- A new Rust-based banking Trojan named VENON is targeting Brazilian users, departing from the region’s typical Delphi-based malware.
- The malware is sophisticated, using nine evasion techniques and shortcut hijacking to steal credentials from 33 financial and crypto platforms.
- The code suggests the developer used generative AI to translate known banking Trojan capabilities into the Rust language.
- Its discovery coincides with a separate WhatsApp-based worm campaign distributing other banking malware like Astaroth in Brazil.
Brazilian cybersecurity firm ZenoX revealed in March 2026 that a new Windows banking Trojan, codenamed VENON, has emerged, written in the Rust programming language. This discovery marks a significant shift from the Delphi-based malware families traditionally linked to Latin American cybercrime.
The malware first appeared last month and shares key behaviors with established regional Trojans like Grandoreiro. VENON features banking overlay logic, active window monitoring, and a mechanism for hijacking system shortcuts.
ZenoX said the Rust code structure suggests a developer familiar with existing threats possibly used generative AI to rewrite functionalities. The campaign is suspected to use social engineering lures, like ClickFix, to deliver its payload via a multi-stage PowerShell infection chain.
VENON employs nine sophisticated evasion techniques before activating. It then retrieves a configuration from a Google Cloud Storage URL and establishes a WebSocket connection to its command server.
Its hijacking mechanism specifically targets Brazil’s Itaú banking application by replacing legitimate shortcuts. Consequently, this redirects victims to attacker-controlled pages designed for credential theft.
The malware monitors for 33 targeted financial institutions and digital asset platforms. It springs into action only when a victim accesses one of these services, deploying fake overlays to capture login data.
Meanwhile, a separate but related threat exploits the ubiquity of WhatsApp in Brazil. A worm named SORVEPOTEL is delivered via the platform’s desktop web version, as detailed by Blackpoint Cyber.
Blackpoint Cyber said a single hijacked WhatsApp message could draw victims into a chain deploying malware like Astaroth. This combination of local automation and permissive environments allowed the threats to establish themselves with minimal friction.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
