Banana RAT Uses Exposed Payload Generator to Create Polymorphic Banking Malware
What happened
Malware researcher and threat hunter Moises Cerqueira found exposed Banana RAT infrastructure that revealed how the banking malware operation generates new payload variants on demand. ANY.RUN analysts used the exposed setup and sandbox detonations to compare two Banana RAT branches observed in late May and early June 2026.
The exposed public index was found on 198[.]245[.]53[.]26 and contained more than hosted malware files. It also exposed operational tooling, including servidor_completo_pool.py, a backend service designed to pre-generate malware payloads in batches, and ofuscador.py, an obfuscation script that rewrites PowerShell commands into scrambled character sequences reassembled at runtime.
That setup showed Banana RAT operators were not relying on a single static payload. Instead, the infrastructure could produce fresh, differently disguised malware variants, helping the operation evade simple signature and blocklist-based defenses. Banana RAT is a banking-oriented remote access trojan tied to Brazilian financial fraud, including attempts to steal banking credentials and interfere with payment transactions.
ANY.RUN’s comparison showed a clear evolution between the two branches. The older May version used fixed file names and Windows-update-style paths, including Microsoft-looking artifacts such as MicrosoftEdgeUpdateCore.exe. The newer June version moved to randomized installation folders and filenames, VBS-assisted persistence, hidden scheduled tasks running with system-level privileges, and encrypted WebSocket command-and-control using host-derived subdomains under testewin[.]com.
Who is affected
Financial institutions, payment providers, and users in regions targeted by Banana RAT are directly affected, especially where Brazilian banking and Pix-related fraud are relevant.
Enterprises may also be affected if employees receive Banana RAT lures, execute malicious scripts, or allow hidden PowerShell, VBS launchers, or scheduled task persistence to run on managed endpoints.
Security teams relying mainly on static indicators may face greater risk because the exposed builder shows the malware can regenerate payloads with changing filenames, paths, obfuscation, and C2 patterns.
Why CISOs should care
This case shows how banking malware operations are becoming more industrialized. The exposed infrastructure was not just a file server; it functioned like a production backend for generating new malware variants.
For CISOs, the payload generator matters because it weakens static defenses. If each victim or campaign can receive a differently named, differently obfuscated payload, blocking one filename, hash, or script pattern will not be enough.
The shift from static Microsoft-themed paths to randomized installation identifiers also shows active operator learning. The newer branch reduced stable forensic fingerprints and added more resilient persistence through VBS launchers and hidden scheduled tasks.
The command-and-control design also matters. By using encrypted WebSockets and host-derived subdomains, the malware makes simple IP or domain blocking less reliable unless defenders also monitor behavior, DNS patterns, SNI, scheduled task creation, and suspicious PowerShell execution.
3 practical actions
Hunt for hidden PowerShell and VBS persistence: Security teams should investigate hidden PowerShell execution, VBS launchers in
ProgramData, suspicious scheduled tasks, and unexpected Microsoft-looking folders or filenames.Block and monitor known infrastructure: Defenders should review traffic tied to
198[.]245[.]53[.]26,149[.]56[.]12[.]51,testewin[.]com,cdn.testewin[.]com, andc.windowns-cdn[.]com, while treating these as starting points rather than complete coverage.Build behavior-based detections: CISOs should prioritize detections for script-based staging, PowerShell obfuscation, runtime payload retrieval, host-derived C2 subdomains, WebSocket traffic to suspicious domains, and scheduled task creation running as SYSTEM.
Recent cybersecurity news:


