Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Fake Indian Tax Notices Deliver Dual RAT Malware
July 8, 2026
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Critical RCE Flaw in Claude Desktop App Lets Attackers Execute Remote Code
July 8, 2026
Home/Threats/Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
Threats

Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT

Key Takeaways An exposed payload generator has been identified, actively creating polymorphic banking malware variants for the Banana RAT. The threat leverages an open directory on IP address...

Jennifer sherman
Jennifer sherman
July 8, 2026 4 Min Read
3 0

Key Takeaways

  • An exposed payload generator has been identified, actively creating polymorphic banking malware variants for the Banana RAT.
  • The threat leverages an open directory on IP address 198[.]245[.]53[.]26, facilitating the distribution of obfuscation scripts and malware payloads.
  • Two distinct branches of Banana RAT, an older and a newer version, are being propagated through this shared infrastructure.
  • The malware exhibits polymorphic behavior, making it challenging for traditional signature-based detection methods.
  • Defenders should prioritize blocking identified IoCs and monitoring for suspicious PowerShell activity and scheduled tasks.

A significant vulnerability has emerged in the cybersecurity landscape, revealing an exposed payload generator actively churning out polymorphic banking malware variants associated with the Banana RAT. This discovery points to an alarming level of operational oversight by the threat actors, as a public-facing directory on a server (198[.]245[.]53[.]26) has been left open, offering a direct view into their malicious toolkit.

Table Of Content

  • Key Takeaways
  • Unveiling the Exposed Infrastructure
  • Polymorphism and Evasion Tactics
  • Indicators of Compromise (IoCs)
  • What You Should Do

Unveiling the Exposed Infrastructure

The exposed server hosts a range of critical components used in the malware’s deployment, including the payload generator itself and various obfuscation scripts. This misconfiguration has inadvertently provided security researchers with an unprecedented look into the inner workings of the Banana RAT’s distribution and mutation mechanisms. The publicly accessible index at 198[.]245[.]53[.]26 serves as a staging ground, enabling the continuous generation of new malware iterations.

Analysis of the exposed infrastructure revealed the simultaneous operation of two distinct branches of the Banana RAT. An older, more established branch and a newer, evolving version are both utilizing this shared resource. Crucially, a consistent fallback IP address (149[.]56[.]12[.]51) embedded within the code of both branches serves as a critical link, unequivocally tying the newer variants back to the older, known malicious infrastructure. This persistent identifier has proven invaluable for tracking the malware’s evolution and understanding its operational continuity.

Polymorphism and Evasion Tactics

The Banana RAT variants generated by this exposed tool exhibit polymorphic characteristics. This means the malware can alter its code and appearance with each new instance, making it significantly harder for conventional signature-based antivirus solutions to detect. The obfuscation scripts found on the server are key to this evasive capability, allowing the threat actors to continuously modify the malware’s footprint.

The older branch of the malware was observed using a pseudo-Microsoft command and control (C2) domain, c.windowns-cdn.com, to blend in with legitimate network traffic. For persistence, this older variant drops an executable named MicrosoftEdgeUpdateCore.exe. In contrast, the newer branch employs a base apex domain, testewin.com, for its WebSocket C2 communications, utilizing hashed subdomains like 52facc3b24f8bad9c5c56819e385f3a1.testewin.com, which are resolved during detonation. The newer branch also leverages cdn.testewin.com as a fallback domain embedded within its runtime payload. Persistence for the newer branch is achieved through a VBS launcher script, c9dba5b0552d.vbs, written to the ProgramData directory.

Both branches employ PowerShell for their full payload delivery. The older branch’s full payload (SHA256: 443C0A821C214471D74B51093AB3D69BB9BEE54DCDA2551E4F12707) was observed under names like msedgeupdate.txt or msedge.txt. The newer branch utilizes a stage-2 stager (st.php.malw, SHA256: E9D918FF5F7918CFF1A3A23F3945058A66B56D6DDC7E1CAB95E166D) and a full PowerShell payload (payload_new.php.malw, SHA256: D828949ADE683CF3AC6D4260F946CA33EF8610350EE79EC75DD243B2), which was also seen as c9dba5b0552d879be654.txt when extracted from infected hosts.

Indicators of Compromise (IoCs)

The following indicators have been identified as crucial for detecting and mitigating the threat. Note: IP addresses and domains are intentionally defanged (e.g., [.] ) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Type Indicator Description
IP 198[.]245[.]53[.]26 Exposed staging server hosting payload generator and obfuscation scripts
IP 149[.]56[.]12[.]51 Fallback C2 IP shared across both older and newer Banana RAT branches
IP 104[.]21.39.172 Cloudflare edge IP resolved for newer branch WebSocket C2 domain
IP 67[.]142[.]55 Cloudflare edge IP resolved for newer branch WebSocket C2 domain
Domain c.windowns-cdn.com Pseudo-Microsoft C2 domain used by the older detonation branch
Domain testewin.com Base apex domain used for newer branch’s hashed WebSocket C2 subdomains
Domain 52facc3b24f8bad9c5c56819e385f3a1.testewin.com Host-derived C2 subdomain resolved during newer branch detonation
Domain cdn.testewin.com Fallback domain embedded in newer branch runtime payload
File Fatura-BtgPactual-22568.bat Older detonation entry sample (SHA256: BC4C29BC0C84EA18311FBADC508F6F3A9D84B54AAB34D6B42F56C0C)
File msedgeupdate.txt / msedge.txt Older branch full payload (SHA256: 443C0A821C214471D74B51093AB3D69BB9BEE54DCDA2551E4F12707)
File st.php.malw Stage-2 stager, newer branch (SHA256: E9D918FF5F7918CFF1A3A23F3945058A66B56D6DDC7E1CAB95E166D)
File payload_new.php.malw Full PowerShell payload, newer branch (SHA256: D828949ADE683CF3AC6D4260F946CA33EF8610350EE79EC75DD243B2)
File c9dba5b0552d879be654.txt Runtime payload extracted from infected host, matches payload_new.php.malw hash
File c9dba5b0552d.vbs VBS launcher script written to ProgramData for newer branch persistence
File MicrosoftEdgeUpdateCore.exe Named executable used for persistence in the older detonation branch

What You Should Do

  • Block Known IoCs: Immediately implement blocks for all identified IP addresses and domains listed as Indicators of Compromise in your firewalls, intrusion prevention systems (IPS), and web proxies.
  • Monitor Network Traffic: Scrutinize network traffic for connections to the listed C2 domains and IP addresses. Pay close attention to any outbound connections that match these indicators.
  • Enhance Endpoint Detection: Ensure your Endpoint Detection and Response (EDR) solutions are configured to detect and alert on suspicious PowerShell activity, especially hidden or obfuscated commands.
  • Review Scheduled Tasks: Regularly audit scheduled tasks on endpoints for any newly created or modified entries with unusual names or commands that could indicate persistence mechanisms.
  • Implement

    Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

    Tags:

    MalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Mycelium Framework: First AI-as-a-Service Botnet Discovered

Next Post

Claude Cowork Critical Flaw Exposes AI Sessions to Remote Access

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
July 8, 2026
Mycelium Framework: First AI-as-a-Service Botnet Discovered
July 8, 2026
Critical SharePoint RCE Vulnerability CVE-2023-29357 Gets PoC Exploit Code
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us