SHADOW-WATER-063 is a threat cluster tracked by Trend Micro and associated with an ongoing Brazilian banking malware campaign involving the Banana RAT trojan. The activity is highly targeted against Brazil’s financial sector, including 16 major Brazilian financial institutions and several Brazilian-localized cryptocurrency exchanges. Reported targets include Itau, Bradesco, Santander, Caixa, and Banco do Brasil. The cluster delivers Banana RAT through fake NF-e (Nota Fiscal Eletronica) invoice lures, including malicious batch files such as "Consultar_NF-e.bat," distributed via WhatsApp messages or phishing links. The attack chain targets Windows systems and uses hidden PowerShell execution, staged deployment, in-memory decryption of AES-256 encrypted payloads, layered obfuscation, and persistence via a hidden scheduled task. The operation also uses a polymorphic build pipeline that generates byte-unique payloads per victim request. Banana RAT functions as a remote fraud and surveillance platform. Reported capabilities include remote input control, keylogging, live screen streaming, fake banking overlays that imitate legitimate security update screens, and interception or replacement of Pix QR codes during transactions. Command-and-control communications were reported over port 443 using a custom binary protocol encrypted with AES-256-CBC, with typosquatted infrastructure such as windowsk-cdn[.]com and hardcoded fallback IP addresses for redundancy. Trend Micro reported that internal server-side code tied to the operation was written entirely in Brazilian Portuguese, and that the operators used the internal codename "Projeto Banana." The reporting also noted an assessment that the operation may be run as a Malware-as-a-Service platform. No aliases or sub-groups beyond SHADOW-WATER-063 were directly identified in the provided content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
15 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a targeted Brazilian banking trojan campaign using Banana RAT disguised as NF-e electronic invoice files to compromise victims in Brazil’s financial sector and localized cryptocurrency exchanges.
Associated with the Banana RAT banking trojan targeting Brazilian financial institutions. The operation uses polymorphic payload generation, staged deployment, fileless PowerShell execution, layered obfuscation, and AES-wrapped payloads to evade detection, enabling remote input control, keylogging, screen streaming, and Pix QR code fraud.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.