AI-Generated ClickFix Banking Trojan Campaign Delivers SmartRAT in Brazil
Threat actors used an AI-generated typosquatting site impersonating a Brazilian bank to deliver SmartRAT, a PowerShell-based banking trojan built for financial theft. Victims were funneled through a fake Cloudflare CAPTCHA and then a fullscreen fake BSOD/system recovery page that pressured them to paste and run a malicious PowerShell command, which fetched additional payload stages from attacker-controlled infrastructure. Researchers linked the campaign to delivery from 64.95.13.238, command-and-control at windowsupdate-cdn[.]com, and a fallback IP of 162.141.111.227.
Once installed, SmartRAT established encrypted raw TCP communications over port 51888, persisted through scheduled tasks, registry Run keys, and optionally a Windows service named MicrosoftEdgeUpdateCore, and could run with elevated privileges while still interacting with the user session. The malware monitored Brazilian banking, payment, and cryptocurrency windows, used keylogging and fake bank-branded overlays to steal credentials, and supported QR-swap fraud by replacing on-screen banking QR codes with attacker-controlled images. It also provided full RAT capabilities including screen streaming, file exfiltration, clipboard manipulation, process and service listing, arbitrary PowerShell execution, and input freezing; researchers additionally found the web-based SmartRAT control panel had a critical authentication weakness, relying on client-side localStorage checks without server-side validation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ThreatLabz publishes SmartRAT campaign analysis
On 2026-06-17, Zscaler ThreatLabz published analysis of SmartRAT, describing it as a Brazil-focused PowerShell banking RAT used for financial theft through remote control, keylogging, fake bank overlays, and QR code interception. The report also documented SmartRAT persistence methods, encrypted TCP communications, targeted banking-window monitoring, and a critical client-side-only authentication weakness in the malware's web-based C2 panel.
Threat actors run March 2026 ClickFix campaign delivering SmartRAT
In March 2026, threat actors used an AI-generated typosquatting site impersonating a Brazilian bank and a ClickFix lure to trick victims into executing a PowerShell command that installed the SmartRAT banking trojan. The infection chain used a fake Cloudflare CAPTCHA and a fullscreen fake BSOD/system recovery page to pressure victims into running the malicious command.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse PowerShell Commands to Deliver SmartRAT Through Brazilian Bank Phishing Page
cybersecuritynews.com
Open sourceClickFix Campaign Generated via AI Delivers SmartRAT | Community Portal | Gurucul
community.gurucul.com
Open sourceClickFix Campaign Generated Via AI Delivers SmartRAT - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceAI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz
zscaler.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Campaigns Deliver Modular RATs, Banking Trojans, and macOS Stealers
Researchers reported multiple **ClickFix** campaigns using fake CAPTCHA or reCAPTCHA prompts to trick users into manually running malicious commands, with payloads tailored by platform and victim profile. On Windows, one campaign delivered a modular NodeJS-based RAT and infostealer through a malicious MSI installer, loading key capabilities only in memory after command-and-control was established and using `gRPC` over Tor for persistent communications. An operational security failure exposed the malware’s backend protocol definitions and admin panel API, revealing a malware-as-a-service operation with multi-operator support, Telegram alerts, automation rules, and cryptocurrency wallet tracking. The malware also fingerprinted victims extensively and established persistence through the Windows Run registry key as **LogicOptimizer**. A separate ClickFix chain attributed with high confidence to **Grandoreiro** targeted users of eight Brazilian banks by luring victims through a fake reCAPTCHA page and launching a malicious PowerShell sequence that sideloaded a Delphi banking trojan with legitimate GoToMeeting and Nero binaries. The malware deployed banking overlays, intercepted **PIX** QR-code payments, added Microsoft Defender exclusions, and stole credentials, device information, signatures, and payment confirmation codes. Netskope also documented a macOS variant that used AppleScript and a persistent fake password dialog to harvest Keychain data, browser cookies, saved credentials, extension storage, and cryptocurrency wallet data; the theft of live session cookies can enable attackers to bypass MFA by hijacking authenticated sessions.
May 1, 2026
JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that **JanelaRAT**, a Latin America-focused banking trojan derived from **BX RAT**, is actively targeting online banking and cryptocurrency users, with the heaviest activity in **Brazil** and **Mexico** and additional campaigns observed in **Chile** and **Colombia**. Kaspersky said it recorded **14,739 detections in Brazil** and **11,695 in Mexico** during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using **MSI droppers**, **DLL sideloading**, obfuscated **.NET** payloads, and persistence through **Startup-folder LNK files**. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software. Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive **TCP** and **HTTP** command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and **MFA** tokens while suppressing user interaction.
Apr 22, 2026
SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport, StealC, and Sectop RAT
Researchers documented a **SmartApeSG** malware campaign using fake CAPTCHA pages and the **ClickFix** social-engineering technique to trick victims into launching an initial script that led to a multi-stage infection. In observed intrusions, **Remcos RAT** executed first, followed within minutes by **NetSupport RAT**, then **StealC**, and later **Sectop RAT** identified as **ArechClient2**. The activity relied on compromised web infrastructure, rotating delivery domains, attacker-controlled command-and-control servers, and multiple payload packages, with several stages using **DLL side-loading** through legitimate executables while NetSupport RAT was deployed as a legitimate remote administration tool configured for malicious control. Separate analysis tied **Sectop RAT / ArechClient2** to additional follow-on infections, including a chain where a victim seeking cracked software downloaded a password-protected archive that installed **Lumma Stealer** before fetching a 64-bit DLL from `enotsosun[.]pw` and executing it via `rundll32` using the `LoadForm` export. Investigators reported concrete indicators including malware hashes, filenames, persistence artifacts, malicious URLs, and network traffic from Sectop RAT to `91.92.241[.]102` over ports `9000` and `443`, reinforcing that ArechClient2 is being used across varied delivery lures as part of broader credential theft and remote-access operations.
Jun 1, 2026