216.73.217.98

Inside Banana RAT: From Build Server to Banking Fraud

· Published 19/05/2026 22:26 · Modified 21/05/2026 00:37

Export JSON

Essential information

Published
19/05/2026 22:26
Modified
21/05/2026 00:37
Tags
2026-05-19 banana rat brazilian banking trojan casbaneiro chavecloak fastapi financial fraud grandoreiro guildma mekotio pix qr interception polymorphic payload powershell tetrade
Related entities
8 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware, 5 others

Description

An MDR investigation successfully mapped the complete operational infrastructure of , a operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated -based generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the banking trojan ecosystem.

External references