
VENON Banking Trojan Targeting Latin America Rewritten in Rust Using AI

Researchers found VENON banking trojan, which targets Windows users and replicates the mechanics of known Latin American malware. Its key feature is…

AI-processed from CNews AI; edited by Hamidun News
Source: CNews AI. Collage: Hamidun News.

Researchers have described a new banking trojan, VENON, that targets Windows users and mimics the behavior of known Latin American malware. What sets it apart is that it is written in Rust, and its structure, according to analysts, points to active use of generative AI during development.

Why This Is Unusual

For the Latin American banking trojan segment, this approach is atypical. The region has long been dominated by families like Grandoreiro, Mekotio, and Coyote, typically written in Delphi. VENON nevertheless reproduces their key logic: it monitors active windows, replaces the user interface of banking pages, and intercepts Windows shortcuts.

Essentially, the attackers did not invent a new attack mechanism, but took a familiar model and ported it to a different technology stack. It is precisely the choice of Rust that makes this story notable. This language requires higher technical proficiency than a typical malware builder or quick assembly using familiar tools.

Researchers believe that the malware author understood how local banking attacks work, but relied on generative AI to recreate and expand this set of functions in Rust. This is no longer simply copying someone else's code, but a new way to quickly assemble mature malicious tools from familiar patterns.

How VENON Works

VENON's infection chain is multi-stage. According to researchers, the malware runs via DLL side-loading and can be delivered to victims through a ZIP archive and a PowerShell script. The ClickFix technique is also mentioned, where users are socially engineered into launching the malicious chain themselves. Once the DLL is loaded, it does not reveal itself immediately: it first inspects the environment and tries to confirm that it has not landed in a sandbox or under observation by security tools.

  • Checks whether the sample is running in a virtual environment
  • Uses indirect system calls to conceal activity
  • Attempts to bypass ETW and AMSI before executing the payload
  • Loads configuration from Google Cloud Storage and creates a task in the scheduler
  • Opens a WebSocket connection to the command server

Next, the malware moves to targeted activity. The DLL injects two Visual Basic scripts that intercept Windows system shortcuts; the report indicates they target the Itaú banking application. In parallel, VENON monitors browser window titles and active domains.

If a user opens one of the services of interest, the trojan overlays a fake layer on the screen and intercepts credentials. The target list includes 33 financial organizations and cryptocurrency platforms. Another detail is a built-in rollback mechanism.

After replacing shortcuts, the malware can restore them to their original state, presumably to hide traces of the attack. This does not make VENON a technological breakthrough, but shows that the author thought not only about data theft but also about covering tracks after the operation. This set of techniques makes the campaign more resilient: a victim may not immediately understand that their login to a bank or cryptocurrency service occurred through a spoofed interface.
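The rollback detail matters for detection: once the shortcuts have been restored, a point-in-time scan of the user's `.lnk` files finds nothing wrong, so the tampering can only be caught statefully, on the event stream, by noticing that a shortcut changed away from its baseline and later changed back. The script below is an added example (not VENON's code and not ZenoX's tooling) that sketches that correlation over a constructed, EDR-style event log. The event schema (`file_write`, `task_create`, `net_connect`), the process names, the paths and the hashes are all assumptions invented for the illustration; the scoring combines the shortcut tampering with the scheduled-task creation and outbound connection the article attributes to the same sample.

```python
"""Stateful detection of shortcut tampering followed by a rollback.

Added example, not code from the article or the malware. Assumes a generic
endpoint event stream where each record has a time counter `t`, a `kind`,
the acting `process`, and, for file writes, the `path` and a content `hash`.
The first hash seen for a shortcut is treated as its clean baseline; in a
real deployment that baseline should come from a known-good inventory.
"""
from collections import defaultdict

# Folders where user-facing shortcuts live (matched case-insensitively).
SHORTCUT_DIRS = ("\\desktop\\", "\\start menu\\", "\\quick launch\\")

# Constructed sample events; not real telemetry. "app.exe" stands in for the
# process hosting a side-loaded DLL, "c2.example.invalid" for its server.
SAMPLE_EVENTS = [
    {"t": 1, "kind": "file_write", "process": "explorer.exe",
     "path": "C:\\Users\\u\\Desktop\\Banco.lnk", "hash": "h-orig"},
    {"t": 2, "kind": "file_write", "process": "explorer.exe",
     "path": "C:\\Users\\u\\Desktop\\Mail.lnk", "hash": "m-orig"},
    {"t": 3, "kind": "file_write", "process": "app.exe",
     "path": "C:\\Users\\u\\Desktop\\Banco.lnk", "hash": "h-changed"},
    {"t": 4, "kind": "task_create", "process": "app.exe", "task": "Updater"},
    {"t": 5, "kind": "net_connect", "process": "app.exe",
     "dest": "c2.example.invalid:443"},
    {"t": 6, "kind": "file_write", "process": "app.exe",
     "path": "C:\\Users\\u\\Desktop\\Banco.lnk", "hash": "h-orig"},  # rollback
    {"t": 7, "kind": "file_write", "process": "editor.exe",
     "path": "C:\\Users\\u\\Documents\\notes.txt", "hash": "n1"},
    {"t": 8, "kind": "file_write", "process": "explorer.exe",
     "path": "C:\\Users\\u\\Desktop\\Mail.lnk", "hash": "m-new"},  # user edit
]


def is_user_shortcut(path):
    """True for .lnk files under the user's shortcut folders."""
    p = path.lower()
    return p.endswith(".lnk") and any(d in p for d in SHORTCUT_DIRS)


def analyze(events):
    """Return alerts for processes that changed user shortcuts, scored higher
    when the same process also created a scheduled task, opened a network
    connection, or restored the shortcut to its baseline (tamper-then-restore)."""
    baseline = {}   # shortcut path -> first hash seen (assumed clean)
    tampered = {}   # shortcut path -> process that moved it off baseline
    facts = defaultdict(lambda: {"shortcuts": set(), "rollback": set(),
                                 "task": False, "net": False})

    for ev in sorted(events, key=lambda e: e["t"]):
        kind, proc = ev["kind"], ev["process"]
        if kind == "file_write" and is_user_shortcut(ev["path"]):
            path, h = ev["path"], ev["hash"]
            if path not in baseline:
                baseline[path] = h          # first sighting establishes baseline
            elif h != baseline[path]:
                tampered[path] = proc       # content diverged from baseline
                facts[proc]["shortcuts"].add(path)
            elif path in tampered:
                # Back to the original hash after a change: the restore is
                # credited to whoever tampered, since that is the actor to hunt.
                facts[tampered.pop(path)]["rollback"].add(path)
        elif kind == "task_create":
            facts[proc]["task"] = True
        elif kind == "net_connect":
            facts[proc]["net"] = True

    alerts = []
    for proc, f in facts.items():
        if not f["shortcuts"]:
            continue                        # task/net alone is not interesting here
        score = 1 + int(f["task"]) + int(f["net"]) + (2 if f["rollback"] else 0)
        alerts.append({"process": proc, "score": score,
                       "shortcuts": sorted(f["shortcuts"]),
                       "rollback": sorted(f["rollback"]),
                       "scheduled_task": f["task"], "network": f["net"]})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Running it on the constructed log ranks `app.exe` first (shortcut changed, task created, outbound connection, then the shortcut restored), while the user's own edit of `Mail.lnk` through `explorer.exe` surfaces only as a low-score change. The point of the design is the `tampered` map: without it, the final write at `t=6` looks like a no-op, which is exactly what the rollback is meant to achieve.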

Why Generative AI Is Suspected

The generative AI hypothesis did not emerge from a single obvious marker, but from the overall project structure. ZenoX analysts believe that the developer clearly modeled known regional banking trojans, but used AI to port this logic to Rust and expand the functionality. In other words, the author was not a complete novice, but some of the engineering work could have been accelerated through LLMs and what is called vibe coding.

Linking VENON to a specific cybercrime group has not yet been possible. In an early sample dated January 2026, researchers found an artifact with the username byst4, but this is insufficient for confident attribution. For the cybersecurity market, a different conclusion is more important: generative models are already helping not only to write harmless utilities and prototypes, but also to package malicious logic in a more modern and less familiar stack for analysts.

What It Means

The VENON story shows that AI lowers the barrier to entry even for complex malware projects, but does not eliminate the need for knowledge of attack tactics. For defenders, this is a signal to strengthen behavioral analysis, pay closer attention to Rust components, and account for the fact that the next wave of banking trojans may be assembled faster than classical signatures are updated.

ZK
Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.
