens that mimic legitimate login interfaces. Victims interacting with these overlays unknowingly submit their credentials directly to the attackers, enabling account takeover and financial theft.
