Rust-Built VENON Trojan Targets 33 Brazilian Banks via Credential-Stealing Overlays
A Rust-written trojan named VENON is hitting 33 Brazilian financial institutions using fake credential overlays and hijacked Itaú app shortcuts.

A banking trojan written in Rust is actively targeting 33 Brazilian financial institutions, using credential-stealing overlays and shortcut hijacking to drain victims' accounts before they realize anything is wrong. Brazilian cybersecurity firm ZenoX, which codenamed the malware VENON, says the threat stands apart from the region's typical Delphi-based trojan families, and the choice of Rust is not incidental.
VENON runs on Windows and pursues a straightforward but layered attack: it monitors active banking windows, waits for a targeted application to come into focus, then draws a fake overlay on top of it to harvest credentials. The shortcut hijacking component is more direct still. The malware replaces legitimate LNK files, specifically Itaú's desktop shortcuts, with malicious substitutes that send users to attacker-controlled pages. Itaú is one of Brazil's largest banks, and its customers represent a dense, high-value target pool.
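The shortcut hijack described above leaves a durable artifact on disk: the replaced .lnk itself. As an added example (not ZenoX's code and not anything recovered from the malware), the following Python parses a collected shortcut offline and flags the pattern the report describes, a shortcut that no longer launches the bank's application but hands the user to a web page. The field layout follows the MS-SHLLINK format; the hijack heuristics, the in-memory sample shortcut, its paths and the placeholder URL are assumptions made for this example.

```python
"""Offline triage of Windows .lnk files for the shortcut-hijack pattern above.

Added example, not code from ZenoX or from the malware. The parser follows the
MS-SHLLINK layout; the heuristics and the in-memory sample shortcut (URL and
paths are placeholders) are this example's own assumptions.
"""
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Heuristic lists (assumptions): binaries a bank shortcut should never point at,
# and directories where dropped payloads are commonly staged.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
STAGING_DIRS = re.compile(r"\\(appdata|temp|programdata|downloads)\\", re.I)


def _cstr(buf, off):
    """Null-terminated ANSI string; latin-1 stands in for the system code page."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Recover the target path and StringData fields from a .lnk byte string."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: 2-byte size followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: target = LocalBasePath + CommonPathSuffix
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    info = {"target": target}
    width = 2 if flags & IS_UNICODE else 1
    # StringData sections appear in this fixed order, each a 2-byte char count plus the chars
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return info


def hijack_indicators(info):
    """Reasons a parsed shortcut looks hijacked; an empty list means nothing was flagged."""
    target = (info.get("target") or "").lower()
    args = info.get("arguments") or ""
    reasons = []
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("target is a script host rather than the banking application")
    if re.search(r"https?://", args, re.I):
        reasons.append("arguments carry a URL (shortcut redirects to a web page)")
    if STAGING_DIRS.search(target):
        reasons.append("target sits in a user-writable staging directory")
    return reasons


def build_sample_lnk(target_path, arguments):
    """Constructed .lnk bytes with LinkInfo, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_LINKINFO | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # VolumeID: DRIVE_FIXED, empty label
    local = target_path.encode("latin-1") + b"\x00"
    vol_off = 0x1C                        # LinkInfo header size without Unicode offsets
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(local)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume + local + b"\x00"  # empty CommonPathSuffix

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    exe = target_path.rsplit("\\", 1)[-1]
    return header + link_info + string_data(".\\" + exe) + string_data(arguments) + struct.pack("<I", 0)


if __name__ == "__main__":
    # Constructed hijacked shortcut: a script host opening a placeholder URL
    bad = parse_lnk(build_sample_lnk(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-w hidden -c "Start-Process http://example.invalid/login"'))
    print(bad["target"], "|", bad["arguments"], "|", hijack_indicators(bad))
    # Constructed benign shortcut: a binary under Program Files with no arguments
    good = parse_lnk(build_sample_lnk(r"C:\Program Files\ExampleBank\bank.exe", ""))
    print(good["target"], "|", hijack_indicators(good))
```

In practice you would feed `parse_lnk` the bytes of every .lnk collected from the user's Desktop, the Public Desktop and the Start Menu, and tune `SCRIPT_HOSTS` and `STAGING_DIRS` to where the bank's own software actually installs. Two caveats: legitimate shortcuts can carry arguments, and a hijacked shortcut can just as well point at an attacker-dropped binary with no URL at all, so the heuristics are a triage aid, not a verdict; comparing the shortcut's write time against the bank installer's timestamp is a useful second signal.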
The infection chain begins with what ZenoX suspects is ClickFix-style social engineering that tricks users into downloading a ZIP archive. A PowerShell script inside the archive stages the payload, and the malicious DLL is then executed through DLL side-loading. Once running, VENON retrieves its configuration from Google Cloud-hosted storage and maintains a WebSocket connection to its command-and-control server. According to SC World's reporting on ZenoX's findings, the malware incorporates nine evasion techniques, including anti-sandbox checks and AMSI bypasses.
Behavioral overlap with Grandoreiro, Mekotio, and Coyote, three established Latin American banking trojans, is significant across the overlay logic, window monitoring, and LNK hijacking components. But the Rust implementation is what caught ZenoX's attention. "The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication," ZenoX said.
That generative AI assessment is an analytic observation rather than a proven fact, and ZenoX frames it as such. What is concrete is the January 2026 artifact that ZenoX found while tracing the malware's development history. That earlier sample exposed full file paths from the author's build environment, with the Windows machine username "byst4" appearing repeatedly, as in the path "C:\Users\byst4\...". That kind of operational slip is the sort of detail that can eventually tie a malware author to a real identity, though as of now VENON has not been attributed to any previously documented group or campaign.
Some outlets also include digital asset platforms among the 33 targeted institutions, expanding the scope beyond traditional banks. No file hashes, C2 IP addresses, or full lists of targeted institutions have been published from ZenoX's research as yet. Until ZenoX releases its full technical report, the nine documented evasion techniques and the complete target list remain the clearest gaps in the public picture of VENON's reach.