Banana RAT’s Evolution Revealed: How a Malware-as-a-Service Operation Is Becoming More Adaptive, Stealthy, and Dangerous + Video

Listen to this Post

Featured ImageIntroduction: A Rare Look Inside the Growth of a Modern Malware Operation

Cybersecurity researchers have uncovered a rare window into the development process behind Banana RAT, a remote access trojan that has historically focused on financial theft campaigns in Brazil, especially those involving the country’s popular instant payment system, Pix. Unlike typical malware investigations that only reveal a final malicious payload, this discovery exposed something far more valuable: the internal machinery used by attackers to continuously build, modify, and distribute new malware versions.

The discovery began with an exposed public directory identified through Shodan scanning, hosted on the IP address 198[.]245[.]53[.]26. Instead of finding a simple malware hosting location, researchers uncovered an active backend environment designed to generate new Banana RAT variants automatically.

By analyzing two separate malware samples from the same infrastructure — one collected in late May 2026 and another in early June 2026 — security researchers were able to track how the operators improved their infection chain, persistence methods, command-and-control design, and evasion capabilities.

The findings demonstrate how cybercriminal groups are increasingly adopting professional software-development practices, transforming malware operations into scalable Malware-as-a-Service ecosystems.

The Hidden Infrastructure Behind Banana RAT

A Malware Factory Instead of a Simple Payload Server

The exposed directory revealed that Banana RAT operators were not relying on a traditional static malware distribution method. Instead, researchers discovered a complete backend system capable of generating multiple malware variants automatically.

Among the recovered files were common staging components, including:

st.php

msedge.txt

servidor_completo_pool.py

The most significant discovery was servidor_completo_pool.py, a FastAPI-based application that functioned as an automated malware-generation service.

Rather than manually creating every malicious executable, attackers appeared to maintain a pool of pre-generated payload variations. This approach allows threat actors to quickly replace detected samples, bypass security signatures, and maintain campaign momentum.

This development reflects a broader trend in cybercrime where attackers increasingly adopt automation, cloud-style infrastructure, and software engineering techniques.

Banana RAT Introduces Polymorphic Malware Generation

Attackers Focus on Avoiding Detection

The recovered infrastructure showed clear evidence of polymorphic behavior, where malware characteristics are constantly modified to make detection more difficult.

The backend system was designed to protect and transform important execution elements, including scheduled task strings used for persistence.

A secondary tool named ofuscador.py provided further insight into the attackers’ workflow.

This script transformed PowerShell commands into ASCII-based reconstruction wrappers inside BAT files. These generated launcher files served as initial infection tools designed to bypass basic detection systems.

Instead of deploying identical malware samples repeatedly, the operators could generate slightly different versions for different victims.

This method creates additional challenges for defenders because traditional signature-based security tools often depend on recognizing repeated patterns.

A Major Upgrade in June 2026: More Advanced Delivery and Persistence

From Simple Execution to Flexible Infection Chains

By June 9, 2026, researchers observed a significant evolution in the Banana RAT operation.

Although the attackers continued using the same staging infrastructure, they redesigned important parts of the malware delivery process.

The earlier infection method was replaced with a PHP-based delivery mechanism that enforced TLS 1.2 communication before downloading the final payload.

This upgrade provided several advantages:

Encrypted communication between victims and infrastructure

Reduced visibility for network monitoring systems

More reliable payload delivery

Greater difficulty for defenders attempting interception

The operators also abandoned fixed persistence locations.

Earlier versions relied on predictable installation paths, making detection easier. Newer versions introduced randomized persistence locations, making automated hunting more complicated.

Dynamic Command-and-Control Architecture Shows Professional Malware Development

Banana RAT Moves Beyond Traditional Domain Communication

One of the most notable improvements appeared in the command-and-control system.

Previous Banana RAT versions relied on static domains, including typo-squatted infrastructure that defenders could identify and block.

The newer version introduced a much more advanced technique.

Instead of using a fixed communication address, the malware generates a unique host-specific domain by hashing the victim’s machine identifier.

This means every infected system may communicate through a different subdomain.

The communication process includes:

Unique victim-based domain generation

Encrypted WebSocket communication

Dedicated apex domain infrastructure

Cloudflare protection hiding the original server location

By placing the infrastructure behind Cloudflare, the attackers made it significantly harder for defenders to identify and disable their backend systems.

A simple domain blocklist would no longer be enough.

Deep Anlysis: How Banana RAT Reflects the Future of Cybercrime Operations

Commands and Detection Perspective

Search suspicious Banana RAT infrastructure indicators
grep -R "servidor_completo_pool.py" /var/log/
grep -R "ofuscador.py" /var/log/

Monitor suspicious PowerShell execution

Get-WinEvent -LogName Security | findstr PowerShell

Search unusual scheduled task creation

schtasks /query /fo LIST /v

Malware Evolution Analysis

Banana RAT’s latest development demonstrates that modern malware campaigns are no longer simple criminal scripts operated by individuals.

The exposed infrastructure resembles a commercial software platform.

Attackers created automation systems capable of:

Generating malware variants

Managing delivery operations

Protecting communication channels

Updating persistence techniques

Rotating infrastructure

This approach mirrors legitimate software development practices.

The difference is that the final product is designed for unauthorized access and financial theft.

The discovery of the backend builder provides defenders with a rare opportunity because it exposes the development process behind the malware.

Security teams normally analyze finished malware samples, but this incident reveals how the malware is created.

Understanding the creation process allows researchers to predict future variants.

The transition from static domains to machine-generated communication endpoints represents a significant improvement in attacker resilience.

