VENON Rust Malware Targets Itaú and 32 Other Brazilian Banks with Advanced Credential-Stealing Attacks

Executive Summary
A newly identified banking malware, VENON, written in the Rust programming language, is actively targeting 33 Brazilian banks and digital asset platforms. This malware represents a significant technical leap from the traditional Delphi-based Latin American banking trojans, leveraging advanced evasion techniques, credential-stealing overlays, and shortcut hijacking to compromise victims and exfiltrate sensitive banking credentials. The campaign is notable for its use of Rust, a language rarely seen in this malware family, and for its sophisticated infection chain, which includes social engineering, multi-stage payload delivery, and persistence mechanisms. The threat is currently being distributed in the wild, primarily via WhatsApp desktop campaigns, and poses a critical risk to financial institutions and their customers in Brazil.
Threat Actor Profile
Attribution for the VENON malware remains inconclusive. The malware was first identified in February 2026 by the Brazilian cybersecurity firm ZenoX, but no established Advanced Persistent Threat (APT) group has claimed responsibility. Artifacts within the malware reference the developer username byst4, and code analysis suggests the use of generative AI to port and enhance capabilities from existing Latin American banking trojans. The campaign demonstrates a high degree of technical sophistication, particularly in its use of Rust and its integration of advanced anti-analysis and evasion techniques. The threat actors behind VENON are leveraging social engineering and worm-like propagation via the SORVEPOTEL malware to maximize infection rates, indicating a well-resourced and adaptive adversary.
Technical Analysis of Malware/TTPs
VENON is a modular banking trojan written in Rust, a language known for its memory safety and performance whose compiled binaries also complicate reverse engineering and detection. The infection chain begins with social engineering campaigns, such as "ClickFix," which lure users into downloading a ZIP archive. This archive contains a PowerShell script that initiates the infection process. Upon execution, the script leverages DLL side-loading to launch a malicious DLL, which in turn executes a series of nine evasion techniques. These include anti-sandbox checks, indirect syscalls, ETW (Event Tracing for Windows) bypass, and AMSI (Antimalware Scan Interface) bypass, all designed to thwart analysis and detection by security solutions.
Once established, VENON connects to a Google Cloud Storage URL to retrieve its configuration and installs a scheduled task for persistence. It then establishes a WebSocket connection to its command-and-control (C2) infrastructure. Post-exploitation, the malware extracts and executes Visual Basic Script blocks to hijack system shortcuts, particularly those associated with the Itaú banking application. This shortcut hijacking replaces legitimate shortcuts with malicious ones that redirect users to attacker-controlled web pages, facilitating credential theft.
The core credential theft mechanism relies on overlay attacks. VENON monitors window titles and active browser domains, activating only when a targeted banking application or website is detected. It then presents a fake overlay designed to capture user credentials. The malware supports remote uninstall functionality, allowing attackers to remove traces of infection and evade forensic analysis.
Observed Tactics, Techniques, and Procedures (TTPs) mapped to the MITRE ATT&CK framework include:
- T1059.001 (PowerShell for initial execution)
- T1218.011 (DLL Side-Loading)
- T1566.001 (Spearphishing Attachment via ZIP archive)
- T1027 (Obfuscated Files or Information for evasion)
- T1071.001 (Web Protocols for C2 via WebSocket)
- T1547.001 (Registry Run Keys/Startup Folder for persistence)
- T1204.002 (Malicious File for user execution)
- T1556.002 (Credentials from Web Browsers via overlay attack)
- T1036.005 (Masquerading: Match Legitimate Name or Location through shortcut hijacking)
Exploitation in the Wild
VENON is being actively distributed through WhatsApp desktop web campaigns, utilizing the SORVEPOTEL worm to propagate malicious payloads. SORVEPOTEL exploits authenticated chats to deliver lures, which lead to multi-stage infection chains. Victims receive ZIP archives containing PowerShell scripts, which, when executed, initiate the VENON infection process. The final payload may also include other banking malware such as Maverick, Casbaneiro, or Astaroth, indicating a broader ecosystem of financially motivated malware targeting Brazilian users.
The malware's use of shortcut hijacking is particularly insidious, as it allows attackers to persistently redirect users to credential-stealing overlays even after system reboots. The campaign has been observed targeting major Brazilian financial institutions, with Itaú confirmed as a primary target. The full list of affected banks and platforms remains undisclosed, but the scale and sophistication of the campaign suggest a high level of operational capability.
Victimology and Targeting
The primary victims of the VENON campaign are customers of 33 Brazilian banks and digital asset platforms. The malware specifically targets users who access these institutions via desktop applications or web browsers, leveraging overlay attacks to capture credentials at the point of login. The infection vector relies heavily on social engineering, with lures tailored to Brazilian users and distributed via popular communication platforms such as WhatsApp. The campaign demonstrates a clear focus on the Brazilian financial sector, exploiting local user behaviors and application usage patterns to maximize effectiveness.
Mitigation and Countermeasures
To defend against VENON and similar threats, organizations should implement a multi-layered security strategy. Blocking the execution of PowerShell scripts from untrusted sources is critical, as is monitoring for suspicious scheduled tasks and modifications to shortcut files. Network monitoring should be configured to detect unusual WebSocket connections and access to Google Cloud Storage URLs, which may indicate configuration retrieval or C2 communication.
User education is paramount; employees and customers should be trained to recognize and avoid social engineering and phishing campaigns, particularly those targeting financial operations. Endpoint Detection and Response (EDR) solutions capable of detecting DLL side-loading, anti-analysis evasion techniques, and unauthorized shortcut modifications should be deployed. Regular audits of system shortcuts and scheduled tasks can help identify and remediate infections before credential theft occurs.
Organizations should also maintain up-to-date threat intelligence feeds and collaborate with industry peers to share indicators of compromise (IOCs) and best practices. In the event of a suspected compromise, immediate incident response actions should be taken, including isolating affected systems, collecting forensic evidence, and notifying relevant stakeholders.
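As an added example (not code from the report or from any vendor named here), the following PowerShell script performs the shortcut and scheduled-task audit recommended above on a Windows host, flagging shortcuts and task actions that launch a script host or carry a URL or script in their arguments, and always listing shortcuts whose name refers to the Itaú application so their resolved target can be checked. The directory list, the script-host list and the Itaú name pattern are assumptions chosen for illustration; Get-ScheduledTask requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Assumed lists for this example: interpreters a banking shortcut should never launch,
# the shortcut locations to audit, and a name pattern for the Itaú application shortcut.
$ScriptHosts = 'powershell.exe','pwsh.exe','wscript.exe','cscript.exe','cmd.exe','mshta.exe','rundll32.exe','regsvr32.exe'
$ShortcutRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
)
$BankShortcutPattern = '(?i)ita[uú]'   # assumption: shortcut names referring to the Itaú app

function Test-SuspiciousCommand {
    param([string]$Exe, [string]$Arguments)
    $leaf = [System.IO.Path]::GetFileName($Exe).ToLowerInvariant()
    if ($ScriptHosts -contains $leaf) { return $true }                               # runs a script host
    if ($Arguments -match '(?i)https?://|\.vbs\b|\.ps1\b|-enc|-w(indowstyle)? hidden') { return $true }  # URL/script in args
    return $false
}

$findings = @()

# 1) Shortcut audit: resolve every .lnk with the Shell COM object and inspect its real target.
$shell = New-Object -ComObject WScript.Shell
foreach ($root in $ShortcutRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $isBank = $_.BaseName -match $BankShortcutPattern
        if ($isBank -or (Test-SuspiciousCommand $lnk.TargetPath $lnk.Arguments)) {
            $findings += [pscustomobject]@{
                Type     = if ($isBank) { 'BankShortcut' } else { 'Shortcut' }
                Path     = $_.FullName
                Modified = $_.LastWriteTime          # a recent change on a bank shortcut is a red flag
                Target   = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
        }
    }
}

# 2) Scheduled-task audit: flag any task action that launches a script host or passes a URL/script.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and (Test-SuspiciousCommand $a.Execute $a.Arguments)) {   # skip COM-handler actions
            $findings += [pscustomobject]@{
                Type = 'ScheduledTask'; Path = "$($_.TaskPath)$($_.TaskName)"
                Modified = $_.Date; Target = "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
    }
}

$findings | Sort-Object Type, Path | Format-Table -AutoSize
```

Run it in an elevated session so that tasks and shortcuts under ProgramData are readable; review every BankShortcut row against the application's installed executable path rather than treating the listing as a verdict.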
References
- The Hacker News: Rust-Based VENON Malware Targets 33 Brazilian Banks
- NetManageIT Blog: Rust-Based VENON Malware
- ZenoX (original discoverer, referenced in the THN article)
- Blackpoint Cyber: SORVEPOTEL WhatsApp Worm Campaign (quoted in THN)
- MITRE ATT&CK Framework
About Rescana
Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities and respond to emerging threats. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.