ClickFix Campaign Generated Via AI Delivers SmartRAT
In March 2026, threat actors used AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign used ClickFix techniques with fake CAPTCHA and BSOD screens to trick victims into running malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan capable of encrypted command-and-control communications, remote control of user input devices, credential theft via keylogging and banking overlays, and QR code interception for transaction fraud. The malware persists through scheduled tasks and Windows services. The campaign targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The attackers' command-and-control panel had critical authentication flaws allowing client-side bypass, indicating poor security review before deployment.
AI Analysis
Technical Summary
This threat involves a malware campaign leveraging AI-generated typosquatting domains mimicking a Brazilian bank to deliver SmartRAT, a PowerShell-based banking trojan. The campaign uses ClickFix social engineering techniques presenting fake CAPTCHA and BSOD screens to deceive victims into executing malicious PowerShell commands. SmartRAT features encrypted C2 communications, remote control of screen, keyboard, and mouse, credential theft through keylogging and banking overlays, and QR code interception to facilitate transaction fraud. It establishes persistence via scheduled tasks and Windows services. The campaign specifically targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. Additionally, the attackers' C2 infrastructure contained critical authentication vulnerabilities allowing client-side bypass, suggesting the malware was deployed without adequate security controls. No CVE or patch information is available for this threat.
Potential Impact
The malware enables attackers to remotely control infected systems, steal banking credentials, intercept QR codes for fraudulent transactions, and maintain persistence on victim machines. This compromises the confidentiality and integrity of financial data and transactions for targeted Brazilian institutions and users. The critical authentication flaws in the C2 panel could potentially allow unauthorized access or disruption of the attackers' infrastructure, but this does not mitigate the threat to victims. There are no known exploits in the wild beyond this campaign, and no official patches or fixes are available.
Mitigation Recommendations
No official patch or remediation is available for this threat. Organizations and users should be aware of typosquatting domains impersonating trusted banks and avoid executing unsolicited PowerShell commands or interacting with suspicious CAPTCHA or BSOD screens. Monitoring for indicators of compromise such as the listed domains, IPs, and file hashes can aid detection. Given the lack of vendor advisories or fixes, defensive measures should focus on user education, network monitoring, and endpoint detection to identify and block SmartRAT infections.
Affected Countries
Brazil
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat
- Adversary: null
- Pulse Id: 6a32e5873cf59d36f41c77be
- Threat Score: null
Threat ID: 6a3304f8f198dc38c102561d
Added to database: 6/17/2026, 8:35:04 PM
Last enriched: 6/17/2026, 8:49:59 PM
Last updated: 6/17/2026, 9:35:42 PM