When a Bank Lookalike Becomes an Execution Trap
Typosquatted domains, AI-built lure pages, and a ClickFix prompt can turn a routine web visit into PowerShell execution and a banking trojan dropper.
A fake bank site does not need to break encryption or exploit a browser bug to be dangerous. In this case, the sharper risk is psychological: a polished lookalike page, built with AI-assisted tooling, nudges the visitor into copying a command and running it themselves. That is the essence of ClickFix - not a malware family, but a social-engineering handoff from web page to code execution.
Fast Facts
- Multiple typosquatting domains were used to host malicious content.
- An AI-created fake Brazilian bank site was paired with a ClickFix lure.
- The payload was identified as SmartRAT, described as a PowerShell-based remote access trojan and banking trojan.
- Typosquatting works by registering a lookalike domain that does not require compromise of the legitimate brand.
- Zscaler has separately reported large-scale AI-generated phishing infrastructure, showing how cheap lure production is becoming.
How the trap works
The danger here is layered. First comes domain impersonation: a near-match address is registered to catch people who trust what they see in a browser bar. Then comes the lure page itself, which can now be generated faster and with less manual effort than older phishing kits required. The final step is ClickFix-style coercion, where the page urges the user to paste a command into PowerShell or a similar Windows tool.
That matters because PowerShell is a legitimate administration utility. When an attacker can persuade the victim to launch it, the intrusion can bypass some of the signals defenders rely on, such as obvious malware attachments or a noisy exploit chain. The result is a user-driven initial access path that can look ordinary until the command is already running.
SmartRAT, in this context, should be read as a post-click payload rather than a flashy exploit kit. The key issue is not just the malware name, but the delivery model: a fake financial portal, a prompt that borrows the language of troubleshooting or verification, and a command execution step that makes the browser itself part of the attack path.
At the time of writing, public information has not fully established the complete scope of affected users, the exact bank being impersonated, or whether any downstream financial systems were compromised. The available information supports a risk analysis, not a definitive claim of broader compromise.
Why defenders should care
This pattern is important because it lowers the attacker’s cost while raising the quality of the lure. AI-assisted page generation can make localized branding, layout, and language easier to mass-produce. Typosquatting gives those pages a believable home. ClickFix supplies the execution step. Together, they create a chain that depends less on technical exploitation and more on convincing a human to cooperate.
For defenders, that means URL filtering alone is not enough. The stronger controls are behavioral: monitor for browser-to-PowerShell transitions, suspicious clipboard activity, encoded commands, and unusual use of system utilities from user sessions. Brand monitoring and lookalike-domain tracking also matter, because the infrastructure itself is part of the weapon.
The broader lesson is simple: AI does not have to make an attack magical to make it effective. Sometimes it just makes the fake bank look real enough for one click to become execution.
TECHCROOK
Hardware security key: Use a hardware security key for phishing-resistant login protection on important email, banking, and admin accounts. It adds a physical second factor and is widely supported by modern services. Pair it with strong passwords and offline recovery codes.
WIKICROOK
- Typosquatting: Registering a lookalike domain to catch users who mistype or misread a legitimate brand name.
- ClickFix: A social-engineering trick that persuades users to paste and run commands themselves.
- PowerShell: A Windows command-line and scripting tool often abused for malware staging and execution.
- Remote access trojan (RAT): Malware that lets an operator control an infected system remotely.
- Living-off-the-land binary: A legitimate system tool abused by attackers to reduce obvious malware artifacts.