SmartRAT Delivered via AI-Generated Phishing Pages and PowerShell ClickFix Lure Targets Brazilian Banks
A campaign using AI-generated phishing pages and a fake Blue Screen of Death tricks Brazilian bank customers into running PowerShell commands that deliver the SmartRAT trojan.

A new cyberattack campaign is targeting Brazilian banking customers with a sophisticated blend of AI-generated phishing pages and PowerShell-based malware delivery. Researchers at Zscaler ThreatLabz, who identified the campaign in March 2026, report that attackers are using a fake website impersonating a well-known Brazilian bank to trick victims into installing SmartRAT, a full-featured remote access trojan. The attack chain relies on a ClickFix technique that presents a fake Blue Screen of Death to panic users into executing a malicious PowerShell command.
The phishing page first displays a fake Cloudflare CAPTCHA, then triggers a simulated system crash. Victims are told that running a specific command is the only way to recover, a social engineering tactic that exploits user urgency. The command, pasted into the Windows Run dialog, connects to a remote server at 64.95.13.238 and downloads a file called st.txt, which acts as a hidden dropper. This dropper fetches a second file, payload.php, containing an AES-encrypted PowerShell script that unpacks and executes SmartRAT.
SmartRAT is a fully featured remote access tool written entirely in PowerShell. Once installed, it can record keystrokes, capture screenshots, intercept QR codes, and display full-screen fake bank forms to steal credentials. The malware monitors browser windows for banking activity and alerts its operator when a victim opens a financial app or website. The attacker can then take over the screen, inject keystrokes, block victim input, and steal whatever data is entered.
The malware hides itself by disguising its files and scheduled tasks under Microsoft Edge update names, blending in with legitimate Windows processes. It attempts to escalate privileges by prompting for UAC approval and, if granted, installs itself as a Windows service running with SYSTEM privileges. Even if the user denies that request, SmartRAT persists through a hidden PowerShell process and a registry-based startup entry.
One striking discovery is that the attackers also used AI tools to build their command-and-control panel, a web interface used to manage infected machines. Researchers found the panel's login system was entirely client-side, meaning anyone could bypass it by simply setting two values in the browser's local storage. This basic security gap points to code written without proper review, a likely result of rushed, AI-assisted development.
The C2 panel, branded as MyGood PRO, gives operators a live dashboard of connected victims along with real-time command capabilities. Operators can stream a victim's screen, swap QR codes on banking pages to redirect payment transactions, and inject fake bank verification forms to harvest passwords. The platform targets more than a dozen Brazilian banks and payment services, showing this is a targeted and well-resourced operation.
To stay protected, users should be cautious of any website asking them to paste commands into their computer, even when the page looks like a legitimate bank or security prompt. Organizations should monitor for unusual PowerShell execution, unexpected scheduled tasks, and outbound connections to unknown IP addresses. Endpoint protection tools that flag script-based threats remain a critical line of defense against attacks like SmartRAT.
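The following hunting script turns the persistence traits described above (Edge-named scheduled tasks, a Run-key startup entry, a PowerShell-hosted service) and the server address from the article into local checks a defender can run. It is an added example for this page, not code from Zscaler ThreatLabz or from the campaign itself; the "Edge" name match and the hidden/encoded-argument heuristics are the editor's assumptions, so every hit needs manual review.

```powershell
# Added hunting script for SmartRAT-style persistence (editor's example, not Zscaler's code).
# Looks for PowerShell hosts launched from scheduled tasks, Run keys or services,
# especially when the entry borrows a Microsoft Edge update name as SmartRAT does.
$scriptHosts    = 'powershell\.exe|pwsh\.exe|powershell_ise\.exe'
$suspiciousArgs = '-(w|win|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s|-nop|-noprofile|-ep\s+bypass|downloadstring|iex'
$c2Address      = '64.95.13.238'   # dropper/payload server named in the article
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Command, $Reason) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Reason = $Reason })
}

# 1. Scheduled tasks: legitimate Edge update tasks do not run a script host, so an
#    Edge-named task whose action is powershell.exe (or any task hiding its window) is suspect.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $scriptHosts -and ($task.TaskName -match 'edge' -or $cmd -match $suspiciousArgs)) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd 'PowerShell action under Edge-style name or with hidden/encoded flags'
        }
    }
}

# 2. Registry Run keys: the fallback persistence SmartRAT uses when UAC elevation is denied.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        if ("$($p.Value)" -match $scriptHosts -and ($p.Name -match 'edge' -or "$($p.Value)" -match $suspiciousArgs)) {
            Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value 'PowerShell startup entry'
        }
    }
}

# 3. Services: SmartRAT installs as a SYSTEM service when the UAC prompt is approved.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $scriptHosts } | ForEach-Object {
    Add-Finding 'Service' $_.Name $_.PathName 'Service binary path launches a PowerShell host'
}

# 4. Live connections to the server from the article (process ID shown for triage).
Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Network' "PID $($_.OwningProcess)" "$($_.RemoteAddress):$($_.RemotePort)" 'Connection to known dropper server'
}

$findings | Format-Table -AutoSize -Wrap
```

Run from an elevated PowerShell session so HKLM, machine-wide tasks and all services are visible; an empty table means none of these heuristics fired, not that the host is clean.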