Published May 22, 2026 · Updated May 24, 2026

Banana RAT Banking Trojan Targets Brazilian Institutions via Fake NF-e Invoice Lures

A new banking trojan dubbed Banana RAT is targeting 16 major Brazilian financial institutions by disguising itself as legitimate electronic invoice files delivered through WhatsApp and phishing links.

A newly discovered banking trojan is targeting Brazilians by disguising itself as a legitimate electronic invoice. The malware, known as Banana RAT, uses fake NF-e (Nota Fiscal Eletrônica) documents to trick victims into running malicious batch files that quietly install a powerful remote access tool on their Windows systems. The campaign has been active and ongoing against Brazil's financial sector, and its level of sophistication clearly points to a well-organized, well-resourced threat actor operating behind it.

NF-e is Brazil's official electronic invoicing system, widely trusted and used by businesses across the country every day. Attackers are counting on that familiarity, sending lure files with the name "Consultar_NF-e.bat" through WhatsApp messages or phishing links. The goal is to make victims believe they are opening a routine tax document, when in reality they are handing attackers full and persistent control of their machines.

Researchers from Trend Micro's Managed Detection and Response (MDR) team identified the malware while investigating a live Brazilian banking trojan operation. They were able to recover both the attacker's server-side tooling and the client-side malware from compromised endpoints, giving them a rare and complete picture of the full attack chain. Trend Micro tracked this threat cluster as "SHADOW-WATER-063."

Banana RAT specifically targets 16 major Brazilian financial institutions, including Itaú, Bradesco, Santander, Caixa, and Banco do Brasil, as well as several Brazilian-localized cryptocurrency exchanges. By focusing exclusively on Brazil's financial sector, the threat actor has built a highly targeted operation that leaves virtually no room for accidental infections outside its intended victim pool.

The attack begins when a victim downloads and runs the malicious batch file, which triggers a hidden PowerShell command. That command silently fetches a small staging script from an attacker-controlled server, which then downloads an AES-256 encrypted payload called "msedge.txt." The payload is decrypted entirely in memory, meaning no unencrypted file ever touches the victim's hard drive, making it far harder for traditional security tools to detect any infection.

Once the payload runs, it establishes persistence by registering a hidden scheduled task that launches PowerShell every minute for up to 9,999 days. The malware disguises its files inside a directory path that mimics legitimate Microsoft diagnostic storage, designed to blend in completely with trusted system files. The polymorphic build pipeline also generates a completely byte-unique payload for every single victim request, making file-hash-based detection essentially useless against this campaign at scale.
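As an added example (not code from Trend Micro's report or from this page), a PowerShell hunt for the persistence pattern described above: scheduled tasks whose action runs PowerShell on a trigger that repeats every few minutes across a multi-year window. The thresholds and output fields are assumptions, not indicators taken from the campaign.

```powershell
# Added hunting example (not from Trend Micro's report): flags scheduled tasks whose
# trigger repeats every minute or so over a multi-year (or indefinite) window and whose
# action launches PowerShell, matching the persistence described for Banana RAT.
# Thresholds below are assumptions chosen for illustration.
$MaxIntervalMinutes = 5       # repeat interval at or below this is suspicious
$MinDurationDays    = 365     # repetition window at least this long is suspicious

function ConvertFrom-Iso8601Duration {
    # Task Scheduler stores repetition values as ISO 8601 durations, e.g. PT1M or P9999D.
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Value) } catch { return $null }
}

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    # Only tasks whose action executable is powershell.exe / pwsh.exe are of interest.
    $psActions = $task.Actions | Where-Object {
        $_.Execute -match '(powershell|pwsh)(\.exe)?$'
    }
    if (-not $psActions) { continue }

    foreach ($trigger in $task.Triggers) {
        if (-not $trigger.Repetition) { continue }
        $interval = ConvertFrom-Iso8601Duration $trigger.Repetition.Interval
        $duration = ConvertFrom-Iso8601Duration $trigger.Repetition.Duration
        if ($null -eq $interval) { continue }   # no repetition configured

        $tightLoop = $interval.TotalMinutes -le $MaxIntervalMinutes
        # An empty Duration with an Interval set means "repeat indefinitely".
        $longLived = ($null -eq $duration) -or ($duration.TotalDays -ge $MinDurationDays)

        if ($tightLoop -and $longLived) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Hidden   = $task.Settings.Hidden          # hidden tasks deserve a closer look
                Interval = $trigger.Repetition.Interval
                Duration = $trigger.Repetition.Duration
                Command  = ($psActions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Review each hit's Command column for download-and-decrypt-in-memory behaviour (encoded or web-fetching arguments) and for working directories under paths that imitate Microsoft diagnostic storage, which is where the report says the malware hides its files.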

Once active on a victim's machine, Banana RAT functions as a full-featured remote fraud and surveillance platform. It streams the victim's screen live to the operator, logs every keystroke, injects fake banking overlays that convincingly mimic real security update screens, and can intercept or replace Pix QR codes during live payment transactions. Pix is Brazil's central bank instant payment system, and the RAT includes a dedicated subsystem built exclusively for this payment rail.

The malware connects back to its command-and-control server on port 443 using a custom binary protocol encrypted with AES-256-CBC. It also uses a typosquatting domain designed to impersonate legitimate Microsoft CDN infrastructure, with hardcoded fallback IP addresses built in for redundancy if that domain is disrupted. Defenders are advised to block all identified network indicators at the perimeter, enable real-time behavioral monitoring on endpoints, and train users to be suspicious of any unexpected full-screen banking overlays or QR code prompts during active banking sessions.

Synthesized by Vypr AI