JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil by 2025

Banks and financial institutions in Latin American countries such as Brazil and Mexico have continued to fall victim to a family of malware called JanelaRAT.
A modified version of the BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with certain financial companies, as well as track mouse inputs, keystrokes, take screenshots, and collect system metadata.
“One of the main differences between these trojans is that JanelaRAT uses a custom title bar detection method to target desired websites on victims’ browsers and perform malicious actions,” Kaspersky said in a report published today. “The threat actors behind the JanelaRAT campaigns continue to update the series of infections and versions of the malware by adding new features.”
Telemetry data collected by a Russian cybersecurity vendor shows that approximately 14,739 attacks were recorded in Brazil in 2025 and 11,695 in Mexico. It is not yet known how many of these have resulted in successful compromises.
First discovered in the wild by Zscaler in June 2023, JanelaRAT was delivered via ZIP archives containing a Visual Basic Script (VBScript) that downloaded a second ZIP file holding a legitimate executable and a DLL. The final stage uses DLL sideloading to launch the trojan.
In a subsequent analysis published in July 2025, KPMG said the malware is being distributed via malicious MSI installation files masquerading as legitimate software hosted on trusted platforms such as GitLab. The attack involving the malware targeted Chile, Colombia, and Mexico.
“After execution, the installer begins a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG noted at the time. “These scripts extract a ZIP archive containing an executable RAT, a malicious Chromium-based browser extension, and supporting components.”
The scripts are also designed to locate installed Chromium-based browsers and stealthily modify their startup parameters (for example, by adding the “--load-extension” command-line switch) to install the extension. The browser add-on then collects system information, cookies, browsing history, installed extensions, and tab metadata, and triggers certain actions based on URL pattern matching.
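As an added illustration (not code from Kaspersky, KPMG, or this article), the following Python check shows how a defender could sweep process-creation records for Chromium-based browsers launched with a side-loaded unpacked extension via “--load-extension”. The record fields, the browser image list, and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed, non-exhaustive list of Chromium-based browser image names to inspect.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# --load-extension=<value>; the value may be "quoted" (paths with spaces) or bare.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|([^\s"]+))', re.IGNORECASE)


def browser_name(image: str) -> str:
    """Return the lowercase file name of an image path (accepts / or \\ separators)."""
    return re.split(r"[\\/]", image)[-1].lower()


def extension_paths(cmdline: str) -> List[str]:
    """Return every extension directory passed via --load-extension.

    Chromium accepts a comma-separated list, so one switch can carry several paths.
    """
    paths: List[str] = []
    for quoted, bare in LOAD_EXT.findall(cmdline):
        paths.extend(p.strip() for p in (quoted or bare).split(",") if p.strip())
    return paths


def find_injected_extensions(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag browser launches whose command line side-loads an unpacked extension."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        name = browser_name(rec["Image"])
        if name not in CHROMIUM_BROWSERS:
            continue  # notepad.exe etc. with the same switch is not a browser hijack
        for path in extension_paths(rec["CommandLine"]):
            hits.append({"pid": rec["ProcessId"], "browser": name, "extension": path})
    return hits


# Constructed sample events (not real telemetry) shaped like process-creation logs.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Public\Libraries\ext one" https://bank.example'},
    {"ProcessId": "4188", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension=C:\ProgramData\a,C:\ProgramData\b --no-first-run'},
    {"ProcessId": "4201", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"ProcessId": "4300", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --load-extension=C:\nope"},
]

if __name__ == "__main__":
    for hit in find_injected_extensions(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['browser']} side-loads extension from {hit['extension']}")
```

The same `extension_paths` parser can be applied to the target string of shortcuts in the Startup folder, since the article notes the startup parameters themselves are what gets modified.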
A recent series of attacks documented by Kaspersky shows that phishing emails disguised as outstanding invoices trick recipients into clicking a link to download what appears to be a PDF file. The link instead delivers a ZIP archive that starts the infection chain described above, including the sideloading of a DLL to install JanelaRAT.
At least since May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers, which act as a dropper that uses DLL sideloading and establish persistence on the host by creating a Windows shortcut (LNK) in the Startup folder that points to the executable.
Once executed, the malware connects to the command-and-control (C2) server over a TCP socket to register the successful infection, then keeps tabs on the victim’s activity, watching for sensitive banking interactions.
JanelaRAT’s main goal is to read the title of the active window and compare it against a hard-coded list of financial institutions. If there is a match, the malware waits 12 seconds before opening the dedicated C2 channel and carrying out the malicious operations issued by the server. Some of the supported commands include:
- Sending screenshots to the C2 server
- Cropping specific screen regions and displaying images
- Displaying images in full-screen mode (e.g., “Preparing Windows updates, please wait”) and impersonating banking-themed chats with fake overlays to harvest credentials
- Capturing buttons
- Emulating keyboard actions such as DOWN, UP, and TAB for navigation
- Moving the cursor and simulating clicks
- Forcing a system shutdown
- Executing commands via “cmd.exe” and PowerShell commands or scripts
- Manipulating Windows Task Manager to hide its window from discovery
- Flagging the presence of anti-fraud systems
- Sending system metadata
- Detecting sandboxes and automated analysis tools
“The malware determines that the victim’s machine has been inactive for more than 10 minutes by counting the time that has passed since the last user input,” Kaspersky said. “If the time of inactivity exceeds 10 minutes, the malware informs C2 by sending a corresponding message. In case of user activity, it notifies the threat actor as well. This makes it possible to track the presence of the user and the system in order to stop possible remote operation.”
“This variant represents a major improvement in player capabilities, integrating multiple communication channels, comprehensive victim monitoring, integrated stacking, input injection, and robust remote control features. The malware is specifically designed to reduce user visibility and adapt its behavior when detected by anti-fraud software.”