Hackers use AI to fake a bank site and seize victims' PCs

Security researchers have uncovered a slick new way criminals are robbing online banking customers: let an AI build the trap for them. Zscaler's ThreatLabz team found a fake website, generated with an AI-powered site builder, that impersonates a major Brazilian bank and tricks visitors into running a single command that hands their PC to an attacker. The malware it installs, which the researchers named SmartRAT, can watch the screen, log every keystroke, and even swap the QR codes people scan to approve bank transfers.

How the attack works

The lure leans on a technique called ClickFix, where victims are talked into "fixing" a fake problem by pasting a command themselves, sidestepping the download warnings antivirus tools rely on. A visitor to the counterfeit page (the typosquatted domain cartaobb[.]com, mimicking the bank's real cartaobrb[.]com[.]br) is shown a fake Cloudflare CAPTCHA, then a full-screen fake Blue Screen of Death that locks the browser and pressures them to press Win+R and paste a PowerShell command. That command quietly downloads and runs SmartRAT from 64[.]95[.]13[.]238. ClickFix has fast become a criminal favorite, recently used to spread malware through a hijacked university website and to turn hundreds of Ghost CMS sites into delivery nodes.

ThreatLabz says the page itself betrays its origins: the source code is littered with templated, AI-generated comments, and it actively blocks the browser developer tools and the right-click menu to deter inspection.

What SmartRAT can do

SmartRAT is a banking trojan written entirely in PowerShell and focused on Brazil. Once running, it sets up persistence as a fake "MicrosoftEdgeUpdateCore" scheduled task or Windows service, then beacons to its command server (c[.]windowsupdate-cdn[.]com, falling back to 162[.]141[.]111[.]227) over TCP port 51888. From there an operator can take full remote control: move the mouse and type, freeze the victim's input, stream the screen, and pop up convincing fake overlays branded for Itau, Bradesco, Santander, Banco do Brasil, Caixa and others to harvest passwords. Most striking, it watches for banking and crypto windows and can hijack on-screen QR codes, silently replacing a legitimate payment QR with the attacker's so the victim authorizes a fraudulent transfer.

A telling mistake

The same AI-assisted approach left a hole in the crooks' own tooling. ThreatLabz found the web-based control panel checked login only in the browser, hiding the login screen whenever two values were present in local storage with no server-side validation, meaning anyone could set those values and walk straight into the panel. Trend Micro independently documented the same malware family, which it calls Banana RAT, lending the findings cross-vendor corroboration.

What you should do

Never paste a command into the Run box or a terminal because a web page told you to, no matter how official the "security check" looks. Banks do not ask you to run commands. On Windows, treat an unexpected full-screen Blue Screen that demands keyboard input as a red flag, and reach online banking only by typing the address yourself.

Indicators (defanged): cartaobb[.]com, 64[.]95[.]13[.]238, 162[.]141[.]111[.]227, c[.]windowsupdate-cdn[.]com, TCP 51888.
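A defender-side triage script, added here and not part of the briefing or the ThreatLabz research, that re-arms the defanged indicators above in memory and tags Sysmon-style log lines for the behaviours described under "What SmartRAT can do": the fake MicrosoftEdgeUpdateCore persistence name, beacons to TCP 51888, the C2 hostnames and IPs, and a Win+R-launched hidden PowerShell that the ClickFix lure produces. The log lines and their field layout are constructed for the example; the `<redacted>` placeholder stands in for the pasted command.

```python
import re

# Indicators quoted in the briefing; kept defanged here and re-armed only in memory for matching.
DEFANGED_IOCS = {
    "cartaobb[.]com": "typosquat_domain",
    "c[.]windowsupdate-cdn[.]com": "c2_domain",
    "64[.]95[.]13[.]238": "payload_host",
    "162[.]141[.]111[.]227": "c2_fallback_ip",
}
C2_PORT = 51888
PERSISTENCE_NAME = "microsoftedgeupdatecore"  # fake scheduled task / service name (lower-cased)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


def classify(line: str) -> list:
    """Tag one Sysmon-style log line with every SmartRAT behaviour it matches."""
    low = line.lower()
    tags = [tag for ioc, tag in IOCS.items() if ioc in low]
    port = re.search(r"destinationport:(\d+)", low)
    if port and int(port.group(1)) == C2_PORT:
        tags.append("c2_port")
    if PERSISTENCE_NAME in low and any(k in low for k in ("schtasks", "new-service", "sc.exe")):
        tags.append("persistence_name")
    # ClickFix pattern: Win+R spawns PowerShell under explorer.exe with a hidden window or bypass flag
    if "parentimage:c:\\windows\\explorer.exe" in low and "powershell" in low and ("-w hidden" in low or "bypass" in low):
        tags.append("clickfix_launch")
    return tags


def scan(lines):
    """Return {line_index: tags} for every line that matched at least one behaviour."""
    return {i: t for i, line in enumerate(lines) if (t := classify(line))}


# Constructed sample lines (not real telemetry); field names follow Sysmon's key:value style.
SAMPLE_LOGS = [
    "EventID:1 Image:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage:C:\\Windows\\explorer.exe CommandLine:powershell -w hidden -ep bypass -c <redacted>",
    "EventID:3 Image:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe DestinationIp:162.141.111.227 DestinationPort:51888 Protocol:tcp",
    "EventID:1 Image:C:\\Windows\\System32\\schtasks.exe CommandLine:schtasks /create /tn MicrosoftEdgeUpdateCore /tr powershell.exe",
    "EventID:22 Image:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe QueryName:c.windowsupdate-cdn.com",
    "EventID:3 Image:C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp:203.0.113.10 DestinationPort:443 Protocol:tcp",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOGS).items():
        print(idx, tags)
```

The last sample line is ordinary browser traffic and produces no tags, which is the control case a rule like this should be checked against before deployment.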

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
