Banana RAT Uses Exposed Payload Generator to Create Polymorphic Banking Malware Variants
A Banana RAT campaign has exposed how banking malware operators can generate new payload variants on demand instead of relying on one static malware build.
According to ANY.RUN, researchers found an exposed backend server that hosted not only malicious files, but also scripts used to generate and obfuscate Banana RAT payloads. The setup helped operators create different versions of the same banking malware within a short period.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The discovery matters because Banana RAT focuses on financial activity and Brazilian banking fraud. If the malware can repeatedly change file names, folders, scripts, and command paths, defenders cannot depend only on blocklists or static indicators.
An exposed server revealed the malware factory
The investigation began with a public index on an exposed IP address. Instead of finding only a payload directory, researchers found a working staging environment with a backend generator and an obfuscation script.
The main backend script was named servidor_completo_pool.py. ANY.RUN said it was built to pre-generate malware payloads in batches and expose web routes for warming payload pools, reporting statistics, and serving finished files.
This points to a production system rather than a one-off hosting mistake. The attackers could use the same infrastructure to generate fresh Banana RAT builds as detection rules caught older ones.
| Component | Reported role |
|---|---|
| servidor_completo_pool.py | Backend payload generator that pre-built malware variants |
| ofuscador.py | PowerShell obfuscation script used to scramble commands |
| 198[.]245[.]53[.]26 | Exposed staging server hosting the generator and payloads |
| 149[.]56[.]12[.]51 | Fallback C2 IP shared by older and newer branches |
| testewin[.]com | Base domain used for hashed WebSocket C2 subdomains |
Why the generator changes the risk
A static malware sample gives defenders one version to analyze. A generator gives operators a way to create new versions repeatedly.
ANY.RUN said the exposed setup produced two Banana RAT branches observed in late May 2026 and early June 2026. Comparing them showed how the operators changed persistence, naming, folders, and command-and-control behavior while keeping the same broader malware goal.
This type of adaptation makes signature-based detection weaker over time. Security teams need to look at behavior, not only file names or one known script hash.
PowerShell obfuscation helps variants look different
The exposed ofuscador.py script reportedly rewrote plain PowerShell commands into scrambled character sequences that reassemble at runtime.
That technique lets the same underlying action appear different across generated payloads. Defenders may see changed strings, different command layout, and new surface-level patterns even when the malware still performs the same behavior.
MITREโs Obfuscated Files or Information technique explains that adversaries may encrypt, encode, or otherwise obfuscate files and commands to make them harder to discover or analyze.
- The base malware behavior stays similar.
- The PowerShell command text changes between builds.
- Static detections become less reliable.
- Analysts must compare execution flow and network behavior.
- Defenders need telemetry from scripts, scheduled tasks, and C2 connections.
The older branch used predictable Windows update disguises
The older Banana RAT branch, detonated in late May 2026, used fixed names and paths designed to look like Microsoft Edge or Windows update components.
One reported persistence file was MicrosoftEdgeUpdateCore.exe. The C2 domain also used a pseudo-Microsoft lookalike, c.windowns-cdn[.]com, with a misspelling that made it easier to detect once analysts noticed the pattern.
This older version still posed a serious risk, but it gave defenders more stable fingerprints. Fixed file names, fixed folders, and a visible typo in the domain created repeatable hunting opportunities.
| Older branch behavior | Defender value |
|---|---|
| Fixed file names | Easier to search across endpoints |
| Windows update-style naming | Useful for spotting suspicious masquerading |
| Scheduled task persistence | Creates a detectable persistence artifact |
| Lookalike C2 domain | Can be blocked once identified |
| Shared fallback IP | Links the older branch to later activity |
The newer branch became more polymorphic
The newer branch, observed in early June 2026, removed much of the predictable structure. Instead of using stable folders and file names, it generated random installation paths and names for each infected machine.
