VENON is a Rust-based banking remote access trojan (RAT) that specifically targets 33 Brazilian financial institutions and cryptocurrency platforms, representing a significant evolution in Latin American banking malware development. The VENON campaign targets users across Brazil's financial services, cryptocurrency, banking, and government sectors on Windows platforms, deploying through phishing emails, fake websites that imitate legitimate portals, and sponsored online advertisements. Unlike most malware used in the Latin American cybercrime ecosystem, which is typically written in Delphi, VENON is built entirely in Rust, with evidence suggesting that AI-assisted development was used to rewrite classic Latin American banking trojan functionality from legacy Delphi code into Rust.
The VENON malware employs advanced evasion and persistence techniques, including DLL sideloading via a legitimate NVIDIA binary named NVIDIANotification.exe, nine distinct anti-analysis evasion techniques to avoid detection by security software, TLS-encrypted WebSocket command-and-control communications, and credential-stealing banking overlays that capture login details when victims access targeted financial platforms. The targeted platforms include major Brazilian banks such as Itaú Unibanco, Santander Brasil, Caixa Econômica Federal, Banco do Brasil, and Nubank; fintech services including PicPay, Mercado Pago, and PagBank; cryptocurrency exchanges including Binance, Coinbase, Kraken, Bybit, and Mercado Bitcoin; and cryptocurrency wallets including MetaMask, Trust Wallet, Phantom, Ledger Live, and Rabby Wallet.
The VENON malware also deploys specialized VBScript-based shortcut hijacking specifically targeting the Itaú banking application, replacing legitimate desktop shortcuts with altered versions that redirect victims to attacker-controlled web pages while preserving the official bank icon to avoid suspicion. Once executed on a victim system, VENON establishes persistence through Windows Registry Run keys and scheduled tasks, communicates with command-and-control servers through encrypted WebSocket traffic over TLS using Rust networking libraries, and monitors activity across all 33 targeted banking and digital-asset platforms to deploy credential-stealing overlays when victims access these financial services.
VENON is a banking malware campaign that specifically targets users in Brazil, representing a significant departure from traditional Latin American cybercrime malware development practices. Unlike most malware used in the Latin American cybercrime ecosystem, which is typically written in the Delphi programming language, VENON is built entirely in Rust, demonstrating a technological evolution in regional threat actor capabilities. The malware spreads through multiple distribution vectors, including phishing emails, fake websites that imitate legitimate financial institution portals, and sponsored online advertisements designed to attract victims.
Infection begins when a victim downloads a seemingly legitimate installer package containing a trusted executable named NVIDIANotification.exe. The VENON malware abuses the Windows DLL search order mechanism to load a malicious file named libcef.dll in place of the legitimate Chromium Embedded Framework library that the application would normally load. No software vulnerability is exploited; the compromise relies entirely on the victim launching the malicious installer after social engineering.
Once the malicious installer is executed by the victim, a small obfuscated batch script activates that dynamically rebuilds hidden commands, file paths, and URLs during runtime to avoid signature-based detection by antivirus software. The batch script automatically restarts itself with administrator privileges using PowerShell commands, then adds a security exclusion in Microsoft Defender Antivirus to prevent the malware from being detected and removed. The script downloads a ZIP file from Amazon Web Services cloud storage, extracts the legitimate NVIDIA executable alongside the malicious DLL file, and creates a Windows Registry Run key to maintain persistence across system reboots.
Following these installation steps, the batch script deletes itself to remove evidence of the initial infection and forces an immediate system reboot within seconds. After the system restart, the Registry Run key automatically launches the NVIDIA program, the malicious DLL loads through the sideloading technique, and the original infection evidence has completely disappeared from the system, making forensic investigation more difficult.
The VENON malware then activates a sophisticated chain of defensive evasion techniques designed to avoid detection by security software and analysis by researchers. The malware bypasses the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) security mechanisms, replaces the in-memory code of the Windows library ntdll.dll with a clean version loaded from disk to avoid detection hooks, and executes system calls indirectly to avoid security monitoring and behavioral analysis.
Additional evasion capabilities include hiding threads from debuggers to hinder reverse engineering, blocking external processes from accessing its memory space so that analysis tools cannot examine the malware, performing sandbox detection checks to identify whether it is running in a virtual analysis environment, preventing screenshots of its window to hinder documentation by analysts, and checking whether Windows Defender security identifiers are present on the system to detect security software.
The VENON malware establishes long-term persistence by creating a scheduled task named “NVIDIA Notification Service” that runs at user logon with elevated privileges, ensuring the malware continues operating even after system restarts. Communication with the attacker’s command-and-control server occurs through encrypted WebSocket traffic over TLS 1.3 using Rust networking libraries, providing secure and resilient communications that blend with legitimate encrypted web traffic. Each infected system is uniquely identified through a hardware fingerprint derived from the computer name and disk serial number, allowing threat actors to track individual victims across their infrastructure.
VENON focuses specifically on financial theft by monitoring user activity across 33 Brazilian banking and digital-asset platforms. The malware continuously watches active window titles and browser domain names to detect when victims access targeted financial services. When a victim navigates to a targeted banking site or launches a targeted banking application, VENON deploys credential-stealing overlays designed to capture login credentials including usernames, passwords, and authentication tokens.
The VENON campaign also includes a specialized attack module targeting the Itaú banking application. Two embedded VBScript files work together to replace legitimate desktop shortcuts for the Itaú banking application with altered versions that redirect victims to attacker-controlled web pages designed to steal credentials, while preserving the official bank icon to avoid raising suspicion. A remote restoration script allows threat operators to revert these changes later, helping conceal the compromise and extend the operational lifespan of the malware.
Deploy detection rules to identify NVIDIANotification.exe or renamed variants, particularly those using Unicode characters like the registered trademark symbol, executing from non-standard directories such as C:\ProgramData\USOShared. Alert on any instance of libcef.dll being loaded from ProgramData paths rather than legitimate Chromium or NVIDIA installation directories, as this indicates potential VENON malware activity.
Regularly review and audit Windows Defender exclusion paths configured via the Add-MpPreference PowerShell cmdlet. Flag any security exclusions under C:\ProgramData\USOShared\ or similar paths that mimic legitimate Windows Update directories. Unauthorized exclusions should be immediately removed and investigated as potential indicators of compromise.
Monitor the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key for newly created entries, especially those referencing executables with Unicode characters in their filenames or located in non-standard directories. Correlate registry modifications with process creation events for enhanced detection confidence and faster incident response.
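As an added illustration of the three host-based detection recommendations above (not code from the advisory or from Zenox AI), the following Python applies the file-name, DLL-load and Run-key heuristics to constructed sample events; the simplified Sysmon-like event shape, the trusted install roots and the sample paths are assumptions to be tuned per environment.

```python
import ntpath

# Constructed sample telemetry in a simplified Sysmon-like shape (id 1 = process
# create, 7 = image load, 13 = registry value set). Not real logs from the advisory.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\ProgramData\\USOShared\\NVIDIANotification\u00ae.exe"},
    {"id": 1, "image": "C:\\Program Files\\NVIDIA Corporation\\NVIDIANotification.exe"},
    {"id": 7, "image": "C:\\ProgramData\\USOShared\\NVIDIANotification\u00ae.exe",
     "loaded": "C:\\ProgramData\\USOShared\\libcef.dll"},
    {"id": 7, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "loaded": "C:\\Program Files\\Google\\Chrome\\Application\\libcef.dll"},
    {"id": 13, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NVIDIA",
     "details": "C:\\ProgramData\\USOShared\\NVIDIANotification\u00ae.exe"},
    {"id": 13, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

# Assumed legitimate install roots for the NVIDIA binary and libcef.dll; tune per estate.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
PROGRAMDATA = "c:\\programdata\\"

def has_non_ascii(name: str) -> bool:
    # Catches lookalike names carrying the registered-trademark symbol or similar.
    return any(ord(c) > 127 for c in name)

def ascii_fold(name: str) -> str:
    # Strip non-ASCII so the decorated name compares as plain nvidianotification.exe.
    return "".join(c for c in name if ord(c) < 128).lower()

def check_event(ev: dict) -> list[str]:
    hits = []
    if ev["id"] == 1:  # process creation: NVIDIA binary with odd name or odd location
        name = ntpath.basename(ev["image"])
        odd = has_non_ascii(name) or not ev["image"].lower().startswith(TRUSTED_ROOTS)
        if ascii_fold(name) == "nvidianotification.exe" and odd:
            hits.append("suspicious NVIDIANotification.exe: " + ev["image"])
    elif ev["id"] == 7:  # image load: libcef.dll pulled from ProgramData
        dll = ev["loaded"]
        if ntpath.basename(dll).lower() == "libcef.dll" and dll.lower().startswith(PROGRAMDATA):
            hits.append("libcef.dll sideload candidate: " + dll)
    elif ev["id"] == 13 and ev["key"].lower().startswith(RUN_KEY):  # HKCU Run persistence
        exe = ev["details"]
        if has_non_ascii(ntpath.basename(exe)) or exe.lower().startswith(PROGRAMDATA):
            hits.append("suspicious Run key: " + ev["key"])
    return hits

def scan(events: list[dict]) -> list[str]:
    return [hit for ev in events for hit in check_event(ev)]
```

Running scan(SAMPLE_EVENTS) flags the three USOShared-related events and leaves the legitimate NVIDIA, Chrome and OneDrive entries alone; correlating the Run-key hit with the matching process-creation hit is the confidence boost the recommendation above describes.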
Deploy network monitoring capabilities capable of identifying WebSocket connections to unknown or recently registered domains. Since VENON uses WebSocket over TLS 1.3 for command-and-control communication, TLS inspection or DNS-based detection of command-and-control domains is critical for achieving visibility into malware communications that would otherwise be completely encrypted.
Implement endpoint detection and response rules to detect AMSI bypass attempts, ETW patching activities, ntdll .text section overwrites from disk, indirect syscall construction, and ThreadHideFromDebugger flag usage. These specific behaviors are strong indicators of advanced malware evasion activity and warrant immediate investigation.
For organizations with Brazilian banking exposure or Brazilian employees, monitor for unauthorized modifications to .lnk shortcut files associated with the Itaú banking application across user desktops, Start Menu directories, and public desktop directories. Alert on VBScript execution via wscript.exe that accesses or modifies shortcut files targeting banking applications, as this indicates potential VENON shortcut hijacking activity.
The threat advisory includes comprehensive indicators of compromise associated with the VENON banking trojan campaign, including malicious domains, command-and-control URLs hosted on Amazon Web Services and Google Cloud Platform storage, IPv4 addresses of attacker infrastructure, file paths used for malware installation in the C:\ProgramData\USOShared\ directory, registry keys used for persistence, filenames including libcef.dll and VBScript files, MD5 hashes, and SHA256 hashes of malware samples. Organizations should integrate these indicators into their security monitoring systems, endpoint detection platforms, and network security devices to identify potential VENON activity.
The VENON banking trojan campaign employs multiple tactics and techniques mapped to the MITRE ATT&CK framework. Initial access is achieved through phishing. Execution relies on the PowerShell and Visual Basic command and scripting interpreters alongside malicious file user execution. Persistence is gained through registry run keys and scheduled tasks, and privilege escalation through bypassing user account control. Defense evasion covers DLL hijacking, impairing defenses by disabling security tools, obfuscated files and information, masquerading with legitimate names and locations, indicator removal through file deletion, debugger evasion, virtualization and sandbox evasion, and native API abuse. Command and control uses application layer protocols over web protocols with encrypted channels using symmetric cryptography, and web service abuse with dead drop resolvers and dynamic resolution. Collection targets clipboard data and screen captures, and impact takes the form of data manipulation of transmitted data.
The threat advisory references security research from Zenox AI documenting VENON as the first Brazilian banking RAT built in Rust. This reference provides additional technical depth and analysis for security teams investigating VENON activity or implementing defensive measures against Brazilian banking trojans.