Traditional security strategies based on domain blocking become less effective when every victim receives a unique communication path.

The use of encrypted WebSockets also shows that attackers are adapting to modern network monitoring environments.

Many organizations now inspect HTTP traffic, forcing criminals to move toward encrypted and more flexible protocols.

The Cloudflare layer adds another defensive challenge.

Instead of directly communicating with attacker infrastructure, defenders see a legitimate service acting as a shield.

This does not make the attack invisible, but it increases investigation complexity.

The hardcoded fallback IP address discovered inside the newer payload became the key mistake made by the attackers.

Even advanced malware operations often leave behind small technical fingerprints.

The connection between 149[.]56[.]12[.]51 and previous Banana RAT activity allowed researchers to confirm that both malware generations belonged to the same campaign.

This highlights an important cybersecurity lesson:

Attackers can improve their tools, but maintaining operational security across multiple versions remains difficult.

Every update creates new opportunities for researchers to identify relationships.

The Banana RAT campaign also demonstrates the increasing professionalization of cybercrime.

Malware groups now operate like technology companies:

They build automation systems.

They test new versions.

They improve user delivery methods.

They protect infrastructure.

They analyze defender behavior.

The future of malware defense will require similar levels of automation.

Security teams will need AI-powered detection, behavioral analysis, and threat intelligence systems capable of identifying changes rather than only known signatures.

The battle is shifting from detecting malware files to understanding malware ecosystems.

Banana RAT is not dangerous only because of its payload.

It is dangerous because of the infrastructure supporting it.

MITRE ATT&CK Mapping: Banana RAT Techniques

Tactic Technique ID Evidence

Execution Command and Scripting Interpreter: PowerShell T1059.001 PowerShell-based execution, dynamic reconstruction, and memory-focused techniques
Execution Command and Scripting Interpreter: Visual Basic T1059.005 VBS launcher used to execute payloads from ProgramData locations

Evidence Linking Multiple Banana RAT Generations

The Mistake That Exposed the Campaign Connection

Despite implementing advanced evasion methods, Banana RAT operators left behind a critical technical fingerprint.

The newer runtime payload contained a hardcoded fallback IP address:

149[.]56[.]12[.]51

This indicator connected the June 2026 WebSocket-based malware branch with the older May campaign.

The discovery confirmed that both samples were not separate attacks but different generations of the same evolving malware framework.

This case demonstrates that even highly adaptive malware operations can reveal their identity through small implementation mistakes.

What Undercode Say:

Banana RAT represents a clear example of how cybercrime is moving toward industrial-scale operations.

The discovery of the backend builder is more important than the malware sample itself.

It exposes the mindset of modern attackers.

They are no longer creating one-time tools.

They are building platforms.

The use of FastAPI infrastructure shows that malware developers are adopting modern programming frameworks.

The attackers are thinking like software engineers.

They are creating systems that can automatically produce new versions.

This reduces development time and increases campaign longevity.

The shift toward polymorphic payload generation shows that criminals understand the limitations of traditional antivirus detection.

Static signatures are becoming weaker against constantly changing threats.

The dynamic command-and-control model is another major evolution.

Machine-generated domains make traditional blocking strategies less effective.

Security teams must focus more on behavior, communication patterns, and endpoint activity.

The use of encrypted WebSockets demonstrates how attackers are adapting to enterprise security improvements.

As organizations improve network inspection, criminals search for protocols that blend into normal traffic.

The Cloudflare protection layer highlights another important trend.

Attackers increasingly abuse legitimate infrastructure providers to hide their operations.

This creates a difficult balance between blocking threats and avoiding disruption to legitimate services.

The Banana RAT case also proves the value of threat intelligence sharing.

Without comparing samples from different time periods, researchers might have viewed the May and June versions as unrelated malware.

Historical analysis revealed the connection.

Cybersecurity teams should preserve and analyze old indicators because yesterday’s samples can explain tomorrow’s attacks.

The attackers’ biggest weakness was not their technology.

It was their operational mistake.

A single fallback IP address exposed the relationship between different malware generations.

This demonstrates that even advanced attackers struggle with perfect secrecy.

The future of malware defense will require continuous monitoring.

Organizations cannot rely only on known indicators.

They must detect unusual behavior.

They must understand attacker infrastructure.

They must analyze malware development patterns.

Banana RAT is a warning that financially motivated malware is becoming more automated, adaptive, and professional.

The next generation of threats will likely combine artificial intelligence, automated malware generation, and advanced infrastructure management.

Defenders must evolve at the same speed.

✅ Confirmed: Banana RAT has been associated with financial targeting activity, particularly campaigns affecting Brazilian users and Pix-related fraud operations.

✅ Confirmed: Researchers identified exposed infrastructure containing malware-building components, including scripts used for payload generation and obfuscation.

❌ Unconfirmed: The exact identity of the threat actors operating Banana RAT remains unknown, and attribution cannot be confirmed solely from infrastructure evidence.

Prediction

(+1) Banana RAT and similar Malware-as-a-Service platforms will likely continue becoming more automated, using AI-assisted development, dynamic infrastructure, and personalized payload generation to evade detection.

(+1) Security vendors will increasingly focus on behavioral detection and infrastructure analysis instead of relying mainly on malware signatures.

(-1) Organizations that depend only on domain blocking and traditional antivirus solutions will continue struggling against adaptive malware campaigns.

(-1) Financial malware targeting banking systems and payment platforms will likely increase as attackers improve automation and delivery methods.

(+1) Future investigations will likely uncover more exposed criminal development environments, providing defenders with valuable insight into attacker workflows.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube