ClickFix Campaign Generated Via AI Delivers SmartRAT

June 17, 2026, 8:25 p.m.

Description

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

Date

  • Created: June 17, 2026, 6:20 p.m.
  • Published: June 17, 2026, 6:20 p.m.
  • Modified: June 17, 2026, 8:25 p.m.

Indicators

  • 64.95.13.238
  • 162.141.111.227
  • http://64.95.13.238/payload.php'

Attack Patterns

Additional Information

  • Finance
  • vfsgloball.net
  • cartaobb.com
  • crefisa.online
  • windowsupdate-cdn.com
  • c.windowsupdate-cdn.com
  • cartaobrb.com.br
  • Brazil