VENON Malware Emerges: First Rust-Based Brazilian Banking Trojan Targets Banks and Crypto Platforms

In February 2026, analysts from the ZenoX Threat Intelligence Team identified a previously undocumented malware strain during proactive threat hunting. They named it VENON after strings inside the binary that use that exact spelling.

Initial behavioral observations suggested similarities with Latin American banking trojans, particularly malware families such as Grandoreiro and Mekotio. The sample demonstrated features commonly used by these threats, including:

  • Banking page overlays
  • Monitoring of active application windows
  • Interaction with financial websites and banking sessions

However, deeper static analysis revealed a key technical difference. Unlike most banking trojans operating in Latin America, VENON is not written in Delphi. Instead, the entire binary is compiled in Rust, using 88 external crates identified through dependency analysis.

This report provides a full technical overview of the malware, including:

  • Infection chain
  • Command-and-control architecture
  • Malware capabilities
  • Anti-analysis techniques
  • Infrastructure indicators

The analysis required custom tooling, including a reimplementation of the Argon2id + XChaCha20-Poly1305 cryptographic pipeline used to protect the malware’s remote configuration.

During the investigation, the analysts raised the possibility that VENON is a Rust-based rewrite of an existing LATAM banking trojan, potentially Grandoreiro. The malware reproduces behavioral patterns historically seen in Delphi malware families, such as overlay logic and window monitoring, while the code itself has the structure of a fresh implementation. This combination led the analysts to suggest that the developer may have used AI-assisted code generation (“vibe coding”) to translate known attack logic into Rust.

Source: ZenoX

Evidence supporting AI-assisted development was also found in the command-and-control panel, which shows structural patterns consistent with AI-generated code.

At the time of publication, VENON appears to be the first Brazilian banking RAT implemented entirely in Rust, with a level of complexity approaching tooling typically associated with advanced threat groups.


Analysis Complexity

Compared to traditional Latin American banking trojans, VENON presents significantly greater reverse-engineering difficulty.

Malware families written in Delphi, such as Grandoreiro or Mekotio, typically contain:

  • Readable strings
  • Runtime type information (RTTI)
  • GUI resources

These elements make initial analysis relatively straightforward.

VENON, by contrast, introduces several layers of protection designed to complicate reverse engineering.

Table 1 – Key Analysis Barriers

Protection Layer                 | Description
Modified UPX packer              | Prevents automated unpacking; requires manual reconstruction of headers
Native Rust compilation          | Symbol mangling, lack of RTTI, no debug symbols
XOR string encryption            | 95 individual functions derive keys independently
Argon2id + XChaCha20-Poly1305    | Advanced encryption protecting configuration data
ChaCha20-Poly1305 for C2 traffic | Session-based encryption prevents passive monitoring
Anti-analysis mechanisms         | AMSI bypass, ETW bypass, indirect syscalls, anti-sandbox, screenshot blocking

Because no single analysis tool could bypass all protections, researchers created a multi-stage analysis pipeline.

Table 2 – Analysis Workflow

Phase   | Method                             | Outcome
Phase 1 | PE analysis + manual UPX unpacking | Extracted 9.3 MB DLL
Phase 2 | FLOSS string extraction            | 130k+ strings identified
Phase 3 | Ghidra reverse engineering         | 17k functions mapped
Phase 4 | Python + Capstone scripts          | Decrypted 92 XOR blocks
Phase 5 | Custom crypto implementation       | Remote configuration decrypted
Phase 6 | Functional classification          | 70+ features documented

The effort required to fully analyze VENON indicates a high level of development maturity. Malware requiring custom analysis tooling usually reflects a skilled developer and deliberate evasion strategy.


Infection Chain Overview

VENON uses an 11-stage infection process combining social engineering with layered evasion techniques.

Each stage is designed to bypass different security controls before executing the final payload.


Initial Access

The malware is delivered through DLL sideloading using a legitimate NVIDIA executable called:

NVIDIANotification.exe

The malicious DLL (libcef.dll) takes the place of the legitimate Chromium Embedded Framework library that the executable imports. Windows loads it because, in the default DLL search order, the application's own directory is searched before the system directories, and libcef.dll is not a protected KnownDLL.

The method used to place the executable and DLL on the victim’s system could not be confirmed with certainty. However, researchers observed concurrent ClickFix campaigns (fake browser-error or CAPTCHA pages that coax the user into pasting a command into the Run dialog or a terminal) distributing the same file pair.

Possible delivery vectors include:

  • phishing emails
  • fake websites imitating trusted services
  • sponsored advertisements

Execution of the dropper requires user interaction, meaning the attack relies on social engineering rather than software vulnerabilities.


Installation Stage

The dropper executes a heavily obfuscated batch script (~1.6 KB).

Important strings such as URLs, file paths, and commands are reconstructed at runtime through fragmented variables, preventing simple signature detection.

If the script is not running with administrative privileges, it relaunches itself elevated through PowerShell’s RunAs verb (the Start-Process -Verb RunAs pattern), which surfaces a UAC prompt the victim has to accept.


Defender Evasion

Before downloading the payload, the script adds a Windows Defender exclusion:

C:\ProgramData\USOShared\NuPLihaOH\

The directory name resembles Update Session Orchestrator (USO), a legitimate Windows component that genuinely uses C:\ProgramData\USOShared, so the exclusion blends in with real system paths. According to the analysts, a space within the folder name further complicates command-line detection.


Payload Download

The installer retrieves a ZIP archive from an AWS S3 bucket using PowerShell.

Inside the archive are:

  • NVIDIANotification.exe – legitimate signed NVIDIA binary
  • libcef.dll – malicious payload

The executable is renamed to: ®mjtgr.exe

The leading ® (U+00AE) character complicates referencing the file from command-line tools and forensic scripts that assume ASCII file names; hunts should match on the code point rather than on a typed name.


Persistence

Persistence is established through the Windows registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

An additional Defender exclusion is created for the renamed executable.

The script then deletes itself and forces a system reboot so that the Run-key entry launches the payload.
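The installer chain above leaves several command-line artifacts that endpoint telemetry (Sysmon Event ID 1, EDR process-creation events) records regardless of how the batch script obfuscates its own strings. The following Python is an added example, not code from the ZenoX report or from the malware: it runs a small rule set over constructed process-creation events modelled on the stages described above. Because the report does not quote the script's actual commands, the Add-MpPreference, reg add and schtasks forms, the hidden-window PowerShell relaunch and the sample paths are assumptions about how these actions would typically surface in logs; the scheduled-task rule anticipates the task named later in the Command and Control section.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1 style: image + command line).
# They are illustrative, not captured from a real VENON infection. The report does not quote
# the obfuscated batch script's commands, so the PowerShell/reg/schtasks forms below are
# assumptions about how the described actions would appear in telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\setup.bat"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Start-Process cmd.exe -ArgumentList '/c setup.bat' -Verb RunAs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\USOShared\NuPLihaOH\'"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d "C:\ProgramData\USOShared\NuPLihaOH\®mjtgr.exe" /f'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NVIDIA Notification Service" /tr "C:\ProgramData\USOShared\NuPLihaOH\®mjtgr.exe" /sc onlogon /rl highest /f'},
    # Benign: the real Update Session Orchestrator service, which must not fire any rule.
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s UsoSvc"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = [
    # Defender exclusion added from the command line for a path under ProgramData\USOShared.
    # The real USO component also lives there, so the rule requires the exclusion verb.
    Rule("defender_exclusion_usoshared",
         re.compile(r"Add-MpPreference\b.*-ExclusionPath\b.*ProgramData\\USOShared", re.I)),
    # Any Defender exclusion added via PowerShell, regardless of path (noisier, lower severity).
    Rule("defender_exclusion_any",
         re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    # Self-elevation: PowerShell Start-Process with the RunAs verb.
    Rule("powershell_runas_relaunch",
         re.compile(r"Start-Process\b.*-Verb\s+RunAs\b", re.I)),
    # HKCU Run-key persistence written with reg.exe.
    Rule("hkcu_run_persistence",
         re.compile(r"\breg(\.exe)?\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)),
    # Executable whose file name starts with U+00AE (®), as in the renamed sideloading host.
    Rule("nonascii_prefixed_exe",
         re.compile(r"\\®[^\\\"']*\.exe", re.I)),
    # Scheduled task named after NVIDIA that runs with highest privileges.
    Rule("schtask_nvidia_highest",
         re.compile(r"schtasks\b.*/tn\s+\"?NVIDIA Notification Service\"?.*/rl\s+highest", re.I)),
]


def evaluate(event: dict) -> list[str]:
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [r.name for r in RULES if r.pattern.search(cmd)]


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each command line to the rules it fires; events that match nothing are dropped."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        names = evaluate(ev)
        if names:
            hits[ev["cmdline"]] = names
    return hits


def chain_score(events: list[dict]) -> int:
    """Count the distinct rules fired across a set of events from one host.

    Several stages of the installer chain landing on one host in a short window is a much
    stronger signal than any single rule: Add-MpPreference or a Run key on their own are
    common in legitimate admin scripts."""
    fired = {name for ev in events for name in evaluate(ev)}
    return len(fired)


if __name__ == "__main__":
    for cmd, names in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(names):50s} <- {cmd}")
    print("distinct stages observed:", chain_score(SAMPLE_EVENTS))
```

The individual rules are deliberately loose so that renamed directories or different task names still hit the generic Defender-exclusion and Run-key rules; the chain score is what separates this installer from an administrator's script, and in a real deployment it would be computed per host over a time window rather than over a flat list.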


DLL Sideloading Execution

After reboot, the registry entry launches ®mjtgr.exe, which loads the malicious libcef.dll.

The process appears legitimate in Task Manager because the executable retains NVIDIA’s digital signature.

The DLL carries the standard DllMain entry point and exports the usual COM registration functions so that it looks like an ordinary in-process COM server:

  • DllRegisterServer
  • DllUnregisterServer
  • DllGetClassObject
  • DllCanUnloadNow

The malicious logic runs during DLL_PROCESS_ATTACH in DllMain, that is, as soon as the host process maps the library and before the host's own code ever calls into CEF.


Evasion Techniques

Before performing malicious operations, the malware activates nine anti-analysis techniques, including:

  • AMSI bypass
  • ETW bypass
  • NTDLL unhooking
  • indirect syscalls
  • thread hiding
  • anti-sandbox checks
  • anti-screenshot protection

One notable technique maps a clean copy of ntdll.dll from disk and overwrites the .text section of the loaded ntdll in memory with it, removing the inline hooks that EDR and monitoring tools install there.

For sensitive API calls, the malware builds indirect system calls, taking the syscall numbers from the on-disk ntdll rather than from the (possibly hooked) in-memory copy.

Additional protections include:

  • ThreadHideFromDebugger (set through NtSetInformationThread), which hides threads from an attached debugger
  • process DACL modification, restricting which other processes can open a handle to it
  • SetWindowDisplayAffinity, which makes its windows render black in screenshots and screen recordings

Remote Configuration Retrieval

The malware retrieves its configuration from: hxxps://storage.googleapis[.]com/mydns2026/startabril2026

If unavailable, it falls back to: hxxps://pluginsafeguard[.]help/ipv4/config.enc

Google Cloud Storage is likely used because enterprise networks rarely block it and the request blends in with legitimate traffic to the same host.

The configuration file is decrypted through three stages:

  1. Base64 decoding
  2. Argon2id key derivation
  3. XChaCha20-Poly1305 decryption

Key parameters include:

Password: L0@D_S3CR3T_K3Y_X9F2_PR0D_2024!
Salt: LOAD_SALT_2024!!

Because both the password and the salt are hardcoded in the binary, the scheme stops passive observers and automated scanners from reading the configuration, but not an analyst holding the sample: once the parameters are recovered, any future configuration file can be decrypted offline.

The decrypted JSON reveals the command-and-control domain.


Command and Control

After obtaining the configuration, the malware creates a scheduled task named: NVIDIA Notification Service

The task is triggered at logon and runs with highest privileges.

The malware connects to the C2 server via WebSocket over TLS 1.3. The messages themselves are additionally protected with session-based ChaCha20-Poly1305 encryption (listed as a separate layer in Table 1), so TLS interception alone does not yield plaintext traffic.

Each infected system is identified to the C2 by a value calculated as: SHA-256(ComputerName + VolumeSerial)
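The victim identifier formula can be turned around during incident response: if C2 logs or a sinkhole expose an identifier, it can be matched back to a host from an asset inventory. The Python below is an added example and not the malware's code or ZenoX's tooling. The report states only SHA-256(ComputerName + VolumeSerial) and does not say how the 32-bit volume serial is rendered before concatenation, so the four encodings tried here (upper and lower hex, dashed hex as `vol` prints it, decimal) are assumptions to be confirmed against a sample, and the hostnames and serials in the inventory are constructed.

```python
import hashlib


def candidate_ids(computer_name: str, volume_serial: int) -> dict[str, str]:
    """SHA-256(ComputerName + VolumeSerial) for several plausible serial encodings.

    The report gives only the formula. GetVolumeInformationW returns the serial as a
    32-bit DWORD, and the encodings below are assumptions about how a Rust implementation
    might turn it into text before concatenation; confirm against a live sample."""
    hex_upper = f"{volume_serial:08X}"          # e.g. 1A2B3C4D
    variants = {
        "hex_upper": hex_upper,
        "hex_lower": hex_upper.lower(),          # 1a2b3c4d
        "hex_dashed": f"{hex_upper[:4]}-{hex_upper[4:]}",  # 1A2B-3C4D, as `vol` displays it
        "decimal": str(volume_serial),           # 439041101, Rust's default u32 Display
    }
    return {
        name: hashlib.sha256((computer_name + encoded).encode("utf-8")).hexdigest()
        for name, encoded in variants.items()
    }


def match_host(observed_id: str, inventory: list[tuple[str, int]]):
    """Find the (computer_name, volume_serial) pair that produced an ID seen in C2 traffic.

    Returns (hostname, encoding_name) for the first match, or None. The encoding name tells
    the responder which rendering the sample actually uses, so later lookups can be narrowed."""
    target = observed_id.strip().lower()
    for name, serial in inventory:
        for variant, digest in candidate_ids(name, serial).items():
            if digest == target:
                return name, variant
    return None


# Constructed inventory: hostnames and serials are made up for the example.
INVENTORY = [
    ("WKS-FIN-01", 0x1A2B3C4D),
    ("WKS-FIN-02", 0x7E5F0001),
    ("SRV-FILE-01", 0x00C0FFEE),
]


if __name__ == "__main__":
    # Pretend the C2 logged this identifier; we want to know which machine it belongs to.
    observed = candidate_ids("WKS-FIN-02", 0x7E5F0001)["hex_dashed"]
    print("observed id :", observed)
    print("matched host:", match_host(observed, INVENTORY))
```

Real inventories can be exported from the asset database (hostname plus the serial of the system volume); one confirmed match fixes the encoding, after which the remaining identifiers can be resolved with a single hash per host.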


Banking Attack Mechanisms

VENON implements several banking attack techniques:

  • browser overlay injection
  • clipboard monitoring
  • cryptocurrency wallet targeting
  • banking website detection

A specific attack module targets the Itaú banking application.

Two VBScript modules embedded in the malware manipulate Windows shortcuts to redirect victims to attacker-controlled websites while keeping the original bank icon.

One script installs the malicious shortcut; the second restores the original when the operator commands it.


Monitored Financial Targets

VENON monitors 33 financial platforms, including:

Traditional Banks

  • Itaú Unibanco
  • Santander Brasil
  • Caixa Econômica Federal
  • Banco do Brasil
  • Nubank
  • Banco Inter
  • Sicredi
  • Banco Safra

Fintech Services

  • PagBank
  • PicPay
  • Mercado Pago

Cryptocurrency Platforms

  • Binance
  • Coinbase
  • Kraken
  • Bybit
  • Gemini
  • Mercado Bitcoin

Cryptocurrency Wallets

  • MetaMask
  • Trust Wallet
  • Phantom
  • Ledger Live

The malware activates attack routines when these services are detected through browser domains or window titles.


Rust-Based Banker RAT

The most unusual characteristic of VENON is its complete implementation in Rust.

While some malware families have experimented with Rust loaders, VENON is fully written in Rust from start to finish.

Key statistics:

  • 17,765 functions
  • 88 Rust crates
  • 9.3 MB DLL once unpacked (see Table 2)

This architecture differs from earlier malware such as Casbaneiro, which used Rust only for download components.


Latin American Banking Trojan Landscape

Latin America remains a major hotspot for banking malware.

According to ESET (2024):

  • 11 of the 30 most detected banking trojans originate from Brazil
  • Brazil accounts for 61% of detections in the region

Historically, most banking trojans in this ecosystem are written in Delphi, due to its ease of GUI development for overlay attacks.

VENON represents a significant shift toward modern programming languages.


Attribution Assessment

Attribution remains low confidence.

Although the malware shares operational patterns with known families such as Grandoreiro and Mekotio, the architecture is substantially different.


Hypothesis: AI-Assisted Malware Development

One notable theory proposed during the analysis is that the malware may have been developed with significant AI assistance.

The code structure shows a mixture of:

  • highly advanced cryptography
  • relatively simple control logic

The malware also reproduces behavioral patterns common in Delphi banking trojans but implemented in Rust.

This pattern is consistent with AI-assisted “vibe coding”, where developers use generative AI tools to translate existing logic into new languages.

If confirmed, VENON may represent one of the earliest cases of AI-assisted banking malware development in Latin America.


Developer Exposure

During analysis of an earlier malware sample, analysts discovered unremoved compilation paths.

These paths contained the username: byst4

Example path extracted from the binary: C:\Users\byst4\.cargo\registry\src\

The repeated presence of this username suggests the malware was compiled on a development system under a Windows user profile named byst4.


Indicators of Compromise (IOCs)

Domains

  • brasilmotorsvs14[.]com
  • lazybearpottery[.]net
  • digitalmoineyp[.]com
  • portalhondihs[.]com
  • pluginsafeguard[.]help (fallback configuration host)

Infrastructure

  • storage.googleapis[.]com (dead-drop configuration hosting: bucket mydns2026, object startabril2026)

The storage.googleapis[.]com host itself is legitimate Google infrastructure shared with countless benign services; alert on or block the full object URL rather than the domain.

Key Files

  • libcef.dll
  • NVIDIANotification.exe
  • ®mjtgr.exe
  • Itau_swap_install.vbs

Key Paths

C:\ProgramData\USOShared\NuPLihaOH\

Registry Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Conclusion

VENON represents a significant technical development within the Latin American banking malware ecosystem.

Key characteristics include:

  • complete Rust implementation
  • advanced encryption and evasion mechanisms
  • complex anti-analysis techniques
  • targeting of both traditional banks and cryptocurrency platforms

The malware demonstrates a level of sophistication rarely observed in regional banking trojans and may signal a shift toward modern programming languages and AI-assisted development in cybercrime operations.