{
	"id": "425512ca-c6e7-4665-af1f-6ed2c139930e",
	"created_at": "2026-04-06T00:06:10.20159Z",
	"updated_at": "2026-04-10T03:36:47.682822Z",
	"deleted_at": null,
	"sha1_hash": "9e74980b76abaaeee1ec83328102d13740cefa22",
	"title": "VENON: The First Brazilian Banker RAT in Rust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701397,
	"plain_text": "VENON: The First Brazilian Banker RAT in Rust\r\nBy ZenoX Team\r\nPublished: 2026-03-10 · Archived: 2026-04-05 13:05:03 UTC\r\nIntroduction\r\nIn February 2026, the ZenoX threat intelligence team identified an unknown malware family during hunting activity,\r\ninternally classified as VENON due to references in the code (spelled with an N). The sample was initially flagged for\r\nbehavior consistent with Latin American banking trojans, particularly the use of banking overlays and active window\r\nmonitoring, characteristics present in established families such as Grandoreiro and Mekotio.\r\nThe fundamental difference emerged during static analysis: unlike all known families in the Latin American ecosystem,\r\nVENON does not contain a single line of Delphi code. The binary is compiled entirely in Rust, with 88 external\r\ndependencies identified from Crates.\r\nThis report documents the results of the technical analysis conducted by the ZenoX Research Team, covering the complete\r\ninfection chain, malware capabilities, command-and-control infrastructure, and attribution indicators identified during the\r\ninvestigation process. The analysis required building custom tooling and reimplementing the Argon2id + XChaCha20-\r\nPoly1305 pipeline used to protect the remote configuration.\r\nDuring analysis, the team raised the hypothesis that VENON may essentially be an AI-assisted Vibecoding refactor of an\r\nalready-established banking trojan in the region, possibly Grandoreiro itself, rewritten from scratch in Rust. 
The fidelity with which classic functional patterns from the Delphi ecosystem, such as the overlay logic, window monitoring, and swap mechanisms, were reproduced in a completely different systems language suggests the author did not start from an original conception, but from a known behavioral base, using generative AI to perform the technical translation.\r\nAdditional evidence of AI use was identified in the operator’s own infrastructure: the C2 panel code exhibits AI-assisted generation patterns consistent with what the security community has termed vibe coding, reinforcing the hypothesis that the entire operation, from malware to backend, was built with extensive AI tooling assistance.\r\nAs of this publication, ZenoX has not identified any other banking trojan in the Brazilian or Latin American ecosystem with this technical profile. VENON represents, possibly, the first appearance of a Brazilian banker RAT developed entirely in Rust, with a level of sophistication comparable to tools used by known APT groups.\r\nAnalysis Complexity\r\nVENON presents a level of static analysis difficulty significantly greater than traditional Latin American banking trojans. While Delphi malware like Grandoreiro or Mekotio can be examined with relative ease, with readable strings, exposed RTTI, and identifiable visual components, VENON combines multiple layers of protection that make each step of the reverse engineering process a distinct technical challenge.\r\nFor an analyst familiar with Delphi trojans, where an x64dbg session reveals strings like “Banco do Brasil” or “Itau” within the first minutes, VENON demands an investment of time and tooling an order of magnitude greater.\r\nhttps://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/\r\nPage 1 of 17\r\n
Barrier | Detail\r\nUPX with modified headers | Prevents automatic decompression; requires manual header reconstruction before processing the binary\r\nNative Rust compilation | Functions with mangled names, 88 crates, no RTTI or debug symbols\r\nXOR encryption with 95 unique functions | Each sensitive string is decrypted by a different key derivation function; there is no reusable global key\r\nArgon2id + XChaCha20-Poly1305 | State-of-the-art encryption for the remote config; requires reimplementing the KDF parameters to decrypt\r\nChaCha20-Poly1305 in C2 | C2 traffic encrypted per session via ring-0.17.14; passive inspection is not possible without the session key\r\n9 active anti-analysis techniques | AMSI Bypass, ETW Bypass, ntdll overwrite, indirect syscalls, thread hiding, DACL, anti-sandbox, anti-screenshot, and Defender SID Check\r\nTable 1 – Analysis Barriers\r\nNo single tool was sufficient to cover all protection layers. The analysis required building a six-phase pipeline, each feeding the next with the information needed to advance:\r\nPhase | Tool / Technique | Result\r\nPhase 1 | DIE/PE Analysis + manual UPX decompression | libcef.dll unpacked (9.3 MB)\r\nPhase 2 | FLOSS v3.1.1 | 130,749 static strings + 41,799 Rust strings extracted; automatic deobfuscation disabled by binary density\r\nPhase 3 | Ghidra 12.0.4 Headless | 17,765 functions identified; 500 functions of interest decompiled; 143,093 lines of decompiled C generated\r\nPhase 4 | Python + Capstone | 95 XOR blocks processed; 92 successfully deciphered (96.8% coverage)\r\nPhase 5 | Reimplementation of Argon2id KDF + XChaCha20-Poly1305 | Remote config decrypted; C2 host confirmed\r\nPhase 6 | Categorization of 143,093 decompiled lines | 14 functional groups mapped, 70+ features documented, Rust modules reconstructed\r\nTable 2 – Analysis Pipeline Adopted\r\nThe level of effort required to analyze VENON is itself a metric of the artifact’s sophistication. A trojan that requires building custom analysis tools is not ordinary malware. It is an artifact that reflects advanced technical competence from its author and significantly raises the analysis cost for any incident response or threat intelligence team.\r\n
Infection Chain\r\nVENON’s infection chain is structured in eleven sequential phases, combining social engineering, multiple evasion layers, and a sophisticated payload delivery mechanism. The campaign demonstrates considerable technical planning, with each phase designed to overcome specific security controls before advancing to the next.\r\nInitial Vector\r\nThe confirmed entry vector is DLL sideloading via the legitimate NVIDIANotification.exe installer: the malicious libcef.dll is loaded in place of the legitimate Chromium Embedded Framework by exploiting the Windows DLL search order, which prioritizes the executable’s directory. The initial delivery mechanism for the NVIDIANotification.exe + libcef.dll pair to the victim’s system was not, however, determined with high confidence during this analysis.\r\nIt is worth noting that during the period of sample identification, ZenoX observed a significant increase in ClickFix campaigns using NVIDIANotification.exe as the final payload, where the victim is socially engineered into executing a command that downloads and activates the file pair. The correlation between the analyzed artifact and this distribution vector is plausible and is being investigated, but it was not possible to confirm it with sufficient confidence to include it as a definitive finding in this report.\r\nThe infection chain analysis documented in this report begins from the moment the NVIDIANotification.exe + libcef.dll pair is already present on the victim’s system.\r\nDistribution occurs via phishing emails, fake pages mimicking legitimate portals, or sponsored ads. In all scenarios, dropper execution depends entirely on voluntary victim action; no technical exploit is required at this stage.\r\nInstall via PowerShell\r\nObfuscated batch file of ~1.6 KB. Critical strings (URLs, paths, commands) are reconstructed at runtime by concatenating fragmented variables, avoiding static signature detection.\r\nThe script relaunches itself with RunAs via PowerShell if not running as administrator.\r\nFigure 1 – Privilege Escalation\r\nAdds C:\\ProgramData\\USOShared\\ NuPLihaOH\\ as a Defender exclusion via Add-MpPreference before the download. The parent directory mimics the Update Session Orchestrator; the space in the subfolder name impedes command-line searches.\r\nFigure 2 – Defender exclusion\r\nZIP obtained from S3 bucket via Invoke-WebRequest, with URL dynamically constructed by variable fragmentation.\r\nFigure 3 – Payload download\r\nThe ZIP contains NVIDIANotification.exe (signed NVIDIA binary) and libcef.dll (malware). The executable is renamed to ®mjtgr.exe; the character ® (U+00AE) in the prefix impedes references via CLI and forensic tools.\r\nFigure 4 – Extraction and Renaming\r\nRun key added at HKCU\\…\\Run; individual exclusion created for ®mjtgr.exe.\r\nFigure 5 – Persistence + second exclusion\r\nScript self-deletes via (goto) 2\u003enul \u0026 and forces reboot in 3 seconds (shutdown /r /t 3 /f), activating the run key and eliminating evidence of the entry vector.\r\nFigure 6 – Self-deletion and reboot\r\nDLL Sideloading\r\nAfter reboot, Windows executes ®mjtgr.exe via the run key. Since the Windows DLL search order prioritizes the executable’s directory, the malicious libcef.dll is loaded in place of the legitimate Chromium Embedded Framework.\r\nThe process appears in Task Manager with the NVIDIA name and digital signature. The DLL exports the standard functions of a COM object (DllCanUnloadNow, DllGetClassObject, DllMain, DllRegisterServer, DllUnregisterServer) to mimic a legitimate DLL; all malicious code resides in the DLL_PROCESS_ATTACH branch of DllMain.\r\nInitialization and Evasion\r\nUpon loading, the DLL executes nine evasion techniques in sequence before initiating any malicious activity.\r\nThe most sophisticated technique in this phase is the overwrite of the .text section of ntdll.dll in memory with the clean version read from disk.\r\nFigure 7 – ntdll .text Overwrite\r\nFor sensitive operations, the malware implements indirect syscalls: syscall numbers are read directly from ntdll on disk and stubs are constructed in memory, bypassing any hook that could be reinstalled. Finally, it applies thread hiding via NtSetInformationThread with the flag ThreadHideFromDebugger, modifies the process’s own DACL to deny external access, and sets SetWindowDisplayAffinity on the overlays so that screenshots show only a black screen.\r\nFigure 8 – ThreadHideFromDebugger + DACL Protection\r\n
Remote Config Fetch\r\nThe config thread makes a GET request to hxxps://storage.googleapis[.]com/mydns2026/startabril2026, with fallback to hxxps://pluginsafeguard[.]help/ipv4/config.enc. Google Cloud Storage is used as the primary channel because it is rarely blocked by corporate firewalls.\r\nThe response goes through three decryption layers: Base64 decode, followed by key derivation via Argon2id (m=19456 KiB, t=2, p=1) with password L0@D_S3CR3T_K3Y_X9F2_PR0D_2024! and salt LOAD_SALT_2024!!, and finally XChaCha20-Poly1305 decryption with a 24-byte nonce extracted from the beginning of the blob. The result is a JSON containing the C2 address: {“host”:”brasilmotorsvs14[.]com”}.\r\nEarlier versions of this RAT used AES-256-CBC with SHA-256 and a zero IV, which is significantly weaker. The migration to Argon2id and XChaCha20-Poly1305 reflects deliberate technical evolution between versions.\r\nFigure 9 – XOR Decrypt Secret Key + Salt\r\nPersistence and C2\r\nAfter obtaining the configuration, the malware installs a Scheduled Task named “NVIDIA Notification Service” with trigger AtLogOn and maximum run level, replacing the WMI Event Subscription mechanism used in earlier versions. The WebSocket connection to the C2 is established under TLS 1.3 with the ChaCha20-Poly1305 cipher via tungstenite and rustls. Each victim is identified by a HardwareID calculated as the SHA-256 of the computer name concatenated with the volume serial.\r\n
Itaú Swap\r\nIn addition to the attack mechanisms via banking overlay and clipboard manipulation, VENON deploys two VBScript code blocks extracted directly from libcef.dll. These blocks implement a shortcut hijacking mechanism targeting the Itaú Application, replacing legitimate system shortcuts with tampered versions that redirect the victim to a web page under operator control, preserving the bank’s original icon to avoid suspicion.\r\nThis is a VB module exclusive to Itaú; no custom scripts like this were found for other banks and targets.\r\nThe attack is operated in two distinct stages: install, which performs shortcut substitution, and uninstall, which reverts the modifications. The presence of the second block indicates the mechanism is controllable via C2, allowing the operator to restore shortcuts before ending the session or upon detecting signs of investigation.\r\nBlock 1: Install\r\nThe install script is responsible for locating and tampering with all Itaú Application shortcuts present on the victim’s machine. Execution follows four main steps:\r\nMicrosoft Edge Path Resolution: the script queries the registry at HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msedge.exe. If the key is absent, it tries the WOW6432Node alternative path, then directly checks the standard installation paths under Program Files (x86) and Program Files. If Edge is not found by any method, the script writes -2 to the result file and exits without making modifications.\r\nTarget Location Enumeration: the script defines an array of eight file-system locations where Itaú shortcuts may exist.\r\nItaú Shortcut Identification: for each .lnk found in the target locations, the script opens the shortcut via WScript.Shell.CreateShortcut and checks whether the TargetPath contains any of the strings itauaplicativo.exe, aplicativo itau or itauaplicativo. The comparison is done in lowercase to ensure case-insensitivity.\r\nFigure 10 – Itaú Shortcut Identification\r\nShortcut Substitution and Icon Preservation: shortcuts identified as Itaú have their TargetPath replaced with the msedge.exe path resolved earlier, and their Arguments set to hxxps://www.itau.com[.]br/empresas. The WorkingDirectory is cleared. Critically, the IconLocation is preserved if present, making the shortcut visually identical to the original. The number of modified shortcuts is written to the result file.\r\nVariable / Folder | Expanded Path (example)\r\nDesktop (user) | %USERPROFILE%\\Desktop\r\nDesktop (public) | %PUBLIC%\\Desktop\r\nStartMenu\\Programs | %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\r\nStartMenu\\Programs\\Itau | …\\Programs\\Itau\r\nStartMenu\\Programs\\Aplicativo Itau | …\\Programs\\Aplicativo Itau\r\nAllUsersPrograms | %ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\r\nAllUsersPrograms\\Itau | …\\Programs\\Itau\r\nAllUsersPrograms\\Aplicativo Itau | …\\Programs\\Aplicativo Itau\r\nTable 1 – Locations enumerated by the VBS script\r\nBlock 2: Uninstall / Restore\r\nThe second block implements the inverse operation: it identifies previously tampered shortcuts and restores them to the original Itaú Application executable. The identification logic is distinct from Block 1 and is based on artifacts left by the modification, not on the original shortcut attributes.\r\nThe script resolves the path to the legitimate Itaú executable by checking two possible installation locations: %USERPROFILE%\\AppData\\Local\\Aplicativo Itau\\itauaplicativo.exe and %USERPROFILE%\\AppData\\Local\\ItauAplicativo\\itauaplicativo.exe. If neither is found, it uses the first path as a fallback. This suggests the operator can trigger the uninstall even on machines where the application is not installed, possibly to cover tracks before the victim notices the tampering.\r\nThe IsModifiedItauShortcut function identifies tampered shortcuts by checking whether the TargetPath points to msedge.exe, microsoft-edge, chrome.exe or firefox.exe, in combination with Arguments containing the string itau.com.br. The inclusion of Chrome and Firefox as detection criteria indicates the operator may have attack variants using other browsers, or that the criterion was designed to be robust against future variations of Block 1.\r\nIdentified shortcuts have their TargetPath restored to the Itaú executable, their Arguments cleared, and their IconLocation reset to itauaplicativo.exe,0 if the file exists on disk. The count of restored shortcuts is written to the result file, suggesting the C2 monitors the operation’s success.\r\n
