Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Researchers disclosed VENON, a Rust-written banking trojan targeting Brazilian Windows users that borrows overlay, active window monitoring, and LNK hijacking techniques from Latin American families like Grandoreiro, Mekotio, and Coyote. The campaign uses DLL side-loading, nine evasion techniques, Google Cloud Storage-hosted configs, and Itaú-specific shortcut hijacking, and it has links to WhatsApp-distributed SORVEPOTEL lure chains.

Key points

  • VENON is a newly disclosed banking trojan written in Rust and aimed at Brazilian Windows users.
  • It implements banking overlay logic, active window monitoring, and shortcut (LNK) hijacking similar to Grandoreiro, Mekotio, and Coyote.
  • Distribution leverages DLL side-loading and social engineering (ZIP/PowerShell lures), with configs pulled from Google Cloud Storage and a WebSocket C2 channel.
  • The malware employs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, and AMSI bypass.
  • It targets 33 financial institutions and digital asset platforms and includes an Itaú-specific shortcut hijack with a removable uninstall capability.

Read More: https://thehackernews.com/2026/03/rust-based-venon-malware-targets-33.html