Persistence also changed. The newer build used a VBS launcher written to ProgramData, paired with a hidden scheduled task running with high privileges.
MITREโs Scheduled Task technique notes that adversaries may abuse Windows Task Scheduler for recurring execution, persistence, privilege escalation, and execution under accounts such as SYSTEM.
Randomized names make blocklists less useful
Randomized folders and payload names reduce the value of simple deny lists. A rule that looks only for MicrosoftEdgeUpdateCore.exe may miss the newer branch if it writes a random VBS launcher and a randomly named payload file.
That does not make the malware invisible. It shifts detection toward patterns such as unusual script creation in ProgramData, hidden scheduled tasks, obfuscated PowerShell, and suspicious WebSocket traffic.
The same MITRE Scheduled Task guidance also notes that adversaries may create hidden scheduled tasks that do not appear in some manual or tool-based task queries.
PowerShell remains central to the infection chain
Both branches rely heavily on PowerShell behavior. That includes payload staging, obfuscation, execution, and communication setup.
MITREโs PowerShell technique explains that adversaries can use PowerShell for discovery, code execution, payload downloads, and in-memory execution.
That makes PowerShell telemetry important for this campaign. Security teams should not only look for powershell.exe, but also for encoded commands, runtime string rebuilding, hidden windows, unusual parent processes, and scripts launched by VBS files.
The newer branch uses hashed WebSocket C2 hosts
The newer Banana RAT branch communicates through an encrypted WebSocket channel. ANY.RUN said the C2 address is built from a hashed identifier unique to each infected computer.
During detonation, one generated host was 52facc3b24f8bad9c5c56819e385f3a1.testewin[.]com. The branch also embedded cdn.testewin[.]com as a fallback domain.

MDNโs WebSocket documentation explains that WebSocket creates and manages a connection to a server and can send and receive data over that connection.
| C2 element | Reported role |
|---|---|
| testewin[.]com | Base domain for newer branch C2 subdomains |
| 52facc3b24f8bad9c5c56819e385f3a1.testewin[.]com | Host-derived C2 subdomain seen during detonation |
| cdn.testewin[.]com | Fallback domain embedded in newer runtime payload |
| 149[.]56[.]12[.]51 | Fallback C2 IP shared across branches |
| c.windowns-cdn[.]com | Pseudo-Microsoft C2 domain used by older branch |
Why hashed C2 subdomains complicate blocking
Using a host-derived subdomain lets the attacker create a unique-looking C2 endpoint for each infected system. That can reduce the effectiveness of blocking a single fully qualified domain name.
Defenders can still block or monitor the base domain and fallback infrastructure, but they also need DNS analytics that can spot suspicious generated subdomains.
The WebSocket API is legitimate and widely used, so defenders should avoid blocking all WebSocket traffic. Instead, they should focus on unusual destinations, rare domains, new domains, and suspicious PowerShell or VBS processes opening persistent connections.
The fallback IP links both branches
One important connection remained stable across the two versions. ANY.RUN said both branches included the fallback IP address 149[.]56[.]12[.]51.
That detail helped connect the newer, more randomized branch to the older infrastructure. It also gives defenders a useful indicator when file names and folders change.
Infrastructure reuse often reveals campaign continuity. Even when malware builders randomize payloads, they may still keep backup servers, domains, certificate patterns, scripts, or staging logic from older operations.
Banking malware benefits from fast mutation
Banana RAT targets financial activity, so its operators benefit when the malware stays active long enough to reach a victimโs banking session.
Polymorphic generation helps with that goal. If one version gets detected by antivirus or EDR rules, the operator can generate another build with different surface features while keeping the same fraud workflow.
The MITRE obfuscation entry also lists polymorphic code and command obfuscation as related sub-techniques, which matches the defensive problem raised by this campaign.
