JanelaRAT Malware Launches 14,739 Attacks on Latin American Banks in 2025
In a concerning trend for cybersecurity, banks and financial institutions across Latin America, particularly in Brazil and Mexico, have become prime targets for JanelaRAT, a malware family derived from BX RAT. It is built to steal financial and cryptocurrency data, track user interactions, log keystrokes, capture screenshots, and gather system metadata.
The Evolution of JanelaRAT
JanelaRAT distinguishes itself from other trojans through its unique title bar detection mechanism, allowing it to identify specific websites in victims’ browsers and execute malicious actions accordingly. Kaspersky has noted that the threat actors behind JanelaRAT continuously refine their infection methods and malware features to enhance their effectiveness.
Telemetry data from Kaspersky indicates that Brazil experienced approximately 14,739 attacks in 2025, while Mexico recorded around 11,695. The exact number of successful compromises remains undetermined, but the scale of these attacks highlights a significant threat to the financial sector in these regions.
Technical Mechanisms and Distribution
First detected in the wild by Zscaler in June 2023, JanelaRAT employs ZIP archives containing Visual Basic Scripts (VBScript) to initiate its attack chain. This process involves downloading a second ZIP file that includes a legitimate executable and a DLL payload, ultimately utilizing DLL side-loading techniques to activate the trojan.
A subsequent analysis by KPMG in July 2025 revealed that JanelaRAT is often distributed through rogue MSI installer files disguised as legitimate software on trusted platforms like GitLab. The malware primarily targets countries such as Chile, Colombia, and Mexico.
Upon execution, the installer triggers a multi-stage infection process orchestrated by scripts written in Go, PowerShell, and batch. These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and other supporting components. The scripts identify installed Chromium-based browsers and quietly alter their launch parameters so that the malicious extension is loaded.
Phishing Tactics and Infection Vectors
The latest attack vectors documented by Kaspersky involve phishing emails masquerading as outstanding invoices. These emails entice recipients to download a PDF file, which leads to the download of a ZIP archive that initiates the DLL side-loading attack to install JanelaRAT.
Since May 2024, the tactics employed by JanelaRAT campaigns have shifted from using Visual Basic scripts to MSI installers, which serve as droppers for the malware. This method establishes persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.
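A defender-side audit for the two host artefacts described above (the Startup-folder LNK and the altered browser launch parameters), written here as an added PowerShell example rather than taken from the report or from Kaspersky's or KPMG's analyses. It assumes the extension is loaded through a Chromium extension-loading switch in a shortcut's arguments, and that benign Startup targets resolve into Program Files or Windows; the report states neither.

```powershell
# Added example (not from the report): audit Windows shortcuts (.lnk) for
# Startup-folder persistence pointing at an executable outside the usual
# install roots, and for Chromium browser launchers whose arguments load an
# extension from disk. Assumption: the altered launch parameter is the
# Chromium --load-extension switch (the report does not name the parameter).
$shell = New-Object -ComObject WScript.Shell

$startupDirs  = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
$launcherDirs = 'Desktop', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }

# Assumption: legitimate Startup entries normally live under these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ }
$chromiumExes = 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe'

function Resolve-Lnk([System.IO.FileInfo]$File) {
    # Resolve a shortcut to its target path and command-line arguments.
    $sc = $shell.CreateShortcut($File.FullName)
    [pscustomobject]@{ Shortcut = $File.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments }
}

$findings = @()

# 1) Persistence: Startup LNK whose target is an .exe outside trusted roots.
foreach ($lnk in Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue) {
    $r = Resolve-Lnk $lnk
    $trusted = $trustedRoots | Where-Object { $r.Target.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($r.Target -like '*.exe' -and -not $trusted) {
        $findings += $r | Add-Member -NotePropertyName Reason -NotePropertyValue 'Startup LNK to executable outside trusted roots' -PassThru
    }
}

# 2) Browser launchers whose arguments force-load an unpacked extension.
foreach ($lnk in Get-ChildItem -Path $launcherDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $r = Resolve-Lnk $lnk
    $exe = [IO.Path]::GetFileName($r.Target).ToLowerInvariant()
    if ($chromiumExes -contains $exe -and $r.Arguments -match '--load-extension') {
        $findings += $r | Add-Member -NotePropertyName Reason -NotePropertyValue 'Chromium launcher loads extension from disk' -PassThru
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session to read the all-users Startup and Start Menu folders; each finding should then be checked against the organisation's software inventory before being treated as an infection.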
Once activated, JanelaRAT establishes communication with a command-and-control (C2) server via a TCP socket to confirm a successful infection. It monitors the victim’s activities to intercept sensitive banking interactions.
Operational Capabilities and User Monitoring
JanelaRAT’s primary objective is to capture the title of the active window and compare it against a hard-coded list of financial institutions. If a match is found, the malware waits for 12 seconds before opening a dedicated C2 channel to execute commands received from the server. Some of the commands it can execute include:
- Sending screenshots to the C2 server
- Cropping specific screen regions and exfiltrating images
- Displaying images in full-screen mode to impersonate bank-themed dialogs and harvest credentials
- Capturing keystrokes
- Simulating keyboard actions for navigation
- Moving the cursor and simulating clicks
- Executing forced system shutdowns
- Running commands via “cmd.exe” and PowerShell scripts
- Manipulating Windows Task Manager to evade detection
- Identifying the presence of anti-fraud systems
- Sending system metadata
- Detecting sandbox and automation tools
Kaspersky has highlighted that JanelaRAT can determine if a victim’s machine has been inactive for more than 10 minutes by tracking the elapsed time since the last user input. If inactivity exceeds this threshold, the malware notifies the C2 server. Conversely, it alerts the threat actor upon user activity, enabling the tracking of user presence and routine for optimal timing of remote operations.
Implications for the Financial Sector
The emergence of JanelaRAT represents a significant escalation in the capabilities of cybercriminals. It combines multiple communication channels, extensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically engineered to minimize user visibility and adapt its behavior in response to the detection of anti-fraud software.
As financial institutions in Latin America face an increasing number of sophisticated cyber threats, the need for enhanced cybersecurity measures becomes paramount. Organizations must remain vigilant and proactive in their defense strategies to mitigate the risks posed by evolving malware like JanelaRAT.
For further insights into this evolving threat landscape, refer to the original reporting source: thehackernews.com.