Inside Banana RAT: From Build Server to Banking Fraud
Banana RAT is a Brazilian banking trojan operated by the SHADOW-WATER-063 threat cluster. It uses a FastAPI-based polymorphic payload generation system to create unique builds that evade detection. The malware employs layered obfuscation, AES encryption, and fileless PowerShell execution. It enables operator-driven financial fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception. The trojan specifically targets 16 Brazilian banks and crypto exchanges, with all operator tools in Brazilian Portuguese, indicating a financially motivated actor within the Tetrade banking trojan ecosystem. No known exploits in the wild or patches are documented. The threat is assessed as medium severity based on its targeted financial fraud capabilities.
AI Analysis
Technical Summary
Banana RAT is a sophisticated Brazilian banking trojan linked to the SHADOW-WATER-063 cluster. It features a FastAPI-based polymorphic payload generation system that produces hash-unique builds to avoid detection. The malware uses layered obfuscation techniques, AES-wrapped payloads, and fileless PowerShell execution to maintain stealth. Once deployed, it facilitates operator-driven fraud through multiple capabilities including remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception. The trojan exclusively targets 16 Brazilian banks and cryptocurrency exchanges. Operator artifacts are in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem. Indicators include domains, IP addresses, URLs, and file hashes associated with the malware infrastructure. There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.
Potential Impact
The malware enables financially motivated fraud targeting Brazilian banks and crypto exchanges by allowing attackers to remotely control infected systems, capture keystrokes, stream screens, overlay fake banking interfaces, and intercept Pix QR codes. This can lead to unauthorized transactions and financial theft from victims. The targeting is highly specific to Brazilian financial institutions, increasing the risk to customers of those entities. There is no evidence of widespread exploitation beyond this targeted scope.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this is malware with no direct patch, mitigation should focus on detection and removal using updated endpoint protection solutions capable of identifying polymorphic payloads and fileless PowerShell activity. Network defenses should monitor and block known malicious domains, IPs, and URLs associated with the threat. User education on phishing and suspicious downloads is recommended to reduce infection risk. No official fix or vendor advisory is currently available.
Indicators of Compromise
- domain: windowsk-cdn.com
- ip: 162.141.111.227
- domain: c.windowsk-cdn.com
- hash: 38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f
- hash: 4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1
- hash: d7545b6dacebdae27effb3c778c5e349027ec789c76ae4f777bd9ba56a70cdaa
- hash: ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f
- url: http://24.199.90.58/payload.php
- url: http://24.199.90.58:80/payload.php
- url: https://convitemundial2026.com/Consultar_NF-e.bat
- domain: convitemundial2026.com
Inside Banana RAT: From Build Server to Banking Fraud
Description
Banana RAT is a Brazilian banking trojan operated by the SHADOW-WATER-063 threat cluster. It uses a FastAPI-based polymorphic payload generation system to create unique builds that evade detection. The malware employs layered obfuscation, AES encryption, and fileless PowerShell execution. It enables operator-driven financial fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception. The trojan specifically targets 16 Brazilian banks and crypto exchanges, with all operator tools in Brazilian Portuguese, indicating a financially motivated actor within the Tetrade banking trojan ecosystem. No known exploits in the wild or patches are documented. The threat is assessed as medium severity based on its targeted financial fraud capabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Banana RAT is a sophisticated Brazilian banking trojan linked to the SHADOW-WATER-063 cluster. It features a FastAPI-based polymorphic payload generation system that produces hash-unique builds to avoid detection. The malware uses layered obfuscation techniques, AES-wrapped payloads, and fileless PowerShell execution to maintain stealth. Once deployed, it facilitates operator-driven fraud through multiple capabilities including remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception. The trojan exclusively targets 16 Brazilian banks and cryptocurrency exchanges. Operator artifacts are in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem. Indicators include domains, IP addresses, URLs, and file hashes associated with the malware infrastructure. There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.
Potential Impact
The malware enables financially motivated fraud targeting Brazilian banks and crypto exchanges by allowing attackers to remotely control infected systems, capture keystrokes, stream screens, overlay fake banking interfaces, and intercept Pix QR codes. This can lead to unauthorized transactions and financial theft from victims. The targeting is highly specific to Brazilian financial institutions, increasing the risk to customers of those entities. There is no evidence of widespread exploitation beyond this targeted scope.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this is malware with no direct patch, mitigation should focus on detection and removal using updated endpoint protection solutions capable of identifying polymorphic payloads and fileless PowerShell activity. Network defenses should monitor and block known malicious domains, IPs, and URLs associated with the threat. User education on phishing and suspicious downloads is recommended to reduce infection risk. No official fix or vendor advisory is currently available.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.trendmicro.com/en_us/research/26/e/banana-rat.html"]
- Adversary
- SHADOW-WATER-063
- Pulse Id
- 6a0ce3af84b924ad15e27920
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainwindowsk-cdn.com | — | |
domainc.windowsk-cdn.com | — | |
domainconvitemundial2026.com | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip162.141.111.227 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f | — | |
hash4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1 | — | |
hashd7545b6dacebdae27effb3c778c5e349027ec789c76ae4f777bd9ba56a70cdaa | — | |
hashecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://24.199.90.58/payload.php | — | |
urlhttp://24.199.90.58:80/payload.php | — | |
urlhttps://convitemundial2026.com/Consultar_NF-e.bat | — |
Threat ID: 6a0e52dcba1db47362ca4f6b
Added to database: 5/21/2026, 12:33:32 AM
Last enriched: 5/21/2026, 12:48:44 AM
Last updated: 5/21/2026, 4:24:33 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.