Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks

ID: d6c5302a-abe4-5136-b71f-b4fdc056bbfd

STIX ID: report--d6c5302a-abe4-5136-b71f-b4fdc056bbfd

Feed Name: HackRead

Threat Score: 80/100

Date Published: 2026-05-20

Date Updated: 2026-05-20

Author: Deeba Ahmed

TrendAI (formerly Trend Micro) uncovered an active campaign named 'Projeto Banana', operated by a group using the temporary name SHADOW-WATER-063, that delivers Banana RAT to Brazilian banking customers via phishing/WhatsApp lures (a fake invoice file, Consultar_NF-e.bat). The malware uses a hidden PowerShell loader and fileless in-memory execution, and evades detection via a FastAPI-based crypter that generates many unique variants. It provides real-time theft capabilities (screen streaming, keylogging, BlockInput, full-screen overlays and Pix QR-code swapping) to intercept and redirect payments from multiple major Brazilian banks and crypto exchanges. Researchers captured infrastructure and samples from live servers (17–22 April 2026) and recommend blocking the identified command domains.