Banana RAT Campaign Exposed: Malware Builder Generates Fresh Variants on Demand
A recent discovery by researcher Moises Cerqueira has uncovered a sophisticated upgrade to Banana RAT, a remote access trojan (RAT) linked to Brazilian banking fraud. The malware’s operators are now using an exposed backend server to dynamically generate new, obfuscated variants in real time, evading traditional detection methods.
The exposed server, hosted at 198.245.53.26, functioned as a payload generator, running scripts like servidor_completo_pool.py to produce fresh malware batches. A secondary script, ofuscador.py, scrambled PowerShell commands into randomized sequences, ensuring each payload appeared unique while maintaining core malicious functionality.
Key Findings from the Campaign
-
Two Distinct Versions Detected: Researchers at ANY.RUN analyzed two Banana RAT variants one from late May 2026 and another from early June 2026 both originating from the same infrastructure.
- May Version: Used fixed file paths and a misspelled domain (c.windowns-cdn.com) to mimic legitimate Windows updates. Persistence relied on a scheduled task tied to a named executable (MicrosoftEdgeUpdateCore.exe).
- June Version: Adopted randomized file names and folders, a VBS launcher, and system-level scheduled tasks for persistence. Communication shifted to encrypted WebSocket channels with hashed, machine-specific subdomains (testewin.com), complicating domain-based blocking.
-
Shared Infrastructure: Both versions retained a fallback C2 IP (149.56.12.51), linking them to the same operation. The newer variant also resolved to Cloudflare edge IPs (104.21.39.172, 67.142.55) for command-and-control (C2) traffic.
Impact on Defenders
Banana RAT’s on-demand regeneration undermines blocklist-based defenses, as each infection appears distinct. The exposed server provided defenders with a rare, real-time view of malware evolution, offering insights into how attackers refine evasion techniques. The trojan’s primary focus remains stealing banking credentials and hijacking payment transactions, posing a direct threat to financial institutions and users.
Indicators of Compromise (IoCs)
Security teams are advised to monitor for:
- IPs:
198.245.53.26(staging server),149.56.12.51(fallback C2),104.21.39.172/67.142.55(Cloudflare C2). - Domains:
c.windowns-cdn.com(older),testewin.comand subdomains (newer). - Files:
Fatura-BtgPactual-22568.bat,msedgeupdate.txt,st.php.malw,payload_new.php.malw,c9dba5b0552d879be654.txt, andMicrosoftEdgeUpdateCore.exe.
The discovery highlights the growing sophistication of banking malware, where automated payload generation enables rapid adaptation to defensive measures.
Source: https://cybersecuritynews.com/banana-rat-uses-exposed-payload-generator/
ANY.RUN cybersecurity rating report: https://www.rankiteo.com/company/any-run
"id": "ANY1783528011",
"linkid": "any-run",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Banking, Financial Services',
'location': 'Brazil (primary target), global '
'(potential)',
'type': 'Financial institutions, banking customers'}],
'attack_vector': 'Exposed backend server (198.245.53.26), malicious scripts '
'(servidor_completo_pool.py, ofuscador.py), phishing '
'(malicious batch files)',
'data_breach': {'file_types_exposed': ['.bat', '.txt', '.php.malw', '.exe'],
'personally_identifiable_information': 'Yes (banking '
'credentials, '
'transaction data)',
'sensitivity_of_data': 'High (financial and PII data)',
'type_of_data_compromised': 'Banking credentials, payment '
'transaction data, personally '
'identifiable information (PII)'},
'date_detected': '2026-05',
'description': 'A recent discovery by researcher Moises Cerqueira has '
'uncovered a sophisticated upgrade to Banana RAT, a remote '
'access trojan (RAT) linked to Brazilian banking fraud. The '
'malware’s operators are now using an exposed backend server '
'to dynamically generate new, obfuscated variants in real '
'time, evading traditional detection methods. The exposed '
'server, hosted at 198.245.53.26, functioned as a payload '
'generator, running scripts like servidor_completo_pool.py to '
'produce fresh malware batches. A secondary script, '
'ofuscador.py, scrambled PowerShell commands into randomized '
'sequences, ensuring each payload appeared unique while '
'maintaining core malicious functionality.',
'impact': {'data_compromised': 'Banking credentials, payment transaction data',
'identity_theft_risk': 'High (PII and financial data theft)',
'operational_impact': 'Potential unauthorized access to financial '
'systems, transaction hijacking',
'payment_information_risk': 'High (payment transaction hijacking)',
'systems_affected': 'Windows systems (via malicious executables '
'and scheduled tasks)'},
'initial_access_broker': {'backdoors_established': 'Scheduled tasks (May: '
'MicrosoftEdgeUpdateCore.exe; '
'June: randomized VBS '
'launcher)',
'entry_point': 'Exposed backend server '
'(198.245.53.26), phishing '
'(malicious batch files)',
'high_value_targets': 'Banking customers, financial '
'institutions'},
'investigation_status': 'Ongoing (malware variants analyzed, IoCs published)',
'lessons_learned': 'Banana RAT’s on-demand regeneration undermines '
'blocklist-based defenses, highlighting the need for '
'behavior-based detection and real-time monitoring of '
'malware evolution.',
'motivation': 'Financial gain (banking fraud, credential theft, payment '
'hijacking)',
'post_incident_analysis': {'corrective_actions': 'Implement behavior-based '
'detection, monitor '
'WebSocket traffic, enhance '
'phishing awareness, and '
'block IoCs.',
'root_causes': 'Exposed backend server used for '
'dynamic malware generation, lack '
'of behavior-based detection for '
'randomized payloads, reliance on '
'blocklist-based defenses.'},
'recommendations': ['Monitor for IoCs (IPs: 198.245.53.26, 149.56.12.51, '
'104.21.39.172, 67.142.55; domains: c.windowns-cdn.com, '
'testewin.com; files: Fatura-BtgPactual-22568.bat, '
'msedgeupdate.txt, st.php.malw, payload_new.php.malw, '
'c9dba5b0552d879be654.txt, MicrosoftEdgeUpdateCore.exe).',
'Implement behavior-based detection to counter evasion '
'techniques like randomized payloads and encrypted C2 '
'channels.',
'Enhance monitoring of WebSocket traffic and hashed '
'subdomains for C2 communication.',
'Educate users on phishing risks, especially malicious '
'batch files and fake update domains.'],
'references': [{'source': 'Moises Cerqueira (Researcher)'},
{'source': 'ANY.RUN (Malware Analysis)'}],
'response': {'enhanced_monitoring': 'Monitoring for IoCs (IPs, domains, '
'files)',
'third_party_assistance': 'ANY.RUN (malware analysis)'},
'threat_actor': 'Brazilian cybercriminals (linked to Banana RAT)',
'title': 'Banana RAT Campaign Exposed: Malware Builder Generates Fresh '
'Variants on Demand',
'type': 'Malware (RAT)'}