Hackers Deliver Banana RAT via NF-e Invoice Lures Through
A newly discovered banking trojan, dubbed Banana RAT, is actively targeting Brazilian users. This malware leverages fake NF-e (Nota Fiscal Eletronica) documents to trick victims into executing...
A newly discovered banking trojan, dubbed Banana RAT, is actively targeting Brazilian users. This malware leverages fake NF-e (Nota Fiscal Eletronica) documents to trick victims into executing malicious batch files. These files then covertly install a potent remote access tool onto their Windows systems.
Table Of Content
The campaign has been active and ongoing against Brazil’s financial sector, and its level of sophistication clearly points to a well-organized, well-resourced threat actor operating behind it.
NF-e is Brazil’s official electronic invoicing system, and it is widely trusted and used by businesses across the country every day. Attackers are counting on that familiarity, sending lure files with the name “Consultar_NF-e.bat” through WhatsApp messages or phishing links.
The goal is to make victims believe they are opening a routine tax document, when in reality they are handing attackers full and persistent control of their machines.
Researchers from Trend Micro’s Managed Detection and Response (MDR) team identified the malware while investigating a live Brazilian banking trojan operation.
They were able to recover both the attacker’s server-side tooling and the client-side malware from compromised endpoints, giving them a rare and complete picture of the full attack chain.
Trend Micro said in a report shared with Cyber Security News (CSN) that they tracked this threat cluster as “SHADOW-WATER-063.”
The impact of this campaign is considerable. Banana RAT specifically targets 16 major Brazilian financial institutions, including Itau, Bradesco, Santander, Caixa, and Banco do Brasil, as well as several Brazilian-localized cryptocurrency exchanges.
By focusing exclusively on Brazil’s financial sector, the threat actor has built a highly targeted operation that leaves virtually no room for accidental infections outside its intended victim pool.
NF-e Invoice Lures
Analysts believe the operation may be running on a Malware-as-a-Service (MaaS) model, where access to the platform is potentially resold to one or more affiliates.
Internal server-side code was written entirely in Brazilian Portuguese, and the project carries an internal codename of “Projeto Banana,” pointing to a well-maintained and actively developed toolset rather than a simple, isolated one-off attack campaign.
The attack begins when a victim downloads and runs the malicious batch file, which triggers a hidden PowerShell command. That command silently fetches a small staging script from an attacker-controlled server, which then downloads an AES-256 encrypted payload called “msedge.txt.”
The payload is decrypted entirely in memory, meaning no unencrypted file ever touches the victim’s hard drive, making it far harder for traditional security tools to detect any infection.
Once the payload runs, it establishes persistence by registering a hidden scheduled task that launches PowerShell every minute for up to 9,999 days.
The malware disguises its files inside a directory path that mimics legitimate Microsoft diagnostic storage, designed to blend in completely with trusted system files.
The polymorphic build pipeline also generates a completely byte-unique payload for every single victim request, making file-hash-based detection essentially useless against this campaign at scale.
Banana RAT’s Remote Fraud and Surveillance Capabilities
Once active on a victim’s machine, Banana RAT functions as a full-featured remote fraud and surveillance platform.
It streams the victim’s screen live to the operator, logs every keystroke, injects fake banking overlays that convincingly mimic real security update screens, and can intercept or replace Pix QR codes during live payment transactions.
Pix is Brazil’s central bank instant payment system, and the RAT includes a dedicated subsystem built exclusively for this payment rail.
The malware connects back to its command-and-control server on port 443 using a custom binary protocol encrypted with AES-256-CBC. It also uses a typosquatting domain designed to impersonate legitimate Microsoft CDN infrastructure, with hardcoded fallback IP addresses built in for redundancy if that domain is disrupted.
Defenders are advised to block all identified network indicators at the perimeter, enable real-time behavioral monitoring on endpoints, and train users to be suspicious of any unexpected full-screen banking overlays or QR code prompts during active banking sessions.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| File Name | Consultar_NF-e.bat | Malicious batch file used as the initial lure (NF-e invoice decoy) |
| File Name | st.txt / st.php | Initial PowerShell stager; downloads and executes next-stage payload |
| File Name | payload.php | Polymorphic payload dropper; stages second-stage execution content |
| File Name | msedge.txt | Primary second-stage payload; Banana RAT remote access trojan functionality |
| Domain | conviTemundial2026[.]com | Delivery domain used to distribute the malicious Consultar_NF-e.bat file |
| Domain | windowsk-cdn[.]com | C2 server domain; typosquats legitimate Microsoft CDN infrastructure |
| IP Address | 162.141.111[.]227 | C2 server fallback IP address; port 443 (TLS/SSL) |
| URL | hxxp://24[.]199[.]90[.]58:80/Disease_vector | Delivery/staging URL |
| URL | hxxp://24[.]199[.]90[.]58:80/payload[.]php | Payload delivery URL |
| URL | hxxp://24[.]199[.]90[.]58:80/st[.]txt | Stager delivery URL |
| SHA-256 | 5ileecd fcfadead adgbfedbc beee cfabcf | st.txt — Backdoor.PS1.BANANARAT.A (PowerShell downloader component) |
| SHA-256 | 5stphb eadeeee fffbgdgb efiifgif | st.php — Trojan.PS1.BANANARAT.A (Web-based downloader/bootstrap) |
| SHA-256 | paseffhe ffcdhieb geddfgd d | msedge.txt — Backdoor.PS1.BANANARAT.A (Primary second-stage RAT payload) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.