ThreatCluster

Banana RAT Exploits Exposed Server for Polymorphic Banking Malware Creation

First seen 8 Jul 2026, 19:12 UTC GbhackersCybersecuritynews 77% similarity 64

Article Content

Browse articles
ThreatCluster

An exposed server at 198[.]245[.]53[.]26 has been linked to the Banana RAT, a remote access trojan associated with Brazilian banking fraud. This server hosts a payload-generation backend and obfuscation tools, allowing attackers to create new malware variants on demand. The infrastructure includes static files and a FastAPI-based builder, which can generate polymorphic banking malware. The discovery was made via Shodan, highlighting the vulnerabilities in the RAT's operational security. Researchers are now able to analyze the obfuscation techniques used in the malware. The active exploitation of this infrastructure poses a significant threat to financial institutions and their customers. Current assessments indicate that the malware can evade detection by security systems, increasing the risk of successful attacks. The situation remains critical as the server is still active and being utilized for malicious purposes.

Key Points: • An exposed server is generating new variants of Banana RAT malware on demand. • The infrastructure includes tools for payload generation and obfuscation. • This poses a significant risk to banking institutions and their customers.

ThreatCluster AI

Timeline

2026-07-08
Exposed server discovered
A server hosting Banana RAT's payload generator and obfuscation tools was found via Shodan, revealing its active use for malware creation.
Gbhackers
2026-07-08
Malware variants created on demand
The exposed backend server is being used to build polymorphic banking malware variants, enhancing evasion techniques against security measures.
Cybersecuritynews

Community

Browse all →