Banana RAT Operators Exploit Exposed Backend to Generate Polymorphic Payloads

An exposed backend server is actively generating new, polymorphic versions of the Banana RAT banking trojan, complicating detection for defenders.

CSBadmin
2 Min Read

Exposed Generator Powers Malware Production

Researchers have uncovered a campaign in which the Banana RAT remote access trojan is being produced via an exposed backend server that actively generates new payload variants on demand. The server, discovered through routine internet scanning on IP address 198.245.53.26, was found to host a full delivery platform. This platform included a Python script called servidor_completo_pool.py that pre-generates malware payloads in batches, as well as an obfuscation script named ofuscador.py that scrambles PowerShell commands into unique character sequences at execution time.

According to analysis from ANY.RUN, the infrastructure supported the creation of at least two distinct versions of Banana RAT within a few weeks: one detonated in late May 2026 and another in early June 2026. The obfuscation technique allows the same base malware to appear different each time it infects a machine, making signature based detection far less reliable.

How the Two Variants Differ

The older version of Banana RAT relied on fixed file names and folder paths that mimicked legitimate Windows update components, along with a misspelled lookalike domain. Persistence was achieved through a scheduled task tied to a named executable, providing a stable fingerprint for defenders. In contrast, the newer variant uses randomly generated installation folders and file names for each infected machine, and persistence shifts to a VBS launcher combined with a hidden scheduled task running at system level privileges. Communication with command and control servers now occurs over an encrypted WebSocket channel, with the server address built from a hashed identifier unique to each victim. Despite these changes, both branches share a fallback IP address embedded in the code, linking the newer version to the older infrastructure.

Security teams are advised to block traffic to the known indicators, monitor for suspiciously named scheduled tasks, and treat unexpected hidden PowerShell activity as a potential sign of infection.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.