VENOM has just hit the scene and is already reshaping what cyber-crime looks like in Latin America. Unlike the Delphi-based banking trojans that used to run the show, this new threat is written in Rust, a language prized for its memory safety and speed. Banks that once had to worry mainly about bug-ridden, easily detected malware are now up against something that can dodge detection while doing its work in the background.
Researchers uncovered the first version in March 2026. Since then, 33 major banks in Brazil have been targeted, helped along by Rust's combination of high performance and a stealth-first design. The result is malware that is not just a nuisance but a genuinely sophisticated adversary, and a stark reminder that the familiar Delphi pattern is no longer the rule of play.
Credential-Stealing Overlays Threaten Brazil’s Banking Sector
Malicious actors are using credential-stealing overlays to trick users into disclosing their login information, posing a serious threat to Brazilian banks. Because these overlays mimic authentic banking interfaces, it is almost impossible for unsuspecting customers to spot the fraud. The attacks are carried out by malware such as the Rust-based VENOM, which targets desktop and mobile banking apps. The malware silently collects login credentials and transmits them to remote servers under the attackers' control. Financial experts caution that, without strong multi-factor authentication and proactive monitoring, banks and their customers remain highly exposed to identity fraud, financial theft and serious reputational harm.
How VENOM Malware Hijacks Banking Apps
The infection chain begins with DLL side-loading, which lets VENOM run its malicious code without being detected right away. The attackers typically rely on social engineering, such as ClickFix-style phishing lures, to trick users into downloading a ZIP archive that contains the malware, which is then executed by a PowerShell script.
Once running, VENOM uses a range of techniques to evade security software, including indirect system calls, anti-sandbox checks, and bypasses of ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface). It then opens a WebSocket connection to its command-and-control (C2) server, sets up scheduled tasks, and retrieves its configuration from a Google Cloud Storage URL.
The malware then drops two VBScript files aimed at Brazilian banking applications. These scripts replace legitimate shortcuts with tampered ones that send users straight to fake pages under the attackers' control. Notably, VENOM can also uninstall itself: on a single command it restores the original shortcuts and removes its traces, keeping the attack tidy and contained.
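As an added example, not code from the original article or from any vendor's report on this campaign, here is a small Python detection routine that turns the chain described above into three hunting rules and runs them over a handful of constructed Sysmon-style events: a ClickFix-style PowerShell launch from explorer.exe, an unsigned DLL side-loaded from a user-writable directory, and a .lnk file written to the Desktop or Start Menu by a script host. All event values, user names, paths and file names are made up for the demonstration and are not indicators from the reporting; the field names follow Sysmon's ProcessCreate (ID 1), ImageLoad (ID 7) and FileCreate (ID 11) events.

```python
import re
from typing import Dict, List, Optional

# Directories a standard user can write to. An unsigned DLL loaded from one of
# these by an executable sitting in the same folder is the side-loading pattern
# the article describes (a legitimate EXE copied next to a rogue DLL).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\|^c:\\(temp|programdata)\\",
    re.I,
)
# Script hosts that should not be the process writing a user's banking shortcuts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Shortcut locations the VBScript stage would have to modify.
SHORTCUT_DIRS = re.compile(r"\\(desktop|start menu)\\.*\.lnk$", re.I)
# Command-line fragments typical of ClickFix-style "paste this to fix it" lures.
CLICKFIX_TOKENS = ("-w hidden", "-enc ", "-encodedcommand", "expand-archive",
                   "invoke-webrequest", "iwr ")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def rule_clickfix_powershell(ev: Dict) -> Optional[str]:
    """Sysmon 1: powershell.exe spawned by explorer.exe with two or more
    ClickFix-style tokens (hidden window, encoded command, download, extract).
    Two tokens are required so ordinary admin scripts do not fire the rule."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "powershell.exe":
        return None
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    hits = [t.strip() for t in CLICKFIX_TOKENS if t in cmd]
    if len(hits) >= 2:
        return f"clickfix_powershell: explorer.exe -> powershell.exe with {hits}"
    return None


def rule_dll_sideload(ev: Dict) -> Optional[str]:
    """Sysmon 7: an unsigned DLL loaded from a user-writable folder that also
    contains the loading executable."""
    if ev.get("EventID") != 7:
        return None
    dll, proc = ev.get("ImageLoaded", ""), ev.get("Image", "")
    if not dll.lower().endswith(".dll") or ev.get("Signed", "").lower() != "false":
        return None
    if USER_WRITABLE.match(dll) and dirname(dll) == dirname(proc):
        return f"dll_sideload: {basename(proc)} loaded unsigned {basename(dll)} from {dirname(dll)}"
    return None


def rule_shortcut_tamper(ev: Dict) -> Optional[str]:
    """Sysmon 11: a .lnk under Desktop or Start Menu written by a script host
    rather than by explorer.exe or an installer."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    writer = basename(ev.get("Image", ""))
    if SHORTCUT_DIRS.search(target) and writer in SCRIPT_HOSTS:
        return f"shortcut_tamper: {writer} wrote {basename(target)}"
    return None


RULES = (rule_clickfix_powershell, rule_dll_sideload, rule_shortcut_tamper)


def run_rules(events: List[Dict]) -> List[str]:
    """Apply every rule to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed telemetry (not real indicators): three malicious events, each
# followed by a benign look-alike that the rules must leave alone.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -w hidden -enc SQBFAFgAIAAoAGkAdwByACAAaAB0AHQAcAA..."},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
    {"EventID": 7, "Image": r"C:\Users\ana\Downloads\Fatura\Viewer.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\Fatura\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\Desktop\Internet Banking.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ana\Desktop\Internet Banking.lnk"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

These are heuristics rather than signatures: the ClickFix rule deliberately demands two suspicious tokens, the side-load rule keys on the DLL and its loader sharing a user-writable folder rather than on any file name, and the shortcut rule fires on who wrote the .lnk, not on its contents. That last point matters for the self-uninstall stage: when the malware restores the original shortcuts, the restore is still a script host rewriting .lnk files, so the rule fires again and leaves a trace even after the attacker has cleaned up.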