Monitored Targets\r\nVENON monitors 33 financial institutions and digital asset platforms, distributed across six categories. Monitoring is performed via window title and active browser domain checks, activating attack mechanisms upon detecting any of the targets below.\r\n# | Institution | Monitored Domain\r\n1 | Itaú Unibanco | itau.com.br\r\n3 | Santander Brasil | santander.com.br\r\n4 | Caixa Econômica Federal | caixa.gov.br\r\n5 | Banco do Brasil | bb.com.br\r\n6 | Nubank | nubank.com.br\r\n7 | Banco Inter | bancointer.com.br\r\n9 | Sicoob | (string partially decoded; confirmed via title “- sicoob”)\r\n10 | Sicredi | sicredi.com.br\r\n11 | Banco Original | original.com.br\r\n12 | Banco Safra | safra.com.br\r\nTable 1 – Traditional Banks\r\n# | Institution | Monitored Domain\r\n13 | BTG Pactual | btgpactual.com\r\nTable 2 – Investment Bank\r\n# | Institution | Domain / Identifier\r\n14 | PagBank / PagSeguro | pagseguro.uol.com.br\r\n15 | PicPay | picpay.com\r\n16 | Mercado Pago | mercadopago.com.br\r\n17 | Bling ERP | (window title: “bling erp”)\r\nTable 3 – Fintech / Payments\r\n# | Institution | Monitored Domain\r\n18 | Receita Federal | receita.fazenda.gov.br, gov.br/receitafederal\r\nTable 4 – Government\r\n# | Platform | Monitored Domain\r\n19 | Binance | binance.com\r\n20 | Coinbase | coinbase.com\r\n21 | Kraken | kraken.com\r\n22 | Bybit | bybit.com\r\n23 | Mercado Bitcoin | mercadobitcoin.com\r\n24 | Foxbit | foxbit.com\r\n25 | Gemini | gemini.com\r\n26 | Nexo | nexo.com\r\n27 | Ripio | ripio.com\r\nTable 5 – Exchanges and Crypto\r\n# | Platform | Identifier\r\n28 | MetaMask | (window title: “metamask”)\r\n29 | Trust Wallet | (window title: “trust wallet”)\r\n30 | Phantom | phantom.app\r\n31 | Ledger Live | ledger.com\r\n32 | Rabby Wallet | rabby.io\r\n33 | Cake DeFi | app.cakedefi\r\nTable 6 – Crypto Wallets\r\nDuring the initial analysis phases, the ZenoX team identified numerous behavioral similarities with established families in the Latin American ecosystem, particularly Grandoreiro: use of banking overlays for visual interception, active window monitoring, registry-based persistence mechanisms, and a command-and-control structure with remote operation capability. At first glance, the artifact appeared to be yet another representative of the classic LATAM banking trojan paradigm.\r\nThe fundamental difference emerged during static analysis: unlike all known families in the region, VENON does not contain a single line of Delphi code. The entire binary is compiled from Rust, with 88 crates identified in Cargo.lock and 17,765 functions. This is not merely a Rust loader delivering a Delphi payload, as experimentally observed in Casbaneiro. The final payload, with all attack logic, encryption, evasion, and C2 communication, is native Rust end-to-end.\r\nAs of this publication, ZenoX has not identified any other banking trojan in the Latin American or Brazilian ecosystem with this profile. VENON represents, possibly, the first discovery of a Brazilian banker RAT developed entirely in Rust, with a level of technical sophistication comparable to APT group tools.\r\n
The Latin American Banking Trojan Ecosystem\r\nLatin America, and Brazil in particular, is the global epicenter of banking trojans. Of the 30 most detected families worldwide, 11 are of Brazilian origin, representing 22% of all detections in 2024. Brazil alone accounts for 61% of banking trojan detections in the region (ESET, 2024).\r\nThe ecosystem has historically been dominated by Delphi-written families, a language that offers self-sufficient binaries and ease of GUI development for banking overlays. The table below lists the main active families and their language characteristics:\r\nFamily | Language | Profile\r\nGrandoreiro | Delphi | The largest LATAM banker: 1,700 banks, 45 countries, partial MaaS model\r\nMekotio | Delphi | Europe and LATAM; extensive use of PowerShell in the dropper\r\nCasbaneiro | Delphi + Rust* | Experimental Rust use only in the downloader; final payload in Delphi\r\nGuildma | Delphi | Also known as Astaroth; XOR string obfuscation\r\nMispadu | Delphi | SAMBA SPIDER; dropper via HTA/VBScript\r\nCoyote | .NET + Nim | Emerged in 2024; Squirrel installer; 61 Brazilian banks\r\nKiron | Rust | Rust downloader with DGA and browser credential theft (2024); no banking attack logic in Rust\r\nVENON | Native Rust | Full banking RAT in Rust: 88 crates, active evasion, state-of-the-art encryption\r\nTable 1 – Profile Comparison Among Latin American Malware\r\n* Casbaneiro used Rust experimentally only in the download component in 2023; the core of the malware remains in Delphi.