Inside Banana RAT: From Build Server to Banking Fraud

An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.

Pulse ID: 6a0ce3af84b924ad15e27920
Pulse Link: https://otx.alienvault.com/pulse/6a0ce3af84b924ad15e27920
Pulse Author: AlienVault
Created: 2026-05-19 22:26:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #CryptoExchange #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Banking Trojan Targets Crypto Firms with Sophisticated Attacks

A new banking Trojan, dubbed TCLBanker, is wreaking havoc on crypto and finance platforms, allowing hackers to remotely control infected systems and steal sensitive info. This sophisticated attack, linked to North Korea's notorious Lazarus Group, has already led to the largest crypto platform hack of 2026.

https://osintsights.com/banking-trojan-targets-crypto-firms-with-sophisticated-attacks?utm_source=mastodon&utm_medium=social

#Tclbanker #BankingTrojan #LazarusGroup #NorthKorea #CryptoFirms

Learn how TCLBanker, a banking Trojan, targets crypto and finance platforms with sophisticated attacks, and protect your business from this growing threat now.

OSINTSights

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

Pulse ID: 6a01c05dfa507c2e736c894e
Pulse Link: https://otx.alienvault.com/pulse/6a01c05dfa507c2e736c894e
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:41:17

#Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

TCLBanker is targeting Android users with banking trojan capabilities - stealing credentials, intercepting messages, and abusing trust at scale. Mobile is still prime territory. 📱💸 #BankingTrojan #AndroidSecurity

https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

TCLBANKER targets 59 financial platforms using WhatsApp worms and Outlook phishing, increasing banking credential theft risks.

The Hacker News

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Pulse ID: 6a016000ee4c7bcaf4f232e3
Pulse Link: https://otx.alienvault.com/pulse/6a016000ee4c7bcaf4f232e3
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:08

#Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

🚨 Alert: The new #EternidadeStealer is using WhatsApp to spread malicious files to steal banking and crypto data from users. Watch out and don’t open unexpected attachments, plus verify messages from contacts.

Read: https://hackread.com/eternidade-stealer-whatsapp-steal-banking-data/

#CyberSecurity #Malware #WhatsApp #BankingTrojan #InfoSec

New Eternidade Stealer Uses WhatsApp to Steal Banking Data

📰 Herodotus Android Malware Mimics Human Typing to Bypass Biometric Security

🤖 New "Herodotus" Android banking trojan mimics human typing to bypass biometric security! Sold as MaaS, it takes over devices to steal from banking & crypto apps. Active in Italy & Brazil. #Android #Malware #BankingTrojan #MobileSecurity

🔗 https://cyber.netsecops.io/articles/herodotus-android-malware-mimics-human-typing-to-evade-detection/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

The Herodotus Android banking trojan, a new MaaS offering, evades behavioral biometric detection by mimicking human typing patterns to conduct fraudulent transactions.

CyberNetSec.io