JanelaRAT Malware Launches 14,739 Attacks on Latin American Banks in 2025

In a troubling development for cybersecurity, banks and financial institutions in Latin America, particularly in Brazil and Mexico, have become key targets of a sophisticated malware known as JanelaRAT. This malware, a modified variant of BX RAT, is engineered to extract sensitive financial and cryptocurrency information, track user interactions, log keystrokes, capture screenshots, and collect system metadata.

The Evolution of JanelaRAT

JanelaRAT sets itself apart from other trojans through a unique title bar detection mechanism. This feature enables the malware to identify specific websites in victims’ browsers and execute malicious actions accordingly. Kaspersky has reported that the threat actors behind JanelaRAT are continuously refining their infection methods and malware features to improve their effectiveness.

Telemetry data from Kaspersky indicates that Brazil experienced approximately 14,739 attacks in 2025, while Mexico recorded around 11,695. Although the exact number of successful compromises remains unknown, the scale of these attacks underscores a significant threat to the financial sector in these regions.

Technical Mechanisms and Distribution

First detected in the wild by Zscaler in June 2023, JanelaRAT initiates its attack chain with ZIP archives containing VBScript files. The script downloads a second ZIP file holding a legitimate executable and a DLL payload, and the trojan is then activated through DLL side-loading.

A subsequent analysis by KPMG in July 2025 revealed that JanelaRAT is often distributed through rogue MSI installer files disguised as legitimate software on trusted platforms such as GitLab. The malware primarily targets countries including Chile, Colombia, and Mexico.

Upon execution, the installer triggers a multi-stage infection process orchestrated by scripts written in Go, PowerShell, and batch. These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and other supporting components. The scripts are adept at identifying installed Chromium-based browsers and stealthily altering their launch parameters to install the malicious extension.
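The launch-parameter tampering described above leaves a trace in process-creation telemetry. As an added example (not code from Kaspersky, KPMG or the original reporting), the following Python flags Chromium-based browsers started with the standard extension side-loading switches when the extension path sits in a user-writable location; the browser list, the path heuristic and the sample records are constructed for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Chromium-based browser binaries covered by the hunt (constructed list; extend per estate).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Standard Chromium switches that load an unpacked extension from disk at launch.
SIDELOAD_SWITCHES = ("--load-extension=", "--disable-extensions-except=")
# Locations a dropper can write to without elevation (constructed heuristic).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I,
)

def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]

def analyze_launch(cmdline):
    """Return a list of findings for one process command line; an empty list means nothing flagged."""
    args = split_cmdline(cmdline)
    if not args or PureWindowsPath(args[0]).name.lower() not in CHROMIUM_BROWSERS:
        return []
    findings = []
    for arg in args[1:]:
        for switch in SIDELOAD_SWITCHES:
            if arg.lower().startswith(switch):
                # A switch may carry several comma-separated extension directories.
                for path in arg[len(switch):].split(","):
                    if USER_WRITABLE.match(path):
                        findings.append(f"{switch.rstrip('=')} from user-writable path: {path}")
                    else:
                        findings.append(f"{switch.rstrip('=')} present: {path}")
    return findings

# Constructed sample process-creation records (not real telemetry).
SAMPLE_LAUNCHES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\ana\AppData\Roaming\upd\ext" https://www.example.com',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-extensions-except=C:\ProgramData\srv\ext --load-extension=C:\ProgramData\srv\ext',
    r'C:\Windows\System32\notepad.exe C:\Users\ana\notes.txt',
]

def hunt(launches=SAMPLE_LAUNCHES):
    """Map each flagged command line to its findings."""
    results = {}
    for cmd in launches:
        findings = analyze_launch(cmd)
        if findings:
            results[cmd] = findings
    return results
```

A persistent shortcut in the Startup folder that points at a browser with these switches, or a modified desktop shortcut carrying them, is the artefact this check is meant to surface.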

Phishing Tactics and Infection Vectors

Recent attack vectors documented by Kaspersky involve phishing emails that masquerade as outstanding invoices. These emails entice recipients to download a PDF file, which subsequently leads to the download of a ZIP archive that initiates the DLL side-loading attack to install JanelaRAT.

Since May 2024, the tactics employed by JanelaRAT campaigns have shifted from using Visual Basic scripts to MSI installers, which serve as droppers for the malware. This method establishes persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.

Once activated, JanelaRAT establishes communication with a command-and-control (C2) server via a TCP socket to confirm a successful infection. It monitors the victim’s activities to intercept sensitive banking interactions.

Operational Capabilities and User Monitoring

The primary objective of JanelaRAT is to capture the title of the active window and compare it against a hard-coded list of financial institutions. If a match is found, the malware waits for 12 seconds before opening a dedicated C2 channel to execute commands received from the server. Some of the commands it can execute include:

  • Sending screenshots to the C2 server
  • Cropping specific screen regions and exfiltrating images
  • Displaying images in full-screen mode to impersonate bank-themed dialogs and harvest credentials
  • Capturing keystrokes
  • Simulating keyboard actions for navigation
  • Moving the cursor and simulating clicks
  • Executing forced system shutdowns
  • Running commands via “cmd.exe” and PowerShell scripts
  • Manipulating Windows Task Manager to evade detection
  • Identifying the presence of anti-fraud systems
  • Sending system metadata
  • Detecting sandbox and automation tools

Kaspersky has highlighted that JanelaRAT can determine if a victim’s machine has been inactive for more than 10 minutes by tracking the elapsed time since the last user input. If inactivity exceeds this threshold, the malware notifies the C2 server. Conversely, it alerts the threat actor upon user activity, enabling the tracking of user presence and routine for optimal timing of remote operations.

Implications for the Financial Sector

The emergence of JanelaRAT signifies a notable escalation in the capabilities of cybercriminals. It combines multiple communication channels, extensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically engineered to minimize user visibility and adapt its behavior in response to the detection of anti-fraud software.

As financial institutions in Latin America confront an increasing number of sophisticated cyber threats, the necessity for enhanced cybersecurity measures becomes critical. Organizations must remain vigilant and proactive in their defense strategies to mitigate the risks posed by evolving malware like JanelaRAT.

For further insights into this evolving threat landscape, refer to the original reporting source: cyberwarriorsmiddleeast.com.

Published on 2026-04-14 08:58:00 • By the Editorial Desk