Banana RAT Evolves with Exposed Payload Generator, Evading Detection
The Banana RAT banking trojan is leveraging an exposed backend server to generate polymorphic malware variants, significantly complicating detection and defense efforts.

A sophisticated campaign centered around the Banana RAT banking trojan has been observed employing a novel evasion technique: an exposed backend server that actively generates polymorphic malware variants. This discovery, made by Any.Run analysts, reveals a dynamic approach to malware development, where threat actors can rapidly create new, obfuscated payloads on demand, making traditional signature-based detection methods increasingly ineffective.
The exposed infrastructure was found through routine internet scanning, revealing not just static malware samples but a fully functional delivery platform. This platform includes a payload generator and an obfuscation script, enabling the creation of diverse malware versions. Researchers were able to track the evolution of Banana RAT by analyzing two distinct samples detonated within weeks of each other, showcasing the threat actor's agility in adapting their tools.
This method of on-the-fly malware generation presents a significant challenge for cybersecurity defenses. The exposed server, identified at IP address 198.245.53.26, hosted tooling capable of producing new, differently disguised payloads. This allows the operators to continuously alter the malware's appearance and behavior, effectively sidestepping blocklist-based defenses that rely on known signatures.
Analysis of the two observed Banana RAT versions highlighted key differences in their evasion tactics. The earlier sample, from late May 2026, used predictable file names and folder paths mimicking legitimate Windows components, along with a lookalike domain. In contrast, the newer version, seen in early June, adopted a more robust evasion strategy. It features randomly generated installation folders and file names, and its persistence mechanism shifted to a VBS launcher coupled with a hidden scheduled task running with system privileges.
Furthermore, communication with the command-and-control (C2) servers has been upgraded. The newer Banana RAT variant utilizes an encrypted WebSocket channel, with C2 addresses constructed from unique hashed identifiers for each infected computer. This dynamic communication method, often routed through services like Cloudflare, makes simple domain or IP blocking far less effective than in previous campaigns.
Despite these significant changes, a crucial link between the older and newer branches was discovered: a fallback IP address embedded in the code, directly connecting the evolving infrastructure. This continuity provides defenders with a vital thread to follow, even as the malware itself morphs.
Security teams are advised to implement broader detection strategies beyond simple blocklists. Monitoring for suspicious scheduled tasks, scrutinizing unexpected PowerShell activity, and blocking the identified indicators of compromise are crucial steps. The continuous evolution of Banana RAT underscores the need for adaptive security measures that can detect behavioral anomalies rather than relying solely on static signatures.
The ability of threat actors to maintain and evolve such a sophisticated malware operation through readily available, albeit exposed, infrastructure highlights a growing trend in cybercrime. This incident serves as a stark reminder of the constant arms race between attackers and defenders, emphasizing the importance of proactive threat hunting and rapid response capabilities.