An exposed public index on 198.245.53.26 revealed two evolutionary branches of Banana RAT, a Brazilian banking-oriented RAT. The older branch (May 2026) used static ETW-themed installation paths and a pseudo-Microsoft C2 domain (c.windowns-cdn.com), while the newer branch (June 2026) shifted to randomized install identifiers, VBS-assisted persistence via hidden SYSTEM scheduled tasks, and WebSocket C2 over host-specific testewin.com subdomains derived from the victim's MachineGuid. Exposed backend scripts (servidorcompletopool.py, ofuscador.py) indicate an automated polymorphic payload generation platform. A shared fallback IP (149.56.12.51) anchors both branches to the same operator.