Banana RAT Uses Exposed Payload Generator to Create Polymorphic Banking Malware Variants


A Banana RAT campaign has exposed how banking malware operators can generate new payload variants on demand instead of relying on one static malware build.

According to ANY.RUN, researchers found an exposed backend server that hosted not only malicious files, but also scripts used to generate and obfuscate Banana RAT payloads. The setup helped operators create different versions of the same banking malware within a short period.

The discovery matters because Banana RAT focuses on financial activity and Brazilian banking fraud. If the malware can repeatedly change file names, folders, scripts, and command paths, defenders cannot depend only on blocklists or static indicators.

An exposed server revealed the malware factory

The investigation began with a public index on an exposed IP address. Instead of finding only a payload directory, researchers found a working staging environment with a backend generator and an obfuscation script.

The main backend script was named servidor_completo_pool.py. ANY.RUN said it was built to pre-generate malware payloads in batches and expose web routes for warming payload pools, reporting statistics, and serving finished files.

This points to a production system rather than a one-off hosting mistake. The attackers could use the same infrastructure to generate fresh Banana RAT builds as detection rules caught older ones.

ComponentReported role
servidor_completo_pool.pyBackend payload generator that pre-built malware variants
ofuscador.pyPowerShell obfuscation script used to scramble commands
198[.]245[.]53[.]26Exposed staging server hosting the generator and payloads
149[.]56[.]12[.]51Fallback C2 IP shared by older and newer branches
testewin[.]comBase domain used for hashed WebSocket C2 subdomains

Why the generator changes the risk

A static malware sample gives defenders one version to analyze. A generator gives operators a way to create new versions repeatedly.

ANY.RUN said the exposed setup produced two Banana RAT branches observed in late May 2026 and early June 2026. Comparing them showed how the operators changed persistence, naming, folders, and command-and-control behavior while keeping the same broader malware goal.

This type of adaptation makes signature-based detection weaker over time. Security teams need to look at behavior, not only file names or one known script hash.

PowerShell obfuscation helps variants look different

The exposed ofuscador.py script reportedly rewrote plain PowerShell commands into scrambled character sequences that reassemble at runtime.

That technique lets the same underlying action appear different across generated payloads. Defenders may see changed strings, different command layout, and new surface-level patterns even when the malware still performs the same behavior.

MITREโ€™s Obfuscated Files or Information technique explains that adversaries may encrypt, encode, or otherwise obfuscate files and commands to make them harder to discover or analyze.

  • The base malware behavior stays similar.
  • The PowerShell command text changes between builds.
  • Static detections become less reliable.
  • Analysts must compare execution flow and network behavior.
  • Defenders need telemetry from scripts, scheduled tasks, and C2 connections.

The older branch used predictable Windows update disguises

The older Banana RAT branch, detonated in late May 2026, used fixed names and paths designed to look like Microsoft Edge or Windows update components.

One reported persistence file was MicrosoftEdgeUpdateCore.exe. The C2 domain also used a pseudo-Microsoft lookalike, c.windowns-cdn[.]com, with a misspelling that made it easier to detect once analysts noticed the pattern.

This older version still posed a serious risk, but it gave defenders more stable fingerprints. Fixed file names, fixed folders, and a visible typo in the domain created repeatable hunting opportunities.

Older branch behaviorDefender value
Fixed file namesEasier to search across endpoints
Windows update-style namingUseful for spotting suspicious masquerading
Scheduled task persistenceCreates a detectable persistence artifact
Lookalike C2 domainCan be blocked once identified
Shared fallback IPLinks the older branch to later activity

The newer branch became more polymorphic

The newer branch, observed in early June 2026, removed much of the predictable structure. Instead of using stable folders and file names, it generated random installation paths and names for each infected machine.

Persistence also changed. The newer build used a VBS launcher written to ProgramData, paired with a hidden scheduled task running with high privileges.

