Dominic Jainy’s deep understanding of machine learning and blockchain infrastructure offers a compelling vantage point for analyzing the industrialization of modern cyber-attacks. As threat actors move away from static infection methods, Jainy’s insights into the automated “malware factories” powering campaigns like Banana RAT are invaluable for security professionals who must defend against increasingly fluid threats. In this discussion, we examine the recent discovery of a backend server that does not just host malware, but actively manufactures it, utilizing complex scripts to ensure each infection is uniquely disguised and difficult to trace. We explore the transition from predictable, typo-squatted domains to hashed WebSocket communication, highlighting how a single exposed IP address at 198.245.53.26 can reveal the blueprint of a global banking fraud operation. Our conversation covers the sophisticated evolution of the Banana RAT trojan, the technical shifts between its May and June 2026 iterations, and the implications of script-based payload generation for the future of financial security.
The discovery of an exposed backend server hosting a payload generator marks a significant shift from traditional malware hosting to active manufacturing; how does this change the way we perceive the lifecycle of a banking trojan like Banana RAT?
Finding a server like the one at 198.245.53.26 is like stumbling upon a hidden assembly line rather than just a finished product in a warehouse. Traditionally, we might find a static malware sample and write a signature for it, but with the discovery of the servidor_completo_pool.py script, we are seeing the “warm-up” of payload pools in real-time. This backend script is designed for ongoing production, pulling source files from a web directory to generate fresh variants in batches rather than one-off files. It creates a sense of an endless, shifting tide where the malware is constantly being refined and disguised before it ever reaches a victim’s machine. For a defender, this means the battle isn’t against a single file like msedge.txt, but against a dynamic process that can adapt its surface-level appearance to bypass standard blocklist-based defenses almost instantly.
You mentioned the use of a second script called ofuscador.py alongside the payload generator; what specific role does this play in the polymorphism of the malware, and why is it so effective against standard detection?
The ofuscador.py script is the “master of disguise” for this operation, taking plain, recognizable PowerShell commands and rewriting them into scrambled character sequences. When the malware lands on a host, these sequences are reassembled and executed in memory, which feels like a magician pulling a rabbit out of a hat—you don’t see the rabbit until it’s already there. Because the script can change the character sequence every time it runs, the SHA256 hash of the payload changes, meaning a hash like 443C0A821C214471D74B51093AB3D69BB9BEE54DCDA2551E4F12707 from an earlier version becomes completely irrelevant for the next one. It forces security teams to move away from simple file-based detection and instead focus on the underlying behavior, such as unexpected hidden PowerShell activity. This constant mutation creates a heavy cognitive load for analysts who are trying to keep up with a threat that looks different every time it is detonated in a sandbox.
The comparison between the late May 2026 and early June 2026 detonations shows a rapid evolution in evasion techniques; how did the attackers transition from predictable structures to more randomized persistence methods?
In late May, the attackers were still using somewhat “noisy” indicators, such as the lookalike domain c.windowns-cdn.com and fixed file paths that mimicked legitimate Windows update components like MicrosoftEdgeUpdateCore.exe. It was a classic deception, but one that left a stable fingerprint for researchers at ANY.RUN to track via scheduled tasks. By early June, however, the campaign had matured significantly, dropping that predictable structure in favor of randomly generated installation folders and file names for every single infected machine. They also shifted their persistence mechanism to a VBS launcher, often named something like c9dba5b0552d.vbs, paired with a hidden scheduled task that runs with system-level privileges. This move toward randomization and higher-level privilege escalation makes the malware much more resilient to automated cleanup tools and manual discovery by IT administrators.
Communication is another area where Banana RAT has seen significant upgrades, specifically moving toward encrypted WebSocket channels; what does this change in network behavior mean for enterprise-level domain blocking?
The shift to an encrypted WebSocket channel using addresses derived from hashed identifiers is a sophisticated way to hide in plain sight. For instance, the newer branch resolves subdomains like 52facc3b24f8bad9c5c56819e385f3a1.testewin.com, where the long string is unique to the infected computer, making it nearly impossible to block via a simple list of domains. Even if you block one subdomain, the attacker can just generate another through their base apex domain, testewin.com. During the June 2026 detonation, we also saw the malware resolving to Cloudflare edge IPs like 104.21.39.172 and 172.67.142.55, which adds another layer of legitimacy and complexity. By masking the true destination of the traffic behind a reputable CDN and using unique hashes for each host, the operators ensure that their command-and-control infrastructure remains elusive and highly targeted.
Despite the high level of randomization, researchers identified a fallback IP address, 149.56.12.51, that remained constant; how does this single static link help defenders understand the broader scope of the operation?
That fallback IP address is the “Achilles’ heel” of the entire operation, acting as a definitive link that binds the older, more amateurish May branch to the highly sophisticated June branch. Even as the operators scrambled their PowerShell code and randomized their file paths, they kept this core piece of infrastructure as a safety net, likely to ensure they wouldn’t lose contact with infected hosts if their more advanced C2 methods failed. It is a visceral reminder that even the most automated malware factories still rely on a central backbone. For a security operations center (SOC), this IP is a goldmine; it allows them to look back through their logs and see if any past “minor” alerts were actually part of this larger, evolving Banana RAT campaign. It provides the continuity needed to build a fuller picture of the threat actor’s evolution rather than just seeing a series of disconnected, random snapshots.
Given that Banana RAT is specifically designed for banking fraud and stealing credentials, what specific indicators should financial institutions look for to prevent these automated variants from interfering with customer transactions?
Financial institutions need to look for specific behavioral patterns, such as the execution of stage-2 stagers like st.php.malw or the creation of suspicious VBS launchers in the ProgramData directory. The malware often disguises itself using banking-related lures, as seen with the file Fatura-BtgPactual-22568.bat, which aims to trick users into initiating the infection chain during a high-stress moment like paying an invoice. Beyond just file names, monitoring for hidden PowerShell activity that reassembles character sequences is critical, as this is the calling card of the ofuscador.py script. Teams should also proactively block the known indicators of compromise, such as the fallback domain cdn.testewin.com, and keep a close eye on any unauthorized scheduled tasks that appear with system-level privileges. Since the goal is the theft of credentials and the interference of payment sessions, any unusual network traffic to Cloudflare edge IPs that doesn’t match known business applications should be treated as a high-priority warning sign.
What is your forecast for the future of polymorphic banking malware like Banana RAT as these “malware-as-a-service” style backend generators become more accessible?
I believe we are entering an era where the “human-in-the-loop” for malware distribution will become increasingly rare, replaced by fully automated pipelines that use machine learning to optimize evasion in real-time. We will likely see these backend generators, similar to the servidor_completo_pool.py we discussed, start to incorporate AI to analyze which specific obfuscation techniques are successfully bypassing EDR systems and then pivot the entire campaign’s “look” within minutes. The persistence of Banana RAT and its ability to reinvent itself in just a few weeks—moving from fixed paths in May to full randomization in June—is just the beginning of a much faster cat-and-mouse game. For defenders, this means that the future of cybersecurity will not be about chasing hashes, but about deploying our own automated, behavioral-based defenses that can detect the “scent” of a threat regardless of the shape it takes. The financial sector, in particular, will need to embrace a zero-trust architecture where no process, even one looking like a legitimate Windows update, is allowed to interact with sensitive banking sessions without rigorous, ongoing verification.
