VENON: A Rust-Based Brazilian Banker With Screenshot-Proof Overlays, Three Fraud Engines, and a 24-Hour Bank Lockout

PIX Swap, Boleto Swap, Crypto Swap — three simultaneous financial fraud engines in a single Rust implant

Published April 1, 2026

Tags: banking-trojan, venon, rust, brazil, pix, dll-sideloading, overlay-attack, financial-fraud

A banking trojan written in Rust. A DLL disguised as a Chromium library with 209 fake function exports. Three simultaneous financial fraud engines -- one for instant payments, one for bank slips, one for cryptocurrency across 21 blockchains. Hardware-accelerated overlay windows that are invisible to screenshots. And a kill switch that locks victims out of their own bank accounts for 24 hours after stealing their credentials.

This is VENON -- a previously undocumented Brazilian banking trojan that represents a generational leap in how Latin American financial malware is engineered. Uploaded to MalwareBazaar from Switzerland, compiled on a machine with the build path C:\cargobr\, and carrying overlay images timestamped to Brasilia time in Adobe Photoshop CC, VENON is Brazilian malware built for a world beyond Brazil.

Why Rust Matters

Brazilian banking trojans have a type. They're written in Delphi. Sometimes .NET. Occasionally C++. They ship as bloated executables with Portuguese-language debug strings, target Bradesco and Itau with crude screen overlays, and rely on social engineering to compensate for weak evasion. The Brazilian banker ecosystem -- Grandoreiro, Casbaneiro, Mekotio, Guildma -- is one of the most prolific regional malware families in the world, and it has looked roughly the same for a decade.

VENON breaks the mold.

Built in Rust with the Tauri/Wry framework, tokio async runtime, and tungstenite WebSocket library, VENON is architecturally closer to modern offensive tooling than to its Delphi-based ancestors. Rust gives the developer memory safety without a garbage collector, zero-cost abstractions for performance-critical clipboard monitoring, and -- critically -- compiled binaries that static analysis engines struggle with. Rust's ownership model produces control flow graphs that confuse decompilers. IDA Pro and Ghidra both produce less readable output for Rust binaries than for equivalent C++ code.

The build path tells us something else: C:\cargobr\. Not C:\Users\someone\projects\. Not a standard Cargo workspace. A dedicated, minimal build directory with "br" in the name -- Brazil. This developer maintains a clean build environment specifically for this project.

The Perfect Disguise: 209 Lies

VENON doesn't arrive as a standalone executable. It arrives as libcef.dll -- the Chromium Embedded Framework library that legitimate Tauri and CEF-based applications depend on. When a user launches the host application, Windows loads libcef.dll from the application directory before checking system paths. The trojanized DLL gets loaded. The application works normally. The user notices nothing.

But here's what makes this sideloading particularly sophisticated: the DLL exports 209 CEF function stubs. Real CEF functions. cef_api_hash, cef_browser_host_create_browser, cef_command_line_create, cef_cookie_manager_get_global_manager -- every export you'd expect from a legitimate Chromium library is present. They don't do anything. They exist to pass automated analysis tools that check export tables against known-good signatures. A quick diff of the export list against a real libcef.dll would show nothing unusual.

The DLL weighs 9.78 MB. Real libcef.dll files from Chromium distributions are similar in size. Even the imphash -- the hash of the import table -- looks unremarkable. Everything about this file is designed to survive a first pass.

Three Engines, One Clipboard

Most banking trojans specialize. Some steal credentials via overlay windows. Some manipulate payment slips. Some swap cryptocurrency addresses. VENON does all three simultaneously, and the source module architecture reveals how deliberately this was engineered:

Engine 1: PIX Swap (src/pixswap.rs)

PIX is Brazil's instant payment system, launched by the Central Bank in November 2020 and now used by over 150 million Brazilians. Payments are initiated by scanning QR codes or copying PIX keys -- essentially account identifiers -- into banking apps. VENON monitors the clipboard in real time. When it detects a PIX key or QR code payload, it silently replaces it with an attacker-controlled key. The victim pastes what they think is their landlord's PIX key. They're actually pasting the attacker's. The money moves instantly and irrevocably.

Engine 2: Boleto Swap (src/boletoswap.rs)

Boletos are uniquely Brazilian -- bank-issued payment slips with 47-digit numerical codes used for everything from utility bills to car payments. They're the second most common payment method in Brazil after PIX. VENON intercepts boleto codes on the clipboard and replaces the destination bank account digits while preserving the rest of the code structure. The victim sees a boleto that looks correct. The payment routes to the attacker's account.

Engine 3: Crypto Swap (src/clipswap.rs)

This is where VENON's ambition becomes clear. The crypto swapper doesn't just target Bitcoin. It targets 21 blockchain networks: BTC, ETH, LTC, DOGE, TRX, XRP, XMR, SOL, BCH, ADA, DOT, BNB, MATIC, AVAX, LINK, UNI, XLM, ALGO, NEAR, APT, and DASH. It monitors for address patterns from 28 platforms including Binance, Coinbase, Kraken, KuCoin, Bybit, OKX, Mercado Bitcoin, Foxbit, MetaMask, Trust Wallet, Phantom, Ledger, Rabby, Gemini, Nexo, and more.

Every cryptocurrency address copied to the clipboard gets silently replaced with an attacker-controlled address for the corresponding chain. The victim thinks they're sending ETH to their hardware wallet. They're sending it to Sao Paulo.
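All three engines share one observable signature: the clipboard changes from one value of a financial class (a wallet address, a boleto line, a PIX key) to a different value of the same class within milliseconds of the user's copy. The Python below is an added detection example written for this report, not code from VENON or from Breakglass. Its regexes are this example's own approximations of the public BTC, ETH, TRX, boleto and PIX key formats, and the clipboard history it runs on is constructed; on a live Windows host the (timestamp, content) events would come from polling the clipboard sequence number.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value classes that VENON's three engines rewrite. These regexes are this
# example's approximations of the public formats, not patterns from the malware.
PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "pix_evp": re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),
    "pix_email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "pix_phone": re.compile(r"^\+55\d{10,11}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the financial value class of a clipboard string, or None."""
    s = text.strip()
    # Boleto lines and CPF keys are usually copied with dots, spaces and
    # dashes, so compare on the bare digits.
    digits = re.sub(r"[.\s-]", "", s)
    if digits.isdigit():
        if len(digits) == 47:
            return "boleto"
        if len(digits) == 11:
            return "pix_cpf"
        return None
    for name, rx in PATTERNS.items():
        if rx.match(s):
            return name
    return None


@dataclass
class SwapAlert:
    t: float
    kind: str
    before: str
    after: str


def detect_swaps(events: List[Tuple[float, str]], window: float = 2.0) -> List[SwapAlert]:
    """Flag the clipper signature: the clipboard moves from one value of a
    financial class to a *different* value of the same class within `window`
    seconds. A user rarely copies two distinct addresses or boletos that fast;
    a swapper rewrites the value milliseconds after the copy."""
    alerts: List[SwapAlert] = []
    prev = None
    for t, text in events:
        kind = classify(text)
        if prev is not None:
            pt, ptext, pkind = prev
            if kind is not None and kind == pkind and text != ptext and t - pt <= window:
                alerts.append(SwapAlert(t, kind, ptext, text))
        prev = (t, text, kind)
    return alerts


# Constructed clipboard history: (seconds, content). All values are dummies.
SAMPLE_EVENTS = [
    (10.00, "0x" + "ab" * 20),   # user copies an ETH address
    (10.15, "0x" + "cd" * 20),   # rewritten 150 ms later: swap
    (30.00, "12345.67890 12345.678901 23456.789012 3 45678901234567"),  # boleto line
    (30.10, "12345.67890 99999.678901 23456.789012 3 45678901234567"),  # field 2 rewritten: swap
    (50.00, "alice@example.com"),  # PIX e-mail key
    (75.00, "bob@example.com"),    # a second key 25 s later: user activity, no alert
    (90.00, "notes for the meeting"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"t={a.t:.2f}s {a.kind}: {a.before!r} -> {a.after!r}")
```

The time window is the important knob: a shorter window cuts false positives from users who genuinely paste several addresses in a row, and a clipper that rewrites on the clipboard-change notification will land well inside a second. The digit-count shortcut cannot separate a CPF from an 11-digit phone number copied without +55, but both are PIX keys, so the swap still fires.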

Overlays That Can't Be Screenshotted

Banking trojans have used overlay windows for years -- fake login prompts that sit on top of real banking websites to capture credentials. VENON's overlays are different in two important ways.

First, they use DirectComposition with D3D11 -- Windows' hardware-accelerated compositing engine. Instead of the GDI-based overlays common in Delphi bankers, VENON creates composition targets backed by Direct3D 11 swap chains. The overlays are GPU-rendered, pixel-perfect, and blend seamlessly with the underlying desktop. They don't flicker. They don't tear. They match the DPI scaling of the victim's monitor.

Second -- and this is the detail that matters for incident response -- the overlays call SetWindowDisplayAffinity with the WDA_EXCLUDEFROMCAPTURE flag. This Windows API function tells the Desktop Window Manager to exclude the window from screen capture operations. Screenshots, screen recordings, remote desktop sessions, and screen-sharing applications all see a black rectangle where the overlay should be. If a victim tries to screenshot the suspicious prompt to send to their IT department or bank, the screenshot shows nothing. If an EDR product captures screen state during the event, the overlay is invisible.

The source tree (src/view/screens/b02/tokencel/window.rs) reveals bank-specific overlay templates. The b02 directory naming convention suggests a versioning scheme. The embedded overlay images -- created in Adobe Photoshop CC on February 27, 2026, at 13:24:40 UTC-3 -- are tailored social engineering prompts for Bradesco and Itau, requesting security tokens and phone numbers through convincing facsimiles of each bank's actual interface.

A companion module (src/monitors.rs) handles multi-monitor setups by deploying blackout overlays across all connected displays, ensuring the victim can only interact with the attacker's fake prompt.

The 24-Hour Lockout

After VENON captures credentials through its overlay windows, it does something ruthless: it locks the victim out of their bank for 24 hours.

The src/site_block.rs module manipulates the Windows hosts file, redirecting all domains for the targeted bank to 127.0.0.1. The blocks are bracketed with markers -- # VENON_BLOCK_START and # VENON_BLOCK_END -- and a timestamp file (block_24h.dat) tracks when the block was set. After 24 hours, the entries are automatically removed.

The targeted domains tell us which banks VENON was designed to attack:

Bank                | Blocked Domains
--------------------|---------------------------------------------------
Banco do Brasil     | bb.com.br, bancobrasil.com.br, aapj.bb.com.br
Bradesco            | bradesco.com.br, banco.bradesco.com.br
Caixa Economica     | caixa.gov.br, internetbanking.caixa.gov.br
Santander           | santander.com.br, santandernet.com.br
Itau Unibanco       | itau.com.br, bankline.itau.com.br
Safra               | safra.com.br, safranet.com.br
Sicoob              | sicoob.com.br, sicoobnet.com.br
Sicredi             | sicredi.com.br
Banesc/BFRB         | bfrb.com.br
Mercado Livre/Pago  | mercadolivre.com.br, mercadopago.com.br

Additional targets include Nubank, Inter/C6, BTG, PagBank, PicPay, and Original.

Why 24 hours? Because it gives the attacker time to drain the account. The victim can't check their balance, can't see the unauthorized transactions, can't initiate a freeze. They can call the bank by phone, but by the time a phone agent investigates and escalates, the money has moved through the PIX network -- which settles in seconds -- and into a chain of mule accounts.
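A hosts-file scan for this lockout, as an added example that is not VENON's code or the report authors' tooling. It looks for the VENON_BLOCK_START / VENON_BLOCK_END markers and, separately, for any entry that pins one of the banking domains in the table above, since a later build could drop the markers or point the domains at an attacker address instead of loopback. The hosts content it runs on is constructed; on a real Windows host pass the path C:\Windows\System32\drivers\etc\hosts.

```python
import sys
from typing import Dict, List, Tuple

# Domains from the block list above (bank entries only; subdomains match too).
BANK_DOMAINS = (
    "bb.com.br", "bancobrasil.com.br", "bradesco.com.br", "caixa.gov.br",
    "santander.com.br", "santandernet.com.br", "itau.com.br", "safra.com.br",
    "safranet.com.br", "sicoob.com.br", "sicoobnet.com.br", "sicredi.com.br",
    "bfrb.com.br", "mercadolivre.com.br", "mercadopago.com.br",
)
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
MARKERS = ("# VENON_BLOCK_START", "# VENON_BLOCK_END")


def is_bank_domain(host: str) -> bool:
    """True for a listed bank domain or any subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BANK_DOMAINS)


def scan_hosts(text: str) -> Dict[str, List[Tuple]]:
    """Return VENON markers and every hosts entry that pins a bank domain.
    Loopback/unspecified targets are a lockout; anything else is a redirect."""
    findings: Dict[str, List[Tuple]] = {"markers": [], "blocked": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.upper() in MARKERS:
            findings["markers"].append((lineno, line))
            continue
        body = line.split("#", 1)[0].split()  # drop trailing comments
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        for name in names:
            if is_bank_domain(name):
                kind = "lockout" if ip in SINKHOLE_IPS else "redirect"
                findings["blocked"].append((lineno, kind, ip, name))
    return findings


# Constructed hosts file: a stock header, an ad blocker entry, a VENON block
# and one invented pharming entry (203.0.113.7 is a documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
# VENON_BLOCK_START
127.0.0.1 itau.com.br
127.0.0.1 bankline.itau.com.br
127.0.0.1 bb.com.br aapj.bb.com.br
# VENON_BLOCK_END
203.0.113.7 internetbanking.caixa.gov.br   # constructed redirect
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    result = scan_hosts(content)
    for lineno, marker in result["markers"]:
        print(f"line {lineno}: marker {marker}")
    for lineno, kind, ip, name in result["blocked"]:
        print(f"line {lineno}: {kind} {name} -> {ip}")
```

The marker check is the cheap, exact match for this family; the domain check is what survives a rebuild. Pair it with a file-integrity alert on the hosts file itself and with the block_24h.dat timer file, so the finding is raised while the 24-hour window is still open rather than after the entries have been cleaned up.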

The NVIDIA Impersonation

Persistence is where malware developers reveal their paranoia. VENON uses three independent persistence mechanisms, all disguised as NVIDIA services:

  1. Scheduled Task: NVIDIA Notification Service -- triggers at logon, runs at highest privilege level
  2. Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Notification
  3. WMI Event Subscription: NVIDIAFilter / NVIDIAConsumer -- the most resilient of the three, surviving even if the scheduled task and registry key are removed

The malware installs itself to %LOCALAPPDATA%\NVIDIA Corporation\NVIDIA Notification\%COMPUTERNAME%\NVIDIANotification.exe. On any system with an NVIDIA GPU -- which is most Windows desktops and gaming laptops in Brazil -- this path looks entirely legitimate. NVIDIA's actual notification service installs to a similar location. A user browsing their AppData would see an NVIDIA folder and move on.

The mutex names follow the same pattern: Global\NvContainerMutex_* and Local\NvContainerMutex_*, mimicking NVIDIA's real NvContainer service.

The Evasion Stack

VENON's evasion capabilities are where the Rust rewrite pays its dividends. This isn't a Delphi banker calling IsDebuggerPresent and hoping for the best. This is a methodical, layered approach to defeating endpoint security:

NTDLL Unhooking: VENON loads a clean copy of ntdll.dll from disk and remaps the .text section over the in-memory copy. EDR products work by hooking Windows API functions in ntdll.dll -- intercepting calls to monitor behavior. By replacing the hooked code with pristine copies, VENON removes every hook in a single operation. The EDR's monitoring disappears.

Indirect Syscalls: After unhooking, VENON doesn't even call ntdll functions normally. It resolves syscall numbers dynamically and invokes NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx via indirect syscall stubs. This bypasses any remaining usermode hooks and evades syscall-based detection that watches for direct syscall instructions from non-ntdll memory regions.

AMSI Bypass: The Anti-Malware Scan Interface is patched. AmsiScanBuffer -- the function Windows calls to submit content for scanning -- is neutralized, preventing any AMSI-aware security product from inspecting VENON's in-memory operations.

ETW Patching: Event Tracing for Windows is disabled, cutting off the telemetry pipeline that feeds Windows Defender, Sysmon, and third-party EDR products. Without ETW events, behavioral detections that rely on process creation chains, API call sequences, and .NET assembly loads go blind.

Anti-Debug: Standard checks via IsDebuggerPresent and NtSetInformationThread with HideFromDebugger, preventing analysts from attaching debuggers to the running process.

This is the full offensive security playbook -- the same techniques documented in red team frameworks like Havoc and Sliver -- implemented in a banking trojan. The Brazilian malware ecosystem has caught up to nation-state tradecraft.

Encrypted C2 Over WebSocket

VENON's command-and-control communication uses WebSocket over TLS (wss://), encrypted with ChaCha20/XChaCha20 using Argon2 key derivation. The TLS layer uses rustls with certificate pinning -- a hardcoded CERT_PIN value prevents MITM interception even on networks with corporate TLS inspection.

The C2 configuration isn't hardcoded. The src/config/remote.rs module implements fetch_remote_host(), which resolves the C2 address dynamically through a base64-encoded, encrypted payload. This means the C2 infrastructure can be rotated without recompiling the malware.

Upon initial connection, the malware authenticates with a LoginResponse (10-second timeout) and transmits a victim fingerprint via POST to ipinfo.io:

  • Hardware ID (HWID)
  • Public IP address
  • City, region, country
  • ISP/organization
  • Computer name
  • Windows version

The telemetry module (src/telemetry.rs) handles fingerprinting. The updater module (src/updater.rs) enables remote self-update -- the operator can push new versions without reinfecting victims.

The Swiss Upload

Four samples exist on MalwareBazaar. The earliest two appeared on March 17, 2026, with the latest pair uploaded on March 31. All four share the same core architecture but show iterative development:

SHA256              | Size    | First Seen | Imphash
--------------------|---------|------------|---------------------------------
dc7c8f5c...932d372d | 9.78 MB | 2026-03-31 | 4aceb040a1b535976549387ede600ab6
530e501f...56aebddb | 9.78 MB | 2026-03-31 | 4aceb040a1b535976549387ede600ab6
00dbe21b...e7cb578b | 9.74 MB | 2026-03-17 | f737f43305f5f8a5afbff8052e16e560
c482286a...68d75d72 | 4.70 MB | 2026-03-17 | 4936e85ab101212909cfd35492a0d277

The March 17 samples differ in imphash from the March 31 pair, indicating the import table was restructured between versions. The 4.70 MB variant is roughly half the size of the others -- possibly a stripped build or a variant without the overlay image resources.

The upload origin is notable: Switzerland. Brazilian banking trojans have historically been distributed from Brazilian IPs or via Brazilian hosting providers. A Swiss upload point suggests either the developer is operating from Europe, the distribution infrastructure spans continents, or -- perhaps most likely -- VENON is being tested against European security sandboxes as a precursor to expanding beyond Brazilian targets. The cryptocurrency swapper already targets global platforms. The PIX and boleto modules are Brazil-specific, but the architecture is modular enough to add SEPA or Faster Payments swappers with a new source file.

The Debug Breadcrumbs

Like most malware developers, VENON's author left traces:

  • Build path: C:\cargobr\ -- a Cargo (Rust's build tool) workspace with "br" in the name
  • Rust compiler: rustc build ded5c06cf21d2b93bffd5d884aa6e96434ee4234
  • Debug log: br_debug.log written to %USERPROFILE%\Desktop\ -- the developer's desktop debug output, left in the production build
  • Debug toggle: enable_log.txt -- presence of this file enables verbose logging
  • VBS artifacts: %TEMP%\itau_swap_*.vbs -- VBScript files used for Itau-specific social engineering
  • Overlay metadata: Adobe Photoshop CC, Windows, XMP ID xmp.iid:8553c373-1760-6346-96ec-3e37fb54f5cf
  • Language: Brazilian Portuguese throughout all strings and comments

The Photoshop metadata is particularly useful. The XMP instance ID is globally unique and would match across any other images created in the same Photoshop session. If the developer creates promotional material, documentation, or overlays for other banking targets using the same Photoshop installation, the metadata chain is traceable.

Indicators of Compromise

File Hashes

Primary Sample (March 31, 2026)

  • SHA256: dc7c8f5cb67148876617f387df095dcea8598726fe5599cc1d3bab18932d372d
  • SHA1: 43da340f3501b4ba664417d0ea2b8455280bbf68
  • MD5: f5a0faf233a32b9af424e6c12cad1588
  • SSDeep: 98304:mkbTzb3U7Vud/gdBV/lHtQ16Yurb85TkEhU84+hUFn6fdGuqnwn+npXFK:T3k4ITNw6IzU84AA6FG3nWmK

All Samples

SHA256                                                           | Imphash
-----------------------------------------------------------------|---------------------------------
dc7c8f5cb67148876617f387df095dcea8598726fe5599cc1d3bab18932d372d | 4aceb040a1b535976549387ede600ab6
530e501f3e0aa8a5e3a41a06b0ba4e159ea6cea258b71c644c0578b856aebddb | 4aceb040a1b535976549387ede600ab6
00dbe21b176bef396455459d7e8da3365397a47c9c54b4422a30f8dae7cb578b | f737f43305f5f8a5afbff8052e16e560
c482286a7fdfb64d308c197a4deabcd773b8b62d9e74d1d08fcfd02568d75d72 | 4936e85ab101212909cfd35492a0d277

Host-Based Indicators

Indicator        | Value
-----------------|-------------------------------------------------------------------------------
Install path     | %LOCALAPPDATA%\NVIDIA Corporation\NVIDIA Notification\%COMPUTERNAME%\
Executable       | NVIDIANotification.exe
DLL name         | libcef.dll (trojanized, 9.78 MB)
Scheduled task   | NVIDIA Notification Service
Registry key     | HKCU\...\Run\NVIDIA Notification
WMI filter       | NVIDIAFilter
WMI consumer     | NVIDIAConsumer
Mutex            | Global\NvContainerMutex_*, Local\NvContainerMutex_*
Hosts markers    | # VENON_BLOCK_START / # VENON_BLOCK_END
Debug log        | %USERPROFILE%\Desktop\br_debug.log
Debug toggle     | enable_log.txt
Block timer      | block_24h.dat
Telemetry flag   | hwid_sent.dat
VBS artifacts    | %TEMP%\itau_swap_*.vbs

MITRE ATT&CK

Tactic            | Technique                      | ID
------------------|--------------------------------|----------
Initial Access    | Supply Chain Compromise        | T1195.002
Execution         | Shared Modules                 | T1129
Execution         | VBScript                       | T1059.005
Execution         | PowerShell                     | T1059.001
Persistence       | Scheduled Task                 | T1053.005
Persistence       | Registry Run Keys              | T1547.001
Persistence       | WMI Event Subscription         | T1546.003
Defense Evasion   | DLL Side-Loading               | T1574.002
Defense Evasion   | Masquerading                   | T1036.005
Defense Evasion   | Disable Tools                  | T1562.001
Defense Evasion   | Debugger Evasion               | T1622
Credential Access | GUI Input Capture              | T1056.002
Credential Access | Clipboard Data                 | T1115
Discovery         | System Info Discovery          | T1082
Collection        | Input Capture                  | T1056
C2                | Web Protocols                  | T1071.001
C2                | Encrypted Channel              | T1573.001
C2                | Dynamic Resolution             | T1568
Impact            | Transmitted Data Manipulation  | T1565.002
Impact            | Financial Theft                | T1657

What This Means

VENON is a signal. Brazilian banking trojans have been treated as a regional nuisance for years -- high volume, low sophistication, geographically contained. VENON changes that calculus. A Rust-based trojan with indirect syscalls, NTDLL unhooking, hardware-accelerated overlays, and ChaCha20-encrypted C2 is not a regional nuisance. It's a modern implant that happens to target banks.

The cryptocurrency module spanning 21 chains and 28 platforms is geography-agnostic. The Swiss upload origin suggests the developer is already thinking beyond Brazilian borders. The modular source architecture -- separate files for PIX, boleto, and clipboard swapping -- means adding payment systems from other countries is a matter of writing a new module, not refactoring the codebase.

For defenders in Brazil: Monitor for VENON_BLOCK_START in hosts files. Alert on NVIDIA Notification Service scheduled tasks on machines without NVIDIA GPUs. Watch for SetWindowDisplayAffinity calls from unsigned DLLs. The 24-hour bank blocking is detectable and is the most reliable behavioral indicator -- no legitimate software modifies the hosts file to block banking domains.

For defenders globally: The imphashes, SSDeep hash, and XMP metadata ID above are tracking anchors. If VENON adds SEPA or Faster Payments modules, the core binary structure will be similar enough for fuzzy matching. The 209 fake CEF exports are a strong static signature -- legitimate libcef.dll files export real function implementations, not empty stubs.
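The export-table signature described here, and in the libcef.dll section earlier in the report, can be checked statically. The Python below is an added example, not part of the report or of the malware: it scores an export list by how many exports begin with a do-nothing stub (ret, xor eax,eax; ret, mov eax,imm32; ret) and by how many share a single code address. The two export tables it runs on are constructed (the four CEF names are the ones the report quotes; the RVAs, code bytes and cef_stub_N names are invented). The optional load_exports_with_pefile helper reads a real DLL with the third-party pefile module and is an assumption about that module's API, not something the report describes.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

Export = Tuple[str, int, bytes]  # (name, RVA, first code bytes at that RVA)

# Byte sequences that mean "this export does nothing" on x86/x64.
STUB_PATTERNS = (
    (b"\xc3", "ret"),
    (b"\x31\xc0\xc3", "xor eax,eax; ret"),
    (b"\x33\xc0\xc3", "xor eax,eax; ret"),
    (b"\x48\x31\xc0\xc3", "xor rax,rax; ret"),
    (b"\x48\x33\xc0\xc3", "xor rax,rax; ret"),
)


def stub_kind(code: bytes) -> Optional[str]:
    """Label the stub if the export's first instructions just return."""
    for pat, label in STUB_PATTERNS:
        if code.startswith(pat):
            return label
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:  # mov eax,imm32 ; ret
        return "mov eax,imm32; ret"
    return None


def analyze_exports(exports: List[Export], stub_threshold: float = 0.5,
                    share_threshold: float = 0.5) -> Dict:
    """Score an export table: fraction of stub bodies and the fraction of
    exports that resolve to one shared RVA (hundreds of names, one body)."""
    total = len(exports)
    stubs = [name for name, _, code in exports if stub_kind(code)]
    rva_counts = Counter(rva for _, rva, _ in exports)
    top_rva, top_count = rva_counts.most_common(1)[0] if rva_counts else (None, 0)
    stub_ratio = len(stubs) / total if total else 0.0
    share_ratio = top_count / total if total else 0.0
    return {
        "total": total,
        "stub_count": len(stubs),
        "stub_ratio": stub_ratio,
        "shared_rva": top_rva,
        "share_ratio": share_ratio,
        "suspicious": stub_ratio >= stub_threshold or share_ratio >= share_threshold,
    }


def load_exports_with_pefile(path: str, nbytes: int = 8) -> List[Export]:
    """Loader for a real DLL via the third-party `pefile` module (assumed
    API: DIRECTORY_ENTRY_EXPORT.symbols with name/address/forwarder/ordinal,
    and PE.get_data). Not needed for the constructed samples below."""
    import pefile
    pe = pefile.PE(path)
    if not hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
        return []
    out: List[Export] = []
    for sym in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        if sym.forwarder:  # forwarded exports have no local code to inspect
            continue
        name = sym.name.decode() if sym.name else f"ordinal_{sym.ordinal}"
        out.append((name, sym.address, pe.get_data(sym.address, nbytes)))
    return out


# Constructed export tables. The four names are CEF exports quoted in the
# report; every RVA, byte string and cef_stub_N name below is invented.
CEF_NAMES = ["cef_api_hash", "cef_browser_host_create_browser",
             "cef_command_line_create", "cef_cookie_manager_get_global_manager"]
FAKE_LIBCEF: List[Export] = (
    [(n, 0x1000 + 4 * i, b"\x33\xc0\xc3\xcc\xcc\xcc\xcc\xcc") for i, n in enumerate(CEF_NAMES)]
    + [(f"cef_stub_{i}", 0x2000, b"\xc3\xcc\xcc\xcc\xcc\xcc\xcc\xcc") for i in range(205)]
)  # 209 exports, 205 of them one shared `ret`
GENUINE_LIBCEF: List[Export] = [
    (n, 0x10000 + 0x200 * i, b"\x48\x89\x5c\x24\x08\x57\x48\x83")  # ordinary x64 prologue
    for i, n in enumerate(CEF_NAMES)
]

if __name__ == "__main__":
    for label, table in (("fake", FAKE_LIBCEF), ("genuine", GENUINE_LIBCEF)):
        print(label, analyze_exports(table))
```

The thresholds are heuristics to calibrate against a known-good libcef.dll from the same Chromium release, and forwarded exports are skipped because they carry no local code. As the report notes, diffing export names alone would not separate the two tables; only the bodies behind the names do.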

For the broader community: The gap between "Brazilian banker" and "sophisticated implant" just closed. When a Delphi-to-Rust rewrite includes the full red team evasion playbook, targets cryptocurrency across two dozen blockchains, and uploads from Switzerland, the geographic label stops being useful. VENON is what happens when the Brazilian cybercrime ecosystem adopts modern offensive engineering.

The build path says C:\cargobr\. The ambition says everywhere.


This investigation was conducted by Breakglass Intelligence's autonomous GHOST investigation system. All samples were sourced from MalwareBazaar. Sandbox analysis via CAPE Sandbox. All evidence was captured via passive methods.

Breakglass Intelligence | March 31, 2026
