Mallory
Malware

VENON

VENON is a previously undocumented Windows banking trojan targeting Brazilian users and financial institutions. It is written in Rust, diverging from the more typical Delphi-based Latin American banker ecosystem, and has been described as sharing behavioral traits with regional banking trojans such as Grandoreiro, Mekotio, and Coyote, though it has not been attributed to any known threat group or campaign.

VENON is delivered via DLL sideloading as a trojanized libcef.dll masquerading as a Chromium Embedded Framework library. The malicious DLL exports 209 fake CEF function stubs and has been observed in infection chains likely involving social engineering, including suspected ClickFix-style lures, ZIP archives, and PowerShell-assisted execution. It targets Windows systems and includes LNK shortcut hijacking logic, with Visual Basic Script components specifically targeting the Itaú banking application and replacing shortcuts with tampered versions that redirect victims to attacker-controlled web pages. It also supports uninstall and restoration of shortcut changes, likely to reduce evidence.

Its core fraud capabilities include credential theft through bank-specific overlays, active window and browser-domain monitoring, PIX key and QR payload swapping, boleto payment manipulation, and cryptocurrency address replacement. The malware uses DirectComposition with D3D11 to render hardware-accelerated overlays and calls SetWindowDisplayAffinity with WDA_EXCLUDEFROMCAPTURE so overlays are excluded from screenshots and some remote viewing contexts. Embedded overlay templates were tailored for Brazilian banks including Bradesco and Itaú. A companion monitor module can deploy blackout overlays across multiple monitors. VENON also modifies the Windows hosts file to redirect targeted banking domains to 127.0.0.1 for 24 hours after credential theft, using markers # VENON_BLOCK_START and # VENON_BLOCK_END and a timestamp file named block_24h.dat, apparently to give operators time to drain accounts.
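A defender-side check for the hosts-file tampering described above, added here as an example and not code from the original page or from any vendor report: it extracts the domains redirected to loopback between the # VENON_BLOCK_START and # VENON_BLOCK_END markers and tests whether the block_24h.dat timestamp still falls inside the 24-hour window. The hosts content is constructed sample input, the .invalid domains are placeholders, and the location of block_24h.dat is an assumption (the write-up does not say where it is written).

```python
import os
import time

# Marker strings and the timestamp file name come from the VENON write-up above;
# the hosts-file text is constructed sample input, not a capture from a real host.
BLOCK_START = "# VENON_BLOCK_START"
BLOCK_END = "# VENON_BLOCK_END"
BLOCK_WINDOW_SECONDS = 24 * 60 * 60  # the 24 h redirect window described above
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
# VENON_BLOCK_START
127.0.0.1 example-bank.invalid
127.0.0.1 www.example-bank.invalid
# VENON_BLOCK_END
"""


def find_venon_block(hosts_text: str) -> list:
    """Return hostnames redirected to loopback inside the marker block ([] if none)."""
    inside = False
    redirected = []
    for raw in hosts_text.splitlines():
        line = raw.strip()
        if line == BLOCK_START:
            inside = True
        elif line == BLOCK_END:
            inside = False
        elif inside and not line.startswith("#"):
            parts = line.split()  # "<ip> <hostname> [aliases...]"
            if len(parts) >= 2 and parts[0] == "127.0.0.1":
                redirected.extend(parts[1:])
    return redirected


def block_is_active(marker_file_mtime: float, now: float) -> bool:
    """True while block_24h.dat is younger than the 24 h window (False if in the future)."""
    return 0 <= now - marker_file_mtime < BLOCK_WINDOW_SECONDS


def check_host(hosts_path: str = HOSTS_PATH, marker_file: str = "block_24h.dat") -> dict:
    """Read the live hosts file (if present) and report the block's state."""
    result = {"redirected": [], "block_active": False}
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            result["redirected"] = find_venon_block(fh.read())
    if os.path.exists(marker_file):  # assumed location; pass the path you actually find
        result["block_active"] = block_is_active(os.path.getmtime(marker_file), time.time())
    return result
```

A non-empty "redirected" list is the finding; the markers alone are enough to act on, since a legitimate hosts file never carries them.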

The malware targets numerous Brazilian financial institutions and payment platforms, including Banco do Brasil, Bradesco, Caixa Economica, Santander, Itau Unibanco, Safra, Sicoob, Sicredi, Banesc/BFRB, Mercado Livre/Pago, Nubank, Inter/C6, BTG, PagBank, PicPay, and Original. Reporting also states it is equipped to target 33 financial institutions and digital asset platforms. Its cryptocurrency clipper functionality replaces copied wallet addresses associated with 21 blockchain networks, including BTC, ETH, LTC, DOGE, TRX, XRP, XMR, SOL, BCH, ADA, DOT, BNB, MATIC, AVAX, LINK, UNI, XLM, ALGO, NEAR, APT, and DASH, and monitors address patterns tied to 28 platforms such as Binance, Coinbase, Kraken, KuCoin, Bybit, OKX, Mercado Bitcoin, Foxbit, MetaMask, Trust Wallet, Phantom, Ledger, Rabby, Gemini, and Nexo.

VENON employs extensive evasion and anti-analysis techniques. Reported behaviors include anti-sandbox checks, NTDLL unhooking by remapping a clean ntdll.dll .text section, indirect syscalls for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx, AMSI patching, ETW disabling or bypass, anti-debugging via IsDebuggerPresent, and NtSetInformationThread with HideFromDebugger.

For persistence, VENON installs itself under %LOCALAPPDATA%\NVIDIA Corporation\NVIDIA Notification\%COMPUTERNAME%\NVIDIANotification.exe and uses NVIDIA-themed artifacts to blend in. Persistence mechanisms include a scheduled task named NVIDIA Notification Service, a registry run key named NVIDIA Notification, and a WMI event subscription using NVIDIAFilter and NVIDIAConsumer. It also uses mutex names mimicking NVIDIA software, including Global\NvContainerMutex_* and Local\NvContainerMutex_*.
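Triage logic for the persistence artifacts listed above, added here as an example that is not part of the original page or of any vendor tooling: it classifies event records against the scheduled task name, run key, WMI filter/consumer names, install path and mutex pattern, and ranks the mutex as a weak signal because genuine NVIDIA software can create similarly named objects. The event records and their field names are constructed in a simplified Sysmon-like shape, and the user name and computer name in the sample path are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Artifact names and the install path come from the persistence description above.
# The event records are constructed samples, not real telemetry; the field names
# ("type", "name", "key", "value", "command") are this example's own choice.
INSTALL_PATH_RE = re.compile(
    r"\\NVIDIA Corporation\\NVIDIA Notification\\[^\\]+\\NVIDIANotification\.exe$", re.I)
MUTEX_RE = re.compile(r"^(Global|Local)\\NvContainerMutex_", re.I)
TASK_NAME = "NVIDIA Notification Service"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Notification"
WMI_NAMES = {"NVIDIAFilter", "NVIDIAConsumer"}

VENON_PATH = (r"C:\Users\alice\AppData\Local\NVIDIA Corporation"
              r"\NVIDIA Notification\WS01\NVIDIANotification.exe")  # placeholders
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "task_create", "name": TASK_NAME, "command": VENON_PATH},
    {"type": "registry_set", "key": RUN_KEY, "value": VENON_PATH},
    {"type": "wmi_filter", "name": "NVIDIAFilter"},
    {"type": "wmi_consumer", "name": "NVIDIAConsumer"},
    {"type": "mutex_create", "name": r"Global\NvContainerMutex_4242"},
    # Benign control record: a vendor-looking task under Program Files.
    {"type": "task_create", "name": "NvTmRep_Report",
     "command": r"C:\Program Files\NVIDIA Corporation\Display\nvtmrep.exe"},
]


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a VENON persistence artifact, else None."""
    kind = event.get("type", "")
    if kind == "task_create" and event.get("name", "").lower() == TASK_NAME.lower():
        return ("high", "scheduled task " + TASK_NAME)
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower():
        return ("high", "run key NVIDIA Notification")
    if kind in ("wmi_filter", "wmi_consumer") and event.get("name") in WMI_NAMES:
        return ("high", "WMI subscription component " + event["name"])
    if INSTALL_PATH_RE.search(event.get("command", "") or event.get("value", "")):
        return ("high", "binary in NVIDIA Notification install path")
    # The mutex alone is a weak signal: real NVIDIA software on the host can
    # create similarly named objects, so it is reported at low severity.
    if kind == "mutex_create" and MUTEX_RE.match(event.get("name", "")):
        return ("low", "NvContainerMutex-style mutex")
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Collect findings over a batch of events; an empty list means nothing matched."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

The WMI pair deserves the most attention in response, since the page notes it survives removal of the task and run key.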

VENON communicates with operators over WebSocket TLS using rustls with certificate pinning, with additional ChaCha20/XChaCha20 encryption and Argon2-derived keys. It supports remote configuration and self-updating. Configuration retrieval has been reported via Google Cloud Storage, and telemetry sent by the malware includes HWID, public IP, location, ISP, computer name, and Windows version, with ipinfo.io referenced for victim profiling.

Known indicators and artifacts mentioned in the source reporting include the hosts-file markers # VENON_BLOCK_START and # VENON_BLOCK_END, the file block_24h.dat, the installation path under NVIDIA Notification, and four SHA-256 hashes for samples uploaded to MalwareBazaar from Switzerland on March 17 and March 31, 2026: dc7c8f5cb67148876617f387df095dcea8598726fe5599cc1d3bab18932d372d, 530e501f3e0aa8a5e3a41a06b0ba4e159ea6cea258b71c644c0578b856aebddb, 00dbe21b176bef396455459d7e8da3365397a47c9c54b4422a30f8dae7cb578b, and c482286a7fdfb64d308c197a4deabcd773b8b62d9e74d1d08fcfd02568d75d72.


MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1195.002 Compromise Software Supply Chain (evidence: 1)

Source mapping: Initial Access / Supply Chain Compromise / T1195.002

Execution

4 techniques

T1053.005 Scheduled Task (evidence: 2)

Scheduled Task: NVIDIA Notification Service -- triggers at logon, runs at highest privilege level

T1059.001 PowerShell (evidence: 2)

Source mapping: Execution / PowerShell / T1059.001

T1059.005 Visual Basic (evidence: 2)

VBS artifacts: %TEMP%\itau_swap_*.vbs -- VBScript files used for Itau-specific social engineering

T1129 Shared Modules (evidence: 1)

When a user launches the host application, Windows loads libcef.dll from the application directory before checking system paths. The trojanized DLL gets loaded.

Persistence

4 techniques

T1053.005 Scheduled Task (evidence: 2)

Scheduled Task: NVIDIA Notification Service -- triggers at logon, runs at highest privilege level

T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

WMI Event Subscription: NVIDIAFilter / NVIDIAConsumer -- the most resilient of the three, surviving even if the scheduled task and registry key are removed

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Notification

T1547.009 Shortcut Modification (evidence: 1)

"...two Visual Basic Script blocks that implement a shortcut hijacking mechanism... replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor's control."

Privilege Escalation

4 techniques

T1053.005 Scheduled Task (evidence: 2)

Scheduled Task: NVIDIA Notification Service -- triggers at logon, runs at highest privilege level

T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

WMI Event Subscription: NVIDIAFilter / NVIDIAConsumer -- the most resilient of the three, surviving even if the scheduled task and registry key are removed

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Notification

T1547.009 Shortcut Modification (evidence: 1)

"...two Visual Basic Script blocks that implement a shortcut hijacking mechanism... replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor's control."

Stealth

4 techniques

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

The malware installs itself to %LOCALAPPDATA%\NVIDIA Corporation\NVIDIA Notification\%COMPUTERNAME%\NVIDIANotification.exe.

T1070 Indicator Removal (evidence: 1)

"The attack also supports an uninstall step to undo the modifications... to restore the shortcuts... to cover up the tracks."

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks..."

T1622 Debugger Evasion (evidence: 1)

Anti-Debug: Standard checks via IsDebuggerPresent and NtSetInformationThread with HideFromDebugger, preventing analysts from attaching debuggers to the running process.

Credential Access

3 techniques

T1056 Input Capture (evidence: 1)

Most banking trojans have used overlay windows for years -- fake login prompts that sit on top of real banking websites to capture credentials.

T1056.001 Keylogging (evidence: 1)

"...features like banking overlay logic, active window monitoring..."

T1056.002 GUI Input Capture (evidence: 1)

The embedded overlay images ... are tailored social engineering prompts for Bradesco and Itau, requesting security tokens and phone numbers through convincing facsimiles of each bank's actual interface.

Discovery

4 techniques

T1010 Application Window Discovery (evidence: 1)

"...by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened..."

T1082 System Information Discovery (evidence: 1)

Upon initial connection, the malware authenticates with a LoginResponse ... and transmits a victim fingerprint via POST to ipinfo.io: Hardware ID (HWID), public IP address, city/region/country, ISP/organization, computer name, Windows version.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks..."

T1622 Debugger Evasion (evidence: 1)

Anti-Debug: Standard checks via IsDebuggerPresent and NtSetInformationThread with HideFromDebugger, preventing analysts from attaching debuggers to the running process.

Collection

5 techniques

T1056 Input Capture (evidence: 1)

Most banking trojans have used overlay windows for years -- fake login prompts that sit on top of real banking websites to capture credentials.

T1056.001 Keylogging (evidence: 1)

"...features like banking overlay logic, active window monitoring..."

T1056.002 GUI Input Capture (evidence: 1)

The embedded overlay images ... are tailored social engineering prompts for Bradesco and Itau, requesting security tokens and phone numbers through convincing facsimiles of each bank's actual interface.

T1115 Clipboard Data (evidence: 1)

VENON monitors the clipboard in real time. When it detects a PIX key or QR code payload, it silently replaces it with an attacker-controlled key.

T1185 Browser Session Hijacking (evidence: 1)

"...facilitate credential theft by serving fake overlays."

Command and Control

4 techniques

T1071.001 Web Protocols (evidence: 1)

VENON's command-and-control communication uses WebSocket over TLS (wss://)

T1105 Ingress Tool Transfer (evidence: 1)

"It also reaches out to a Google Cloud Storage URL to retrieve a configuration..."

T1568 Dynamic Resolution (evidence: 1)

The C2 configuration isn't hardcoded. The src/config/remote.rs module implements fetch_remote_host(), which resolves the C2 address dynamically through a base64-encoded, encrypted payload.

T1573.001 Symmetric Cryptography (evidence: 1)

VENON's command-and-control communication uses WebSocket over TLS (wss://), encrypted with ChaCha20/XChaCha20 using Argon2 key derivation.

Impact

2 techniques

T1565.002 Transmitted Data Manipulation (evidence: 1)

VENON intercepts boleto codes on the clipboard and replaces the destination bank account digits while preserving the rest of the code structure.

T1657 Financial Theft (evidence: 1)

Source mapping: Impact / Financial Theft / T1657

Other

1 technique

T1562.001 Disable or Modify Tools (evidence: 2)

AMSI Bypass: The Anti-Malware Scan Interface is patched. AmsiScanBuffer ... is neutralized... ETW Patching: Event Tracing for Windows is disabled