Indicators of compromise
ANY.RUN shared the following indicators tied to the exposed infrastructure and the two Banana RAT branches. These indicators should support threat hunting, but defenders should also use behavior-based detections because the malware can regenerate surface details.
| Type | Indicator | Description |
|---|---|---|
| IP | 198[.]245[.]53[.]26 | Exposed staging server hosting payload generator and obfuscation scripts |
| IP | 149[.]56[.]12[.]51 | Fallback C2 IP shared across older and newer Banana RAT branches |
| IP | 104[.]21[.]39[.]172 | Cloudflare edge IP resolved for newer branch WebSocket C2 domain |
| IP | 67[.]142[.]55 | Cloudflare edge IP resolved for newer branch WebSocket C2 domain |
| Domain | c.windowns-cdn[.]com | Pseudo-Microsoft C2 domain used by the older branch |
| Domain | testewin[.]com | Base apex domain used for hashed WebSocket C2 subdomains |
| Domain | 52facc3b24f8bad9c5c56819e385f3a1.testewin[.]com | Host-derived C2 subdomain resolved during newer branch detonation |
| Domain | cdn.testewin[.]com | Fallback domain embedded in newer branch runtime payload |
| File | Fatura-BtgPactual-22568.bat | Older detonation entry sample |
| File | msedgeupdate.txt / msedge.txt | Older branch full payload |
| File | st.php.malw | Stage-2 stager for the newer branch |
| File | payload_new.php.malw | Full PowerShell payload for the newer branch |
| File | c9dba5b0552d879be654.txt | Runtime payload extracted from infected host |
| File | c9dba5b0552d.vbs | VBS launcher written to ProgramData for newer branch persistence |
| File | MicrosoftEdgeUpdateCore.exe | Named executable used for persistence in the older branch |
Detection should focus on behavior
Defenders should use the indicators above, but they should not rely on them alone. The exposed generator shows that the malware can alter names and script content quickly.
Useful behavioral signals include obfuscated PowerShell launched from unusual locations, VBS files written to ProgramData, hidden scheduled tasks, host-derived C2 subdomains, and persistent WebSocket traffic from scripts or suspicious child processes.

The MITRE PowerShell guidance is useful here because it specifically notes that PowerShell can download and run executables from the internet, including from disk or in memory.
- Block known Banana RAT C2 domains and fallback IP addresses.
- Hunt for hidden scheduled tasks created by unknown scripts.
- Monitor VBS launchers written to ProgramData.
- Detect PowerShell commands that rebuild strings at runtime.
- Look for random folder and file names tied to persistence paths.
- Alert on WebSocket traffic to rare or newly seen domains.
- Compare behavior across variants rather than relying only on hashes.
Why exposed tooling helps defenders
The exposed backend gave researchers more than a single sample. It showed the machinery behind the campaign, including how payloads were generated, obfuscated, staged, and served.
That kind of visibility helps defenders build rules around the malwareโs production logic. Even if the next build changes file names, the same generator may leave patterns in script structure, persistence methods, staging paths, or C2 behavior.
For enterprise teams, the main lesson is clear: when malware uses polymorphic generation, detection needs to follow the workflow from delivery to persistence to C2, not only the last known payload.
FAQ
Banana RAT is a remote access trojan linked to banking fraud activity, including Brazilian banking targets. It is designed to give attackers remote access and support financial theft workflows.
Researchers found a public staging server that hosted malicious files, a backend payload generator named servidor_completo_pool.py, and an obfuscation script named ofuscador.py.
The generator can create new Banana RAT variants on demand. This makes static detection harder because file names, scripts, paths, and command structure can change between builds.
The older branch used more predictable Windows update-style names and paths. The newer branch used randomized names, a VBS launcher, hidden scheduled task persistence, and hashed WebSocket C2 subdomains.
Defenders should monitor obfuscated PowerShell, VBS launchers in ProgramData, hidden scheduled tasks, suspicious WebSocket connections, rare C2 domains, and fallback infrastructure instead of relying only on file hashes.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages