Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that’s written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.
The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.
What makes VENON notable is that it shares behaviors that are consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, specifically when it comes to features like banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism.
The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author’s development environment. The paths repeatedly reference a Windows machine username “byst4” (e.g., “C:\Users\byst4\…”).
“The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication,” ZenoX said.
VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL. It’s suspected that the campaign leverages social engineering ploys like ClickFix to trick users into downloading a ZIP archive containing the payloads by means of a PowerShell script.
Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, and AMSI bypass, before actually initiating any malicious actions. It also reaches out to a Google Cloud Storage URL to retrieve a configuration, install a scheduled task, and establish a WebSocket connection to the command-and-control (C2) server.
Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism exclusively targeting the Itaú banking application. The components work by replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor’s control.
The attack also supports an uninstall step to undo the modifications, suggesting that the operation can be remotely controlled by the operator to restore the shortcuts to what they originally were to cover up the tracks.
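A defender-side check for the shortcut tampering described above, as an added example that is not from ZenoX or the original article: it lists shortcuts in the usual Desktop, Start Menu and taskbar locations whose target or arguments open a URL or run through a script host. The folder list, the browser and script-host names, and the matching rules are assumptions, since the article does not give the tampered shortcut's exact form.

```powershell
# Added example: audit .lnk shortcuts for targets that open a web page.
# All heuristics here are assumptions; hits are leads for review, not verdicts.

# Locations where users normally launch banking shortcuts from.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

$browsers    = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'iexplore.exe'
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe'
$urlPattern  = '(?i)\bhttps?://'

# WScript.Shell can read an existing shortcut's target and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($file in Get-ChildItem -Path $roots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($file.FullName)
    $exe = if ($lnk.TargetPath) { [IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant() } else { '' }

    $reasons = @()
    if ($lnk.TargetPath -match $urlPattern) { $reasons += 'URL as target' }
    if ($lnk.Arguments  -match $urlPattern) { $reasons += 'URL in arguments' }
    if (($scriptHosts -contains $exe) -and $lnk.Arguments) { $reasons += "script host $exe with arguments" }
    if (($browsers    -contains $exe) -and $lnk.Arguments) { $reasons += "browser $exe with arguments" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Shortcut     = $file.FullName
            Target       = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            LastWriteUtc = $file.LastWriteTimeUtc
            Reasons      = $reasons -join '; '
        }
    }
}

# Most recently modified shortcuts first: recent rewrites deserve the first look.
$findings | Sort-Object LastWriteUtc -Descending | Format-List
```

Because the uninstall step can restore the original shortcuts, a clean result at one point in time does not rule out earlier tampering. Exporting this inventory on a schedule gives a baseline to compare against.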
In all, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened to facilitate credential theft by serving fake overlays.
The disclosure comes amid campaigns where threat actors are exploiting the ubiquity of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform’s desktop web version. The attack hinges on abusing previously authenticated chats to deliver malicious lures directly to victims, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.
“A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running fully in memory,” Blackpoint Cyber said.
“The combination of local automation tooling, unsupervised browser drivers, and user-writable runtimes created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction.”
Two U.K. regulators on Thursday published warnings demanding that Facebook, Instagram, Snapchat, TikTok, YouTube and other large platforms used by children “take urgent steps” to integrate robust age assurance tools into their sites.
The Information Commissioner’s Office (ICO) and Ofcom stressed that they expect immediate action, with Ofcom saying that firms have until the end of April to report back on their plans. The ICO said that it has “started direct engagement with some of the highest risk services and expect them to work directly with us to strengthen their age assurance measures over the next two months.”
The regulators’ public call to action comes at a time when countries across Europe are considering or are implementing social media bans for children and are generally laser-focused on child safety online.
In January, the British government announced it is considering a social media ban for children under age 16 and said it is consulting with Australia to learn about the impact and efficacy of its own ban, which took effect in December. On Monday members of Parliament voted down a ban, but it could still take effect after the British government finishes an ongoing “consultation” process.
In its open letter, the ICO said it is considering “further regulatory action” if platforms do not do more to ensure that children under age 13 cannot access their platforms.
The ICO said it has found that many platforms set a minimum age of 13 but rely on children to honestly report their ages as their sole enforcement mechanism.
“As self-declaration is easily circumvented, this means underage children can easily access services that have not been designed for them,” the ICO letter said. “This puts under-13s at risk by allowing their information to be collected and used unlawfully, without the protections they are entitled to.”
The regulator emphasized that age assurance technologies have become much more effective in recent years but that many services have failed to begin using the technology.
Ofcom’s warning said that social media platforms and Roblox have privately assured it that they are committed to creating safe online ecosystems for kids. The regulator said it plans to make the companies’ responses to its demand for action public in May and will then “announce any next steps for regulatory action.”
“These online services are household names, but they’re failing to put children’s safety at the heart of their products,” Dame Melanie Dawes, Ofcom’s chief executive, said in a statement. “There is a gap between what tech companies promise in private, and what they’re doing publicly to keep children safe on their platforms.”
Ofcom’s four demands include a call for platforms to implement effective age assurance protocols, “failsafe” grooming protections, safer feeds and no more product testing on children.
The regulator said its research shows that 72% of children aged 8-12 are accessing the platforms’ sites and apps.
Up until the end of February, a steady flow of ships bound for destinations across the world would pass daily through the Strait of Hormuz. A narrow channel running between Oman and Iran, the waterway serves as the only natural maritime link between the Persian Gulf and the global economy. That all changed on March 2, when, after days of military strikes led by the U.S. and Israel, Iran effectively closed the strait for the first time in history and warned that any ships passing through would be fired upon. Ever since, vessels moving through the channel have been attacked and set ablaze, and hundreds of tankers remain stranded. At least 1,800 people have been killed in the war, including Iran’s supreme leader Ayatollah Ali Khamenei and other top government officials.
Another world crisis sparked by the war in Iran may also be in the offing. That’s because the region’s oil and gas production has made it one of the world’s leading exporters of nitrogen fertilizers, which are indispensable to the global food system. To produce the chemicals used to grow much of the planet’s crops, natural gas is broken down to extract hydrogen, which is combined with nitrogen to make ammonia, and then mixed with carbon dioxide to make urea. All told, nearly a third of the global trade for nitrogen fertilizer passes through the Strait of Hormuz, while almost half of the world’s sulfur, essential in producing phosphate fertilizers, also travels through the corridor.
“A worrying amount of food, or inputs into modern agriculture, are going through this very small channel,” said Ginni Braich, a data scientist who studies food insecurity at the University of Colorado Boulder’s Better Planet Laboratory. She estimates that the strait is in the top 20th percentile of all the world’s transportation corridors just based on the sheer volume of food that passes through it. The sudden and cascading effects of trade halting through the waterway, according to Braich, “really underscores how interconnected everything is, and how fragile … just any small amount of disruption can have huge aftershocks that reverberate all around the world.”
The timing, Braich said, could not be worse, as spring planting in the northern hemisphere — crop farmers’ biggest season — is approaching. “So, basically, vessels that were leaving the Middle East today would be arriving in mid-April,” she said. “Now, the fact that obviously nothing is leaving means that there’s going to be a large hole in the market for fertilizer.”
If the war persists, experts warn that the drop in supply and the increase of cargo insurance premiums and freight rates could raise prices for everyone along the supply chain. Unlike with oil, there is no meaningful strategic reserve for nitrogen-based fertilizer, so there’s no equivalent stockpile to help buffer the shocks. While the U.S. does produce some of its own fertilizer, domestic producers cannot rapidly replace millions of tons of fertilizer supplies. Other countries more reliant on fertilizer imports from the Middle East, such as India, will be hit hard by the cessation of traffic on the strait. China, Indonesia, Morocco, and several sub-Saharan African nations are also expected to be affected by the global gridlock of sulfur exports flowing from the Gulf.
Moreover, Braich warned, any prolonged increase in shipping and inventory costs “is going to be felt by the consumer.”
For some, the impact is already here. Prices for key fertilizer products are up because of the war and are expected to squeeze growers’ profit margins — which could lead farmers to ration fertilizer use, reducing yields, or even to shift from planting input-intensive crops. U.S. Agriculture Secretary Brooke Rollins told reporters in Atlanta, Georgia, on Tuesday that the Trump administration was “looking at every possible option” to address “skyrocketing” fertilizer costs for U.S. farmers “based on actions on the other side of the world.”
About 4 billion people on the planet eat food grown with synthetic nitrogen fertilizers. Roughly half of the global population, in other words, is alive because of these chemicals converted into nutrients for plants, said Lorenzo Rosa, who researches sustainable energy, water, and food systems at the Carnegie Institution for Science at Stanford University.
Of course, the fact that natural gas is the key to mass-producing synthetic fertilizers carries its own terrible climate implications. Together, manufacturing and applying synthetic fertilizers to fields and farms accounts for over 2 percent of global greenhouse gas emissions — just about equal to the CO2 emissions from global aviation. There are low-emissions alternatives to this process, Rosa argued: Nitrogen could be recycled from waste, and natural gas plants could be powered by local or renewable energy sources and built closer to the farms that require fertilizer.
Normally, the fossil fuel-based, centralized — and, thus, fragile — supply chain for fertilizer and food is far cheaper than its alternative. But major shocks like the U.S.-Israel war against Iran expose the dangerous vulnerability of that system, as efficient and financially sound as it may be. “At some point, a country will have to decide: ‘Do I want the cheap fertilizer, importing it from the Strait of Hormuz or another country? Or do I prefer to pay a green premium and have my own domestic production and energy and food security?’” said Rosa.
USDA Secretary Rollins acknowledged this vulnerability in Tuesday’s press conference. “We are getting almost all of our urea, almost all of our phosphate, almost all of our nitrogen from other countries around the world, and that has to stop,” she said.
The catch, however, is that decentralizing this supply chain could inadvertently create a green divide — splitting the world between the nations and farmers who can afford domestically produced fertilizer and those who can’t. Many countries confronting widespread famine in Africa, for instance, already pay the highest fertilizer prices in the world and are unable to withstand further inflation.
“There are many stops along the way from closing the Strait of Hormuz to a child in Malawi being fed,” said Cary Fowler, president of the nonprofit Food Security Leadership Council and former U.S. Special Envoy for Global Food Security in the Biden administration. “The clear thing is that those two things are connected.”
The same countries that stand to face the most harmful food security effects because of the conflict in Iran are also the ones struggling to feed their citizens following the collapse of global food aid after President Donald Trump dissolved the U.S. Agency for International Development, or USAID, last year. Emergencies like these are where the international community’s response becomes increasingly important, Fowler said.
In addition to the dissolution of USAID, which halted international research efforts and initiatives to improve farming practices in lower-income nations, the World Food Programme has in recent months sounded the alarm over historically low donations from the U.S. and other major Western donors.
“If we don’t invest in that sustainable productivity growth, then we put ourselves in a situation where we’re going to need a lot more humanitarian aid, particularly when there’s flare-ups like we’re experiencing now,” said Fowler. “And that gives us another choice — whether to provide that humanitarian aid or not. And that’s a choice of whether we want to, at least in the short-term, solve the problem. Or do we want to watch children starve to death on TV?”
It’s not clear how long the strait will remain closed, although Trump has swung between stating the war with Iran could stretch on through April, if not longer, and declaring it nearly done. Last week, the president announced that the U.S. might begin to escort oil tankers through the embattled channel. “No matter what, the United States will ensure the FREE FLOW of ENERGY to the WORLD,” Trump wrote on social media, before later declaring “death, fire, and fury” if Iran continues its shipping blockade. On Sunday, he told Fox News that ships holding there should “show some guts” and push through.
The president made no mention of fertilizer — or food.
Rahul Bali of WABE, Atlanta’s NPR station and a Grist partner, contributed reporting.
Grist is a nonprofit, independent media organization dedicated to telling stories of climate solutions and a just future. Learn more at Grist.org