Cybersecurity researchers have disclosed details of a new banking malware family, written in Rust, that targets Brazilian users. This is a notable departure from the known Delphi-based malware families that make up the Latin American cybercrime ecosystem.
Brazilian cybersecurity company ZenoX has given the malware the code name VENON. It is designed to infect Windows systems and was first observed last month. No known group or campaign has been linked to the malware. An earlier version of the artifact, dated January 2026, exposes full paths from the malware author's development environment.
The paths repeatedly reference a Windows username, "byst4" (for example, "C:\Users\byst4\...").
ZenoX said, "The Rust code structure shows signs of a developer who knows how existing Latin American banking trojans work, but who used generative AI to rewrite and add to these features in Rust, a language that requires a lot of technical knowledge to use at the level of sophistication we saw." VENON is delivered through a multi-stage infection chain that relies on DLL side-loading to execute a malicious DLL. The campaign is believed to use social engineering lures such as ClickFix to get victims to download, via a PowerShell script, a ZIP file containing the payloads.
The DLL performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, and AMSI bypass, before executing its malicious functionality.
It also reaches out to a Google Cloud Storage URL to retrieve a configuration, sets up a scheduled task, and opens a WebSocket connection to the command-and-control (C2) server. The DLL also embeds two Visual Basic Script blocks that implement a shortcut hijacking technique specific to the Itaú banking app. These components replace the legitimate system shortcuts with counterfeit ones that redirect the victim to a web page under the threat actor's control.
The attack also includes an uninstall routine that lets the operator revert the changes, meaning the operator can remotely restore the shortcuts to their original state to hide the evidence.
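As an added defender-side example, not code from ZenoX, Blackpoint or this article: a small triage function over constructed Sysmon-style events (field names assumed to follow Sysmon's schema; paths, process names and values are made up) that flags the three host artifacts the chain above leaves behind: an unsigned DLL loaded from the same user-writable folder as its host process (side-loading), a scheduled task created by a process running from a user-writable folder, and a .lnk in a Desktop or Start Menu folder written by something other than the processes that normally manage shortcuts.

```python
import re
# Field names follow Sysmon's schema (EventID 1 = process create, 7 = image
# load, 11 = file create); every path and value below is constructed.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
SHORTCUT_FILE = re.compile(
    r"^C:\\(Users\\[^\\]+\\(Desktop|AppData\\Roaming\\Microsoft\\Windows\\Start Menu)"
    r"|ProgramData\\Microsoft\\Windows\\Start Menu|Users\\Public\\Desktop)\\.*\.lnk$", re.I)
TRUSTED_LNK_WRITERS = {r"c:\windows\explorer.exe", r"c:\windows\system32\msiexec.exe"}

def flag_events(events):
    """Return (rule, process, artifact) tuples for events matching the chain."""
    findings = []
    for e in events:
        eid, image = e["EventID"], e["Image"]
        if eid == 7:
            # Side-loading candidate: unsigned DLL from the same user-writable folder as its host.
            dll = e["ImageLoaded"]
            same_dir = dll.rsplit("\\", 1)[0].lower() == image.rsplit("\\", 1)[0].lower()
            if USER_WRITABLE.match(dll) and same_dir and e.get("Signed", "false") == "false":
                findings.append(("dll_sideload_candidate", image, dll))
        elif eid == 1:
            # Scheduled task created by a parent running out of a user-writable folder.
            cmd = e.get("CommandLine", "")
            if (image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower()
                    and USER_WRITABLE.match(e.get("ParentImage", ""))):
                findings.append(("schtasks_from_user_dir", e["ParentImage"], cmd))
        elif eid == 11:
            # Shortcut hijack: .lnk in Desktop/Start Menu written by an unexpected process.
            target = e["TargetFilename"]
            if SHORTCUT_FILE.match(target) and image.lower() not in TRUSTED_LNK_WRITERS:
                findings.append(("shortcut_replaced", image, target))
    return findings

# Constructed sample telemetry: three malicious events and two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\pacote\Viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\pacote\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Viewer\Viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\Downloads\pacote\Viewer.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn Upd /tr C:\Users\alice\AppData\Roaming\upd\Viewer.exe'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Itau.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk"},
]
```

Running `flag_events(SAMPLE_EVENTS)` yields one finding per rule in event order; the thresholds (trusted shortcut writers, user-writable roots) are starting points to tune per environment.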
The malware targets 33 financial institutions and digital asset platforms by monitoring the active window title and the browser's current domain. It activates only when one of the targeted applications or websites is opened, at which point it steals credentials by displaying fake overlays. The disclosure coincides with campaigns in which attackers abuse WhatsApp's popularity in Brazil to spread a worm called SORVEPOTEL through the desktop web version of the messaging platform.
The attack relies on already-authenticated chat sessions to send malicious links directly to victims, leading to the installation of banking malware such as Maverick, Casbaneiro, or Astaroth.
Blackpoint Cyber said, "A single WhatsApp message sent through a hacked SORVEPOTEL session was enough to pull a victim into a multi-stage chain that ended with an Astaroth implant running fully in memory. The combination of local automation tools, browser drivers that don't need supervision, and runtimes that users can write to made for an unusually open environment, which made it easy for both the worm and the final payload to set up."