Inside 'Ghost Hacker's' Java-based RAT malware that infiltrated Brazilian banks

He became part of the organization's own communication infrastructure.
Leonardo's malware analyzed company emails with AI to forge internal phishing messages that appeared to come from legitimate sources.

Ghost Hacker's malware was a Java RAT with remote access capabilities, using dynamic domain generation to evade detection and communicating with command servers every 9 hours. The attacker targeted major Brazilian banks and government institutions, distributing malware as fake Java updates to compromise developer systems and financial operations.

  • Leonardo arrested May 2026 in São Paulo and Minas Gerais
  • Java-based RAT malware with 9-hour communication cycles and dynamic domain generation
  • At least five major Brazilian banks compromised; government agencies in São Paulo, Goiás, and Tocantins targeted
  • Data center in Belo Horizonte for storing stolen information
  • Malware distributed as fake Java updates targeting bank developers

Leonardo, known as 'Ghost Hacker', was arrested in May 2026 for developing a Java-based RAT malware targeting Brazilian government and banking systems. The sophisticated script used dynamic domain generation and remote command execution to steal data and credentials.

In early May 2026, police in São Paulo and Minas Gerais arrested a man known only as Leonardo, though the press had already given him a different name: Ghost Hacker. The nickname wasn't his own invention—it was what law enforcement called him, a reference to his habit of operating in the shadowy corners of the internet where criminals trade stolen data, malware, and system vulnerabilities. Those spaces are deliberately hard to navigate and harder still to trace. No fixed IP addresses, heavy encryption, routing that obscures origin. To the police, he was a ghost.

Leonardo was no amateur. He had worked in information technology since the 1990s, holding positions in banks and digital networks, and he had spent decades learning how to find and exploit security weaknesses in servers. He wrote malware. He stole credentials and personal data. He sold access to confidential systems belonging to government agencies and private companies. When arrested, he was released on bail with conditions: electronic monitoring, house arrest at night, his passport confiscated, his driver's license suspended, and a ban on using any internet-connected device without a judge's permission.

What made Leonardo dangerous was not just what he did, but how he did it. Cybersecurity analysts who examined his code found a Remote Access Trojan written in Java—a programming language widely used by banks and major corporations for their backend systems. Once the malware infected a machine, it copied itself into the Windows startup folder under the innocent-sounding name "Java.jar," ensuring it would run automatically every time the computer powered on. The script then began communicating with a command-and-control server every nine hours, a rhythm slow enough to slip past most security defenses. Each time it checked in, it received new instructions, executed them through the system's command line, and reported back to its operator. An attacker using this tool could run commands remotely, steal files, install additional malware, move laterally through a network, or deploy ransomware that would lock up critical files until a ransom was paid.

The malware employed a technique called Domain Generation Algorithm, or DGA, which allowed it to create new domain names dynamically based on mathematical calculations and dates. This meant that even if authorities shut down one command server, the malware could automatically generate new addresses to maintain contact with its operator. It was a form of digital resilience, a way of staying alive even as defenders tried to kill it. The technique is standard in modern malware precisely because it makes detection and blocking nearly impossible—DNS filters become useless when the target keeps changing.

Leonardo's victims included the São Paulo state government, the city of São Paulo, the state comptroller's office, and the state police. Courts in Goiás and Tocantins were compromised. The military police in Goiás fell victim as well. But these government targets, while high-profile, were not where the real money was. The choice of Java as the programming language revealed Leonardo's true focus: the banking sector. Five of Brazil's largest banks were infected, though police have not yet released details about the scope of the breaches. The malware was distributed as a fake Java update, targeting developers who worked in financial institutions and large corporations—people whose access to internal systems made them valuable entry points.

Once inside a bank's network, Leonardo's operation became even more sophisticated. The malware analyzed all company emails and writing patterns using artificial intelligence, identifying the rhythms and language of the organization. It then focused on financial transactions, learning payment dates and the employees who handled them. With that knowledge, the attackers could forge emails that mimicked the company's own communications, spoofing legitimate addresses and launching internal phishing campaigns that looked like IT support requests. Employees would click links thinking they were helping their own company. In reality, they were handing over access to criminals.

The infrastructure behind this operation was substantial. Police discovered that Leonardo maintained a data center in Belo Horizonte capable of storing massive amounts of stolen information. He was not simply a malware writer; he was running a business. He would break into systems, maintain access for months, and then sell that access to other criminal groups—a role known in the security industry as an Initial Access Broker, or IAB. These are the specialists who open the door. Others come in later to steal, encrypt, or extort. Leonardo had invested in the tools and infrastructure to do this at scale, which placed him in a rare category: a highly sophisticated operator working not just against government systems, but against the financial backbone of the country.

The code is a Remote Access Trojan developed in Java, with the capacity to remotely control infected machines
— Gabriel Alves, cybersecurity analyst at ZenoX
The choice of Java is no accident. Most current banks use Java as their backend language, as well as Springboot and SpringSecurity frameworks
— Gabriel Alves, cybersecurity analyst at ZenoX
La Conversación del Hearth Otra perspectiva de la historia
Inventor

Why Java? There are other languages. Why did he choose that one?

Model

Because Java runs the banks. Most major financial institutions use Java for their backend systems, along with frameworks like Springboot. If you want to compromise a bank's core operations, you write in Java. It's not random—it's targeting the language of the infrastructure you want to penetrate.

Inventor

And the fake Java updates—that's clever. People trust updates.

Model

Exactly. Developers expect Java updates. They install them without thinking. It's a form of social engineering wrapped in technical sophistication. You're not breaking in through a window; you're walking through the front door because it looks like the mailman.

Inventor

The AI analysis of emails—that seems like overkill for a malware operator.

Model

It's not overkill if you're trying to stay inside a system for months without being detected. You need to understand how the organization communicates, who talks to whom, what the payment patterns look like. The AI lets you automate that analysis across thousands of emails. Then you can forge messages that fit perfectly into the existing flow.

Inventor

So he wasn't just stealing data. He was impersonating the company itself.

Model

Right. He became part of the organization's own communication infrastructure. When he sent a phishing email, it didn't look like an external attack. It looked like IT support. That's a different level of infiltration.

Inventor

The data center in Belo Horizonte—that's a physical commitment. That's not a side hustle.

Model

No. That's a business. He was running an operation with real overhead, real infrastructure. He wasn't just writing code in his bedroom. He was storing stolen data from multiple banks, managing it, preparing it for sale. He was a professional criminal with the resources to match.

Quieres la nota completa? Lee el original en TecMundo ↗
Contáctanos FAQ