
Rust-Based VENON Malware Targets 33 Brazilian Banks With Credential Theft Overlays

Ravie Lakshmanan | March 12, 2026 | Malware / Cybercrime

Cybersecurity researchers have disclosed details of a new Rust-based malware targeting Brazilian users, marking a significant departure from the other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.

The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by the Brazilian cybersecurity company ZenoX.

What makes VENON notable is that it shares behavior with well-known banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, particularly in features such as displaying banking overlays, monitoring the active window, and a shortcut (LNK) hijacking technique.

The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact, dating from January 2026, was found to expose full paths from the malware author's development environment. The paths repeatedly reference the Windows user name "byst4" (e.g., "C:\Users\byst4\…").

"The structure of VENON's code shows patterns that suggest a developer who knows the capabilities of Latin American banking trojans, but who used generative AI to rewrite and extend these functions in Rust, a language that requires significant technical knowledge to use at a recognized level of complexity," ZenoX said.

VENON is distributed through a sophisticated infection chain that uses DLL sideloading to launch a malicious DLL. The campaign is suspected to use ClickFix-style social engineering to trick users into downloading, via a PowerShell script, a ZIP archive containing the payload.

Once extracted, the DLL performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, and ETW and AMSI bypasses, before starting any malicious activity. It also retrieves its configuration from a Google Cloud Storage URL, installs a scheduled task, and establishes a WebSocket connection to the command-and-control (C2) server.

Also extracted from the DLL are two Visual Basic Script blocks that implement the shortcut hijacking, which specifically targets the Itaú banking application. The components work by replacing legitimate system shortcuts with obfuscated versions that redirect the victim to a web page under the threat actor's control.

The malware also supports a removal step that undoes these changes, suggesting that the operator can remotely trigger the function to restore the original shortcuts and cover their tracks.
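The shortcut hijacking described above leaves a concrete artifact on disk, so it is a natural place for a defender-side check. The following Python is an added example, not ZenoX's tooling or anything taken from VENON: it parses the fixed header and the StringData section of the MS-SHLLINK (.lnk) format, skips the optional LinkTargetIDList and LinkInfo blocks, and flags shortcuts whose target is a script host, whose arguments carry a URL, or whose icon is borrowed from a different executable than the one actually launched. The sample shortcuts, file names and URL in it are constructed for the demonstration and are not indicators from the report.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a check for shortcut hijacking:
a shortcut that keeps a banking app's icon but now launches a script host
with a URL or script in its arguments. Added example, not ZenoX or VENON
code; the sample shortcuts below are constructed, not real IoCs."""
import struct

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags (MS-SHLLINK section 2.1.1), low byte only
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in this fixed order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData; LinkTargetIDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + item list
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def hijack_indicators(fields: dict) -> list:
    """Return human-readable reasons this shortcut looks hijacked (empty list = clean)."""
    hits = []
    target = _basename(fields.get("relative_path", ""))
    args = fields.get("arguments", "")
    icon = _basename(fields.get("icon_location", ""))
    if target in SCRIPT_HOSTS:
        hits.append(f"target is a script host: {target}")
    if "http://" in args.lower() or "https://" in args.lower():
        hits.append("arguments contain a URL")
    if icon.endswith(".exe") and target and icon != target:
        hits.append(f"icon borrowed from {icon} but launches {target}")
    return hits


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Build a minimal valid .lnk carrying only StringData (constructed sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, sizes left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon) if s)
    return header + body


# Constructed samples: a clean shortcut and one rewritten in the style the article describes
CLEAN_LNK = build_lnk(r".\BankApp.exe", icon=r"C:\Program Files\BankApp\BankApp.exe")
HIJACKED_LNK = build_lnk(
    r"..\..\..\Windows\System32\wscript.exe",
    arguments=r'//B //E:VBScript "%APPDATA%\launcher.vbs" https://login.example.invalid/',
    icon=r"C:\Program Files\BankApp\BankApp.exe",
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LNK), ("hijacked", HIJACKED_LNK)):
        print(label, hijack_indicators(parse_lnk(blob)) or "no indicators")
```

Real shortcuts usually carry their absolute target in the LinkInfo block (LocalBasePath) and in the ID list rather than only in RelativePath, so on a live host this check should be extended to read LocalBasePath or be fed by a full parser; a hunting sweep would then walk the Desktop, Start Menu and Quick Launch folders and diff the results against a known-good baseline, which also catches the restore step the article mentions if shortcuts flip back to clean between scans.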

In total, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the active window title and the foreground browser, triggering its actions only when one of the targeted applications or websites is opened, and then displaying a fake overlay to facilitate information theft.

The disclosure comes amid campaigns in which threat actors are exploiting WhatsApp's ubiquity in Brazil to spread a worm called SORVEPOTEL through the desktop web version of the messaging platform. The attack relies on abusing pre-authorized conversations to deliver malicious lures directly to victims, leading to the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.

"A single WhatsApp message delivered through a hijacked SORVEPOTEL session was enough to drag the victim through a series of multiple stages that eventually led to Astaroth being fully encrypted," Blackpoint Cyber said.

"The combination of automated local tools, unattended browser drivers, and user-readable runtimes has created an unusually enabling environment, allowing both the worm and the final payload to find themselves with minimal friction."