\r\nThe following table compares VENON’s technical attributes with the three most representative families in the ecosystem: Grandoreiro (volume and reach), Coyote (modern language, Brazil), and Mekotio (European presence).\r\nCharacteristic | VENON | Grandoreiro | Coyote | Mekotio\r\nLanguage | Native Rust | Delphi | .NET + Nim | Delphi\r\nActive Period | 2024-2026 | 2017-2026 | 2024-2026 | 2015-2026\r\nBinary Size | 9.3 MB (UPX) | 390-414 MB | ~50 MB | ~20-30 MB\r\nTargets (Banks) | 36+ | 1,700+ | 61+ | 50+\r\nTargets (Crypto) | 21 platforms | 276 wallets | No | No\r\nGeographic Reach | Brazil | 45 countries | Brazil | LATAM + Europe\r\nC2 Protocol | WebSocket TLS | RealThinClient | SSL mutual | TCP custom\r\nC2 Encryption | ChaCha20-Poly1305 | AES-CTS | AES | XOR + custom\r\nConfig Encrypt | Argon2 + XChaCha20 | AES-256 | AES | XOR\r\nAMSI Bypass | Yes | No | No | No\r\nETW Bypass | Yes | No | No | No\r\nntdll Unhook | Yes | No | No | No\r\nIndirect Syscalls | Yes | No | No | No\r\nPix QR Intercept | Yes | No | No | No\r\nBoleto Swap | Yes | No | No | Partial\r\nScreen Streaming | DXGI (GPU) | Screenshots | Screenshots | Screenshots\r\nOperational Model | Solo / artisanal | MaaS (partial) | Solo | Solo\r\nTable 2 – Comparative Analysis: VENON vs. Established Families\r\n
Attribution\r\nAttribution of VENON to a known operator or group presented low confidence throughout the analysis. Although the malware shares several behavioral characteristics with established Latin American families such as Grandoreiro, Mekotio, and Coyote, the structural technical differences are sufficiently deep to prevent high-confidence attribution to any previously documented group or campaign in the region.\r\nHypothesis: AI-Assisted Development\r\nAn element that complicated both the analysis and attribution is the hypothesis that VENON may have been developed with extensive artificial intelligence assistance, which the security community has termed “vibe coding”. The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication.\r\nThis hypothesis would explain some asymmetries observed in the code: the coexistence of state-of-the-art cryptographic implementations alongside relatively straightforward control structures, and the reproduction in Rust of functional patterns common in Delphi, such as swap logic and window enumeration, with greater technical fidelity than would be expected from a first-time Rust developer. If confirmed, this would be one of the first documented instances of AI use for banking trojan development in Latin America.\r\nDeveloper Exposure via Compilation Artifacts\r\nDuring the string extraction process from an early DLL version (January 2026), identified during hunting, the ZenoX team located local compilation paths exposed in the binary. Unlike the version analyzed as the main subject of this report, this earlier sample had not removed the full paths from the author’s development environment.\r\nThe exposed paths repeatedly contain the username byst4, revealing the local machine username where the malware was compiled. The sequence of strings present in the binary includes paths such as C:\\Users\\byst4\\.cargo\\registry\\src\\..., a pattern consistent across dozens of entries corresponding to the Rust crates used in the project.\r\nFigure 11 – Username Mention in Rust Crates Exposing the Developer\r\n
Indicators of Compromise\r\nType | Indicator | Description / Context\r\nDomains\r\nDomain | brasilmotorsvs14[.]com | Primary C2 WebSocket (Cloudflare)\r\nDomain | lazybearpottery[.]net | Alternate C2 (Cloudflare)\r\nDomain | digitalmoineyp[.]com | Distribution infrastructure\r\nDomain | portalhondihs[.]com | Distribution infrastructure\r\nDomain | storage.googleapis[.]com | Dead drop – GCS bucket mydns2026\r\nURLs\r\nURL | https://s3.sa-east-1.amazonaws[.]com/8151218-25.2025.7.12.5178/modmarco2026-2.zip | Payload – AWS S3 (sa-east-1)\r\nURL | https://storage.googleapis[.]com/mydns2026/startabril2026 | Dead drop resolver – GCS\r\nURL | https://storage.googleapis[.]com/mydns2026/startmarco2026_1_ | Dead drop resolver – GCS\r\nURL | https://storage.googleapis[.]com/mydns2026/startjaneiro_1_ | Dead drop resolver – GCS\r\nURL | https://storage.googleapis[.]com/mydns2026/startabril_2 | Dead drop resolver – GCS\r\nURL | https://pastebin.com/raw/2qEMcLsD | Dead drop resolver – Pastebin\r\nURL | https://digitalmoineyp[.]com/v2/cloudflare/avsmail/recive.php | Distribution endpoint\r\nIP Addresses – C2 / Panel\r\nIP | 104.21.7[.]106 | brasilmotorsvs14.com – Cloudflare CDN\r\nIP | 188.114.96[.]3 | lazybearpottery.net – Cloudflare CDN\r\nIP | 206.0.29[.]58 | VENON Panel – LACNIC\r\nIP | 51.222.75[.]250 | VENON Panel – OVH Canada\r\nIP | 51.222.75[.]248 | VENON Panel – OVH Canada\r\nIP | 192.99.226[.]117 | VENON Panel – OVH Canada\r\nIP | 212.69.5[.]84 | VENON Panel – Europe\r\nIP | 34.227.229[.]85 | VENON Panel – AWS EC2\r\nIP Addresses – Abused Legitimate Services\r\nIP | 34.117.59[.]81 | ipinfo.io – geolocation fingerprinting\r\nIP | 142.251.140[.]187 | storage.googleapis.com – dead drop GCS\r\nIP | 142.251.141[.]67 | c.pki.goog – CRL validation\r\nIP | 142.251.140[.]163 | o.pki.goog – OCSP validation\r\nFile System Paths\r\nPath | C:\\ProgramData\\USOShared\\NuPLihaOH\\ | Implant staging directory\r\nPath | C:\\ProgramData\\USOShared\\NuPLihaOH\\NVIDIANotification.exe | Legitimate NVIDIA executable (sideloading)\r\nPath | C:\\ProgramData\\USOShared\\NuPLihaOH\\®mjtgr.exe | Main implant (Unicode prefix)\r\nPath | C:\\ProgramData\\USOShared\\NuPLihaOH\\qYogBt.zip | Temporary ZIP in staging\r\nRegistry Keys\r\nRegistry | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | Persistence – executes ®mjtgr.exe at logon\r\nProcesses\r\nProcess | ®mjtgr.exe | Main implant (PID 6864)\r\nProcess | NVIDIANotification.exe | Legitimate NVIDIA executable – sideloading vehicle\r\nProcess | CasPol.exe | LOLBin – sideloading target\r\nProcess | wscript.exe | VBS script executor\r\nFiles\r\nFile | libcef.dll | Malicious DLL – sideloading via CEF (packed)\r\nFile | NVIDIANotification.exe | Legitimate NVIDIA executable used as loader\r\nFile | ®mjtgr.exe | Renamed implant (Unicode ® prefix)\r\nFile | qYogBt.zip | Temporary ZIP in staging\r\nFile | modmarco2026.zip | Versioned payload – hosted on S3\r\nFile | DocumentReclamaAQUI_56b2ca9811.cmd.bin | CMD dropper (phase F1)\r\nFile | Itau_swap_install.vbs | VBS Script – Itaú shortcut swap\r\nFile | startabril2026 | Dead drop resolver – GCS\r\nFile | startmarco2026_1_ | Dead drop resolver – GCS\r\nFile | startjaneiro_1_ | Dead drop resolver – GCS\r\nFile | startabril_2 | Dead drop resolver – GCS\r\nHashes\r\nMD5 | 427ccfa456ed27a819aa152708212ff4 | libcef.dll (packed)\r\nSHA256 | c482286a7fdfb64d308c197a4deabcd773b8b62d9e74d1d08fcfd02568d75d72 | libcef.dll (packed)\r\nMD5 | 2d1c4778094ba0e1a6e13bb67ce1b631 | libcef.dll (unpacked)\r\nSHA256 | 75d1a2560cf93c6a028aa3573febddaf713014d64b0e8904488111772e4cff49 | libcef.dll (unpacked)\r\nMD5 | a99cb35768489b7aacf2d31d33d8f541 | Itau_swap_install.vbs\r\nSHA256 | fd5d9effc1ef77a49b0720d2691bc144f513609760c22fa62bc1e8b84dedf879 | Itau_swap_install.vbs\r\nSHA256 | 78b62856878cb09602b14104df18ca2bedac8640e09d74b934ff3ea0e15627f3 | Additional sample\r\nSHA256 | d61be2b21e135726c547a388ecb47552559e5221894f5005ce35bdb24efc0c26 | Additional sample\r\nSource: https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/"
	],
	"report_names": [
		"venon-the-first-brazilian-banker-rat-in-rust"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e74980b76abaaeee1ec83328102d13740cefa22.pdf",
		"text": "https://archive.orkl.eu/9e74980b76abaaeee1ec83328102d13740cefa22.txt",
		"img": "https://archive.orkl.eu/9e74980b76abaaeee1ec83328102d13740cefa22.jpg"
	}
}