MITREโ€™s Scheduled Task technique notes that adversaries may abuse Windows Task Scheduler for recurring execution, persistence, privilege escalation, and execution under accounts such as SYSTEM.

Randomized names make blocklists less useful

Randomized folders and payload names reduce the value of simple deny lists. A rule that looks only for MicrosoftEdgeUpdateCore.exe may miss the newer branch if it writes a random VBS launcher and a randomly named payload file.

That does not make the malware invisible. It shifts detection toward patterns such as unusual script creation in ProgramData, hidden scheduled tasks, obfuscated PowerShell, and suspicious WebSocket traffic.

The same MITRE Scheduled Task guidance also notes that adversaries may create hidden scheduled tasks that do not appear in some manual or tool-based task queries.

PowerShell remains central to the infection chain

Both branches rely heavily on PowerShell behavior. That includes payload staging, obfuscation, execution, and communication setup.

MITREโ€™s PowerShell technique explains that adversaries can use PowerShell for discovery, code execution, payload downloads, and in-memory execution.

That makes PowerShell telemetry important for this campaign. Security teams should not only look for powershell.exe, but also for encoded commands, runtime string rebuilding, hidden windows, unusual parent processes, and scripts launched by VBS files.

The newer branch uses hashed WebSocket C2 hosts

The newer Banana RAT branch communicates through an encrypted WebSocket channel. ANY.RUN said the C2 address is built from a hashed identifier unique to each infected computer.

During detonation, one generated host was 52facc3b24f8bad9c5c56819e385f3a1.testewin[.]com. The branch also embedded cdn.testewin[.]com as a fallback domain.

Exposed public index at 198.245.53.26 (Source – Any.Run)

MDNโ€™s WebSocket documentation explains that WebSocket creates and manages a connection to a server and can send and receive data over that connection.

C2 elementReported role
testewin[.]comBase domain for newer branch C2 subdomains
52facc3b24f8bad9c5c56819e385f3a1.testewin[.]comHost-derived C2 subdomain seen during detonation
cdn.testewin[.]comFallback domain embedded in newer runtime payload
149[.]56[.]12[.]51Fallback C2 IP shared across branches
c.windowns-cdn[.]comPseudo-Microsoft C2 domain used by older branch

Why hashed C2 subdomains complicate blocking

Using a host-derived subdomain lets the attacker create a unique-looking C2 endpoint for each infected system. That can reduce the effectiveness of blocking a single fully qualified domain name.

Defenders can still block or monitor the base domain and fallback infrastructure, but they also need DNS analytics that can spot suspicious generated subdomains.

The WebSocket API is legitimate and widely used, so defenders should avoid blocking all WebSocket traffic. Instead, they should focus on unusual destinations, rare domains, new domains, and suspicious PowerShell or VBS processes opening persistent connections.

One important connection remained stable across the two versions. ANY.RUN said both branches included the fallback IP address 149[.]56[.]12[.]51.

That detail helped connect the newer, more randomized branch to the older infrastructure. It also gives defenders a useful indicator when file names and folders change.

Infrastructure reuse often reveals campaign continuity. Even when malware builders randomize payloads, they may still keep backup servers, domains, certificate patterns, scripts, or staging logic from older operations.

Banking malware benefits from fast mutation

Banana RAT targets financial activity, so its operators benefit when the malware stays active long enough to reach a victimโ€™s banking session.

Polymorphic generation helps with that goal. If one version gets detected by antivirus or EDR rules, the operator can generate another build with different surface features while keeping the same fraud workflow.

The MITRE obfuscation entry also lists polymorphic code and command obfuscation as related sub-techniques, which matches the defensive problem raised by this campaign.

Indicators of compromise

ANY.RUN shared the following indicators tied to the exposed infrastructure and the two Banana RAT branches. These indicators should support threat hunting, but defenders should also use behavior-based detections because the malware can regenerate surface details.

