JanelaRAT Campaign Hits Latin American Banks, with Over 14,700 Attacks Detected in Brazil in 2025

Banks and financial institutions across Latin America, particularly in Brazil and Mexico, continue to be targeted by a sophisticated malware strain known as JanelaRAT.

JanelaRAT is a customized variant of BX RAT designed to harvest financial and cryptocurrency‑related information tied to specific banking entities. Beyond credential theft, the malware is capable of extensive surveillance and control activities, including mouse tracking, keystroke logging, screenshot capture, and the collection of detailed system metadata.

“One of the distinguishing characteristics of these trojans is JanelaRAT’s use of a custom title‑bar detection technique to recognize targeted websites within a victim’s browser and trigger malicious actions,” Kaspersky said in a report published today. “The operators behind JanelaRAT consistently refine both the infection chain and malware variants by introducing new features.”

According to telemetry collected by Kaspersky, 14,739 attack attempts were recorded in Brazil in 2025, while 11,695 attacks were observed in Mexico. The number of attacks that led to confirmed compromises remains unclear.

JanelaRAT was first observed in the wild in June 2023, when Zscaler documented its use of ZIP archives containing Visual Basic Script (VBScript) files. These scripts downloaded a second ZIP archive that included a legitimate executable alongside a malicious DLL. The malware was ultimately launched using DLL side‑loading, allowing it to evade detection.

Further analysis released by KPMG in July 2025 revealed a shift in distribution techniques. The malware was being delivered through malicious MSI installer packages masquerading as legitimate software and hosted on trusted platforms such as GitLab. Campaigns during this period primarily targeted Chile, Colombia, and Mexico.

“Once executed, the installer triggers a multi‑stage infection sequence orchestrated through scripts written in Go, PowerShell, and batch languages,” KPMG noted. “These scripts extract a ZIP archive containing the RAT payload, a malicious Chromium‑based browser extension, and accompanying components.”

The infection scripts also identify installed Chromium‑based browsers and secretly modify their launch parameters, such as adding the --load-extension flag to force‑load the malicious extension. Once active, the browser add‑on collects extensive data, including system details, cookies, browsing history, installed extensions, and tab metadata, while also executing actions based on matched URL patterns.
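Because the extension is force-loaded through a browser launch parameter, the flag itself is visible in process-creation telemetry. The following detection logic is an added example, not code from the report or from Kaspersky or KPMG; it runs over constructed Sysmon-style command lines and flags any Chromium-based browser started with --load-extension, returning the extension directories so an analyst can review them (the browser list and sample paths are assumptions).

```python
import re
from pathlib import PureWindowsPath

# Chromium-based browser executables whose launch parameters are worth watching (assumed list).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}

# First token of a Windows command line: a quoted path or a bare path.
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# Chromium's --load-extension=<dir>[,<dir>...] switch; the value may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')

# Constructed process-creation records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 1, "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Roaming\svc\ext" --no-first-run'},
    {"RecordId": 2, "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"RecordId": 3, "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension=C:\Temp\a,C:\Temp\b'},
    {"RecordId": 4, "CommandLine": r'C:\Windows\System32\notepad.exe --load-extension=C:\Temp\x'},
]


def forced_extensions(cmdline: str) -> list[str]:
    """Return the extension directories a Chromium browser is being forced to load.

    Returns an empty list when the image is not a Chromium-based browser
    (a non-browser process carrying the flag is not this indicator) or when
    the command line has no --load-extension switch.
    """
    m = IMAGE_RE.match(cmdline)
    if not m:
        return []
    image = PureWindowsPath(m.group(1) or m.group(2)).name.lower()
    if image not in CHROMIUM_BROWSERS:
        return []
    dirs: list[str] = []
    for quoted, bare in LOAD_EXT_RE.findall(cmdline):
        # Chromium accepts a comma-separated list of extension directories.
        dirs.extend(d.strip() for d in (quoted or bare).split(",") if d.strip())
    return dirs


def scan(events) -> list[tuple[int, list[str]]]:
    """Return (RecordId, directories) for every event that force-loads an extension."""
    return [(ev["RecordId"], d) for ev in events if (d := forced_extensions(ev["CommandLine"]))]


if __name__ == "__main__":
    for record_id, dirs in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: browser force-loads extension(s) {dirs}")
```

Developers occasionally use this switch for unpacked extensions, so the hit list is a triage queue rather than a verdict; directories under user-writable locations such as AppData or Temp deserve the closest look.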

Kaspersky’s latest findings show that JanelaRAT operators now rely on phishing emails posing as unpaid invoices. Victims are lured into downloading a PDF via a link, which ultimately delivers a ZIP archive that initiates the full infection chain, again leveraging DLL side‑loading to deploy the malware.

Since at least May 2024, JanelaRAT campaigns have largely abandoned VBScript‑based loaders in favor of MSI installers, which act as droppers and establish persistence by creating a Windows shortcut (LNK) in the Startup folder that points to the malicious executable.

Once installed, JanelaRAT communicates with its command‑and‑control (C2) infrastructure over a TCP socket to confirm successful infection. The malware then actively monitors user behavior, particularly during sensitive banking sessions.

A core function of JanelaRAT is continuously retrieving the title of the active window and comparing it against a hard‑coded list of financial institutions. When a match is detected, the malware waits roughly 12 seconds before opening a dedicated C2 channel and executing commands issued by the attacker.

Supported capabilities include:

  • Capturing and transmitting screenshots
  • Cropping and exfiltrating specific screen areas
  • Displaying full‑screen decoy images (e.g., “Configuring Windows updates”) and presenting fraudulent bank overlays to steal credentials
  • Logging keystrokes
  • Simulating keyboard inputs such as UP, DOWN, and TAB
  • Moving the cursor and performing automated clicks
  • Forcing system shutdown
  • Executing commands via cmd.exe and PowerShell
  • Manipulating Windows Task Manager to conceal it
  • Detecting the presence of anti‑fraud defenses
  • Sending detailed system metadata
  • Identifying sandbox and automation environments

“The malware monitors user inactivity by measuring the time elapsed since the last input,” Kaspersky explained. “If inactivity exceeds ten minutes, the malware alerts the C2 server. It notifies the operator again once activity resumes, allowing attackers to profile user behavior and optimally time remote operations.”

Kaspersky concluded that this JanelaRAT variant reflects a notable evolution in attacker sophistication. By combining multiple communication channels with deep system monitoring, interactive overlays, input automation, and advanced remote‑control features, the malware is deliberately engineered to remain covert while adapting its behavior in the presence of anti‑fraud mechanisms.
