Banana RAT: banking trojan targets customers of 16 Brazilian banks and exchanges


TrendMicro researchers reported in April 2026 a sophisticated malware campaign, developed by Brazilian operators, against the country’s financial institutions. The banking trojan, named Banana RAT and tracked as SHADOW-WATER-063, specifically targets 16 Brazilian banks and cryptocurrency exchanges, combining in-memory infection with real-time fraud techniques.

The analysis revealed a multi-stage architecture that begins with a malicious file disguised as an electronic tax document (NF-e), distributed via WhatsApp and phishing links. The operators especially target corporate users familiar with the Brazilian electronic invoicing system, using file names such as “Consultar_NF-e.bat” to disguise the threat.

Six-step infection chain

The infection process follows a well-structured flow. When the victim executes the .bat file, a hidden PowerShell command is fired immediately. This command downloads a second stage named “msedge.txt” from a remote server and keeps all of the code running in volatile memory (RAM), so that no decoded copy is ever written to disk.

The operators’ infrastructure is sophisticated. They use FastAPI-based servers that apply nine layers of obfuscation to each payload. The system maintains a pool of 100 to 200 unique pre-generated builds, and each victim request consumes a different file.


This means that every download has a unique hash, so traditional signature-based detection, which matches on file hashes, fails completely against this strategy. During the analysis, researchers found four parallel threads constantly generating new payloads to keep the pool full, ensuring that signature-based antivirus cannot identify the threat. The behaviour does not change from build to build, however: every variant is still a .bat file that spawns a hidden PowerShell process to fetch and run a remote script in memory, and that pattern is what endpoint detection should key on.

Full remote control and real-time fraud

Once active, Banana RAT provides full remote access. The operator can stream the victim’s screen in real time as JPEG frames; capture works across multiple monitors and respects resolution settings. The malware injects mouse and keyboard input through Win32 APIs and can freeze the victim’s own input with the BlockInput function while operating the machine remotely.

A keylogger based on GetAsyncKeyState captures all keystrokes into a circular buffer of 2,000 entries. All client-server communication uses AES-256-CBC, with the key derived from a fixed master key via SHA-256. Because that master key is hardcoded, anyone holding a sample can derive the same key and decrypt captured traffic, which helps analysts as much as it helps the operators. The server’s analytics panel tracks downloads by country, time and operating system; all recorded access came from Brazil.

The main fraud technique is a full-screen overlay. When the victim opens a banking website, the malware displays a fake security-update message reading “Security update required. DO NOT TURN OFF YOUR COMPUTER”. The fake screen shows a progress animation with four simulated steps while the operator performs unauthorized transfers in the real, authenticated banking session running behind it.

Dedicated subsystem for Pix and QR code interception

The malware implements a subsystem specific to Pix, using the ZXing.NET library to detect and decode QR codes on screen. When the victim tries to pay a bill via QR code, the malware replaces the code’s data so that the money goes straight to the criminals’ accounts. This functionality exists exclusively for the Brazilian market, since its target is Pix, the Brazilian central bank’s instant payment system, which is not present in other countries.
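To make concrete what “replaces the code’s data” means, the following Python is an added example, not code from the TrendMicro report or from the malware: a parser and builder for the static Pix “BR Code” payload that those QR codes carry. The field layout (EMV Merchant-Presented QR TLV: 26/00 GUI and 26/01 Pix key, 54 amount, 59/60 receiver name and city, 62/05 transaction id, 63 CRC-16/CCITT-FALSE over everything up to and including “6304”) follows the published Banco Central do Brasil specification; the payee data and the hypothetical attacker key are constructed for the demo. `swap_receiver` shows the substitution an on-screen QR swap amounts to and why the CRC does nothing to stop it; `differing_fields` is the comparison that does catch it.

```python
def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection, no XOR-out),
    the checksum a Pix BR Code carries in field 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def tlv_parse(payload: str) -> dict:
    """Split an EMV-style TLV string (2-digit tag, 2-digit length, value) into a dict."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], payload[i + 2:i + 4]
        if not (len(tag) == 2 and length.isdigit()):
            raise ValueError(f"malformed TLV at offset {i}")
        value = payload[i + 4:i + 4 + int(length)]
        if len(value) != int(length):
            raise ValueError(f"truncated value for tag {tag}")
        fields[tag] = value
        i += 4 + int(length)
    return fields


def tlv_build(fields) -> str:
    return "".join(f"{tag}{len(value):02d}{value}" for tag, value in fields)


def build_brcode(pix_key, name, city, amount, txid="***"):
    """Assemble a static Pix BR Code.  Field 26 carries the GUI and the receiver's
    Pix key; 54 the amount; 59/60 the receiver name and city (capped at 25 and 15
    characters by the spec); 62/05 the transaction id; 63 the CRC over everything
    up to and including '6304'."""
    merchant = tlv_build([("00", "br.gov.bcb.pix"), ("01", pix_key)])
    body = tlv_build([
        ("00", "01"), ("26", merchant), ("52", "0000"), ("53", "986"),
        ("54", amount), ("58", "BR"), ("59", name[:25]), ("60", city[:15]),
        ("62", tlv_build([("05", txid)])),
    ]) + "6304"
    return body + f"{crc16_ccitt(body.encode()):04X}"


def verify_crc(payload: str) -> bool:
    return payload[-8:-4] == "6304" and payload[-4:] == f"{crc16_ccitt(payload[:-4].encode()):04X}"


def pix_key(payload: str) -> str:
    """Receiver's Pix key, nested inside field 26."""
    return tlv_parse(tlv_parse(payload)["26"])["01"]


def swap_receiver(payload, attacker_key, attacker_name):
    """What the on-screen QR swap amounts to: keep amount, city and txid so the
    confirmation screen looks familiar, point key and name at the attacker, and
    recompute the CRC.  The result validates exactly like the original, because
    the CRC detects transmission errors, not substitution."""
    f = tlv_parse(payload)
    txid = tlv_parse(f["62"])["05"] if "62" in f else "***"
    return build_brcode(attacker_key, attacker_name, f["60"], f["54"], txid)


def differing_fields(a, b):
    """Top-level fields that differ between two codes, ignoring the CRC (63),
    which any builder recomputes.  Comparing what the payment app displays
    (receiver name and key) with the code the biller actually issued is the
    check that catches a swap."""
    pa, pb = tlv_parse(a), tlv_parse(b)
    return {t for t in set(pa) | set(pb) if t != "63" and pa.get(t) != pb.get(t)}


if __name__ == "__main__":
    # Constructed payee data; the attacker key is hypothetical.
    original = build_brcode("pagamentos@empresa.example", "EMPRESA EXEMPLO LTDA",
                            "SAO PAULO", "150.00", "NFE2026")
    swapped = swap_receiver(original, "fraude@mule.example", "MULE LTDA")
    print("original valid:", verify_crc(original), "key:", pix_key(original))
    print("swapped valid: ", verify_crc(swapped), "key:", pix_key(swapped))
    print("fields changed:", differing_fields(original, swapped))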

The researchers found a hardcoded list of 16 targets directly in the frontend source code. All are Brazilian financial institutions or cryptocurrency exchanges serving the domestic market; the banks named include:

  • Itaú
  • Bradesco
  • Santander Brasil
  • Caixa
  • Banco do Brasil
  • Safra
  • Banrisul
  • Daycoval
  • Sicoob
  • Sicredi

Builder signature and continuous development

Analysis of the infrastructure revealed consistent fingerprints. The polymorphism engine stamps each payload with the header “PROTECTED SCRIPT v4.0. Projeto Banana (MSEDGE EDITION)”. The edition qualifier and version number suggest a product line that is being updated continuously by its developers. That header is also the one string that survives the per-build polymorphism unchanged, which makes it a far more durable detection handle than any file hash.
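The build pool from the infection-chain section and the invariant header above can be modelled together. The following Python is an added example, not the operators’ FastAPI server nor TrendMicro’s analysis tooling: it generates per-request builds of a constructed placeholder stage wrapped in nine base64 layers (a stand-in for the real obfuscation, whose details the report does not give), serves them from a pool that is topped up as it drains, and then runs three detectors over the downloads. A hash blocklist built from the one captured sample misses every other build; the header string and a normalized hash of the unwrapped core match all of them. Pool sizes are shrunk from the reported 100 to 200 so the demo runs quickly, and the refill is a single thread where the report describes four.

```python
import base64
import hashlib
import random
import re
import string
from collections import deque

# Invariant marker the builder stamps on every payload, as reported in the analysis.
HEADER = "# PROTECTED SCRIPT v4.0. Projeto Banana (MSEDGE EDITION)"
LAYERS = 9
# Constructed stand-in for the second stage; the real msedge.txt is not reproduced.
CORE = "Write-Host 'stage-2 placeholder'"


def _ident(rng):
    """Random PowerShell variable name, different in every build."""
    return "$" + "".join(rng.choices(string.ascii_letters, k=rng.randint(6, 12)))


def wrap_layer(stage, rng):
    """One toy obfuscation layer: base64 the previous stage and emit a decode
    stub with a random variable name and a random junk comment."""
    enc = base64.b64encode(stage.encode()).decode()
    var = _ident(rng)
    junk = "".join(rng.choices(string.ascii_letters + string.digits, k=rng.randint(4, 16)))
    return (f"# {junk}\n"
            f"{var} = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{enc}'))\n"
            f"Invoke-Expression {var}\n")


def build(seed):
    """Produce one unique build: CORE wrapped in LAYERS layers, stamped with HEADER."""
    rng = random.Random(seed)
    stage = CORE
    for _ in range(LAYERS):
        stage = wrap_layer(stage, rng)
    return HEADER + "\n" + stage


class BuildPool:
    """Pre-generated builds: every request consumes one, and the pool is
    topped up whenever it drops below the low-water mark."""

    def __init__(self, low=100, high=200, seed=0):
        self.low, self.high = low, high
        self._rng = random.Random(seed)
        self._pool = deque()
        self.refill()

    def refill(self):
        while len(self._pool) < self.high:
            self._pool.append(build(self._rng.getrandbits(64)))

    def serve(self):
        script = self._pool.popleft()
        if len(self._pool) < self.low:
            self.refill()
        return script


_B64_STUB = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def peel(script):
    """Statically unwrap the base64 layers back to the core: the normalized
    form a detector should hash instead of the delivered file."""
    stage = script
    while (m := _B64_STUB.search(stage)):
        stage = base64.b64decode(m.group(1)).decode()
    return stage


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def hash_blocklist_hits(samples, blocklist):
    """Classic IOC matching: delivered file hash against a blocklist."""
    return sum(sha256(s) in blocklist for s in samples)


def marker_hits(samples):
    """Content match on the builder's invariant header."""
    return sum(HEADER in s for s in samples)


def normalized_hits(samples, core_hash):
    """Hash of the unwrapped core, which all builds share."""
    return sum(sha256(peel(s)) == core_hash for s in samples)


def demo(downloads=20):
    """Serve `downloads` victim requests and compare the three detectors."""
    pool = BuildPool(low=5, high=10)
    samples = [pool.serve() for _ in range(downloads)]
    blocklist = {sha256(samples[0])}  # the one sample a vendor managed to collect
    return {
        "unique_hashes": len({sha256(s) for s in samples}),
        "blocklist_hits": hash_blocklist_hits(samples[1:], blocklist),
        "marker_hits": marker_hits(samples),
        "normalized_hits": normalized_hits(samples, sha256(CORE)),
    }


if __name__ == "__main__":
    print(demo())
```

`peel` works here because the toy layers are pure base64; against real nine-layer obfuscation the normalizer is the expensive part, which is exactly why the cheap, invariant header is worth a signature on its own.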

Banana RAT shares capabilities with the Tetrade family of Brazilian banking trojans, such as Grandoreiro, Mekotio, Casbaneiro and CHAVECLOAK. The full-screen banking overlay is the defining behaviour of this family. Architectural differences set it apart, however: Banana RAT is a PowerShell client orchestrated by a Python server, while the other Tetrade members follow different patterns.

Furthermore, the per-victim polymorphism system exceeds what has been documented for other family members. The infrastructure also did not overlap with published Grandoreiro indicators at the time of analysis, suggesting that the operators are using evasion techniques not previously documented by the security community.

The Federação Brasileira de Bancos (Febraban) has already received intelligence shared by TrendMicro to protect institutions and customers against this growing threat.