TypeIndicatorDescription
IP198[.]245[.]53[.]26Exposed staging server hosting payload generator and obfuscation scripts
IP149[.]56[.]12[.]51Fallback C2 IP shared across older and newer Banana RAT branches
IP104[.]21[.]39[.]172Cloudflare edge IP resolved for newer branch WebSocket C2 domain
IP67[.]142[.]55Cloudflare edge IP resolved for newer branch WebSocket C2 domain
Domainc.windowns-cdn[.]comPseudo-Microsoft C2 domain used by the older branch
Domaintestewin[.]comBase apex domain used for hashed WebSocket C2 subdomains
Domain52facc3b24f8bad9c5c56819e385f3a1.testewin[.]comHost-derived C2 subdomain resolved during newer branch detonation
Domaincdn.testewin[.]comFallback domain embedded in newer branch runtime payload
FileFatura-BtgPactual-22568.batOlder detonation entry sample
Filemsedgeupdate.txt / msedge.txtOlder branch full payload
Filest.php.malwStage-2 stager for the newer branch
Filepayload_new.php.malwFull PowerShell payload for the newer branch
Filec9dba5b0552d879be654.txtRuntime payload extracted from infected host
Filec9dba5b0552d.vbsVBS launcher written to ProgramData for newer branch persistence
FileMicrosoftEdgeUpdateCore.exeNamed executable used for persistence in the older branch

Detection should focus on behavior

Defenders should use the indicators above, but they should not rely on them alone. The exposed generator shows that the malware can alter names and script content quickly.

Useful behavioral signals include obfuscated PowerShell launched from unusual locations, VBS files written to ProgramData, hidden scheduled tasks, host-derived C2 subdomains, and persistent WebSocket traffic from scripts or suspicious child processes.

Execution Flow Comparison (Source – Any.Run)

The MITRE PowerShell guidance is useful here because it specifically notes that PowerShell can download and run executables from the internet, including from disk or in memory.

  1. Block known Banana RAT C2 domains and fallback IP addresses.
  2. Hunt for hidden scheduled tasks created by unknown scripts.
  3. Monitor VBS launchers written to ProgramData.
  4. Detect PowerShell commands that rebuild strings at runtime.
  5. Look for random folder and file names tied to persistence paths.
  6. Alert on WebSocket traffic to rare or newly seen domains.
  7. Compare behavior across variants rather than relying only on hashes.

Why exposed tooling helps defenders

The exposed backend gave researchers more than a single sample. It showed the machinery behind the campaign, including how payloads were generated, obfuscated, staged, and served.

That kind of visibility helps defenders build rules around the malwareโ€™s production logic. Even if the next build changes file names, the same generator may leave patterns in script structure, persistence methods, staging paths, or C2 behavior.

For enterprise teams, the main lesson is clear: when malware uses polymorphic generation, detection needs to follow the workflow from delivery to persistence to C2, not only the last known payload.

FAQ

What is Banana RAT?

Banana RAT is a remote access trojan linked to banking fraud activity, including Brazilian banking targets. It is designed to give attackers remote access and support financial theft workflows.

What did researchers find on the exposed Banana RAT server?

Researchers found a public staging server that hosted malicious files, a backend payload generator named servidor_completo_pool.py, and an obfuscation script named ofuscador.py.

Why is the Banana RAT payload generator important?

The generator can create new Banana RAT variants on demand. This makes static detection harder because file names, scripts, paths, and command structure can change between builds.

How did the newer Banana RAT branch differ from the older one?

The older branch used more predictable Windows update-style names and paths. The newer branch used randomized names, a VBS launcher, hidden scheduled task persistence, and hashed WebSocket C2 subdomains.

How can defenders detect Banana RAT variants?

Defenders should monitor obfuscated PowerShell, VBS launchers in ProgramData, hidden scheduled tasks, suspicious WebSocket connections, rare C2 domains, and fallback infrastructure instead of relying only on file hashes.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages