Hackers Exploit PowerShell to Deploy SmartRAT via Brazilian Bank Phishing

A sophisticated cyberattack campaign has emerged, targeting Brazilian banking customers through meticulously crafted phishing pages that trick victims into running PowerShell commands which deploy a potent malware known as SmartRAT. This campaign combines advanced social engineering tactics with AI-generated web content, marking a significant evolution in cybercriminal methodologies.

The attackers have developed a counterfeit website that closely resembles a prominent Brazilian bank’s official site. This fraudulent platform features a convincing credit card application page accompanied by a deceptive security verification prompt. Unsuspecting visitors are coerced into executing a malicious PowerShell command, which surreptitiously downloads and installs SmartRAT onto their systems. Once installed, SmartRAT possesses capabilities such as keystroke logging, screenshot capture, QR code interception, and the ability to display full-screen fake banking forms to harvest sensitive credentials.

Analysts from Zscaler ThreatLabz, who identified this campaign in March 2026, observed indicators suggesting that the phishing page was constructed using an AI-powered website creation tool. The page’s source code exhibited characteristics typical of AI-generated content, including templated section comments and automated structuring, which are hallmarks of such tools.

This campaign’s effectiveness is amplified by its multi-layered deception techniques. Initially, the phishing page presents a counterfeit Cloudflare CAPTCHA, followed by a simulated Blue Screen of Death (BSOD) to instill urgency and panic in victims. This method, referred to as ClickFix, manipulates users into believing their system has crashed, prompting them to follow specific instructions to resolve the fabricated issue.

SmartRAT is a comprehensive remote access tool written entirely in PowerShell, granting attackers extensive control over compromised systems. It actively monitors browser activity for banking-related sessions and notifies the attacker when a victim accesses financial applications or websites. The attacker can then seize control of the screen, inject keystrokes, disable user input, and exfiltrate any entered data.

The infection process begins when a victim unknowingly pastes a malicious PowerShell command into the Windows Run dialog. This command connects to a remote server at 64.95.13.238 to retrieve a file named st.txt, which functions as a concealed dropper. The dropper subsequently downloads another file, payload.php, containing an AES-encrypted PowerShell script that unpacks and executes SmartRAT.

To evade detection, SmartRAT disguises its files and scheduled tasks under names associated with legitimate Microsoft Edge updates, blending seamlessly with authentic Windows processes. This obfuscation complicates efforts to identify and remove the malware from infected systems.
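A defender-side detection sketch for the two observations above: a PowerShell launch from the Run dialog that reaches a raw IP address, and scheduled tasks that borrow Microsoft Edge update names while pointing at something other than the real updater. This is an added example written for this page, not code from Zscaler or from the malware; the event field names and the sample telemetry are constructed, and the only indicator taken from the write-up is the dropper host.

```python
import re
from typing import Dict, List

# Host named in the write-up as the source of the st.txt dropper (indicator from the page, not constructed).
KNOWN_DROPPER_HOST = "64.95.13.238"
# Download cradles in pasted ClickFix commands usually reach a bare IP rather than a hostname.
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b", re.I)
# Launch flags that are common in pasted one-liners but rare when a user simply opens a console.
EVASION_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s|(?:ep|executionpolicy)\s+bypass)", re.I)
# The genuine Edge updater lives under ...\Microsoft\EdgeUpdate\; anything else using the name is suspect.
LEGIT_EDGE_UPDATER = re.compile(r"\\microsoft\\edgeupdate\\microsoftedgeupdate\.exe$", re.I)

def _first_exe(action: str) -> str:
    # Pull the executable out of a task action, honouring a quoted path that contains spaces.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', action)
    return (m.group(1) or m.group(2)) if m else ""

def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the labels that fire for one endpoint event (field names are an assumed schema)."""
    hits: List[str] = []
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        is_ps = ev.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe"))
        from_explorer = ev.get("parent", "").lower().endswith("explorer.exe")  # Run dialog launches
        if is_ps and from_explorer and (IPV4_URL.search(cmd) or EVASION_FLAGS.search(cmd)):
            hits.append("clickfix_powershell_from_explorer")
        if KNOWN_DROPPER_HOST in cmd:
            hits.append("ioc_smartrat_dropper_host")
    elif ev.get("type") == "task":
        name = ev.get("task_name", "").lower()
        if "edge" in name and "update" in name and not LEGIT_EDGE_UPDATER.search(_first_exe(ev.get("task_action", ""))):
            hits.append("edge_update_task_masquerade")
    return hits

# Constructed sample telemetry (not real captured logs); the pasted command body is elided on purpose.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "... http://64.95.13.238/st.txt ..."'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"powershell.exe"'},  # user opened a console
    {"type": "task", "task_name": "MicrosoftEdgeUpdateTaskMachineCore",
     "task_action": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'},
    {"type": "task", "task_name": "MicrosoftEdgeUpdateTaskUser",
     "task_action": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\edgeupdate.ps1"},
]

def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Classify every event; a SIEM rule would alert on any non-empty label list."""
    return [classify_event(ev) for ev in events]
```

Only the first and last sample events produce labels; the plain console launch and the genuine Edge updater task stay clean, which is the false-positive check a practitioner should keep when tuning the rule.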

This campaign underscores the escalating sophistication of cyber threats, particularly those targeting financial institutions and their customers. The integration of AI-generated content and advanced social engineering tactics signifies a concerning trend in cybercriminal strategies. Users are advised to exercise heightened vigilance when encountering unexpected prompts or instructions online, especially those involving command execution. Financial institutions should bolster their security measures and educate customers about emerging phishing techniques to mitigate the risk of such attacks.