JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in 2025

In a troubling development for cybersecurity, banks and financial institutions in Latin America, particularly in Brazil and Mexico, have become key targets for a sophisticated malware family known as JanelaRAT. This malware, a modified variant of BX RAT, is designed to extract sensitive financial and cryptocurrency information, track user interactions, log keystrokes, capture screenshots, and collect system metadata.

The Evolution of JanelaRAT

JanelaRAT sets itself apart from other trojans through its unique title bar detection mechanism, enabling it to identify specific websites in victims’ browsers and execute malicious actions accordingly. Threat intelligence from Kaspersky indicates that the actors behind JanelaRAT are continuously refining their infection methods and malware features to enhance their effectiveness.

Telemetry data reveals that Brazil experienced approximately 14,739 attacks in 2025, while Mexico recorded around 11,695. Although the precise number of successful compromises remains undetermined, the scale of these attacks underscores a significant threat to the financial sector in these regions.

Technical Mechanisms and Distribution

First detected in the wild by Zscaler in June 2023, JanelaRAT utilizes ZIP archives containing Visual Basic Scripts (VBScript) to initiate its attack chain. This process involves downloading a second ZIP file that includes a legitimate executable and a DLL payload, ultimately employing DLL side-loading techniques to activate the trojan.

An analysis by KPMG in July 2025 revealed that JanelaRAT is often distributed through rogue MSI installer files disguised as legitimate software on trusted platforms like GitLab. The malware primarily targets countries such as Chile, Colombia, and Mexico.

Upon execution, the installer triggers a multi-stage infection process orchestrated by scripts written in Go, PowerShell, and batch. These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and other supporting components. The scripts are adept at identifying installed Chromium-based browsers and stealthily altering their launch parameters to install the malicious extension.

Phishing Tactics and Infection Vectors

Recent attack vectors documented by Kaspersky involve phishing emails that masquerade as outstanding invoices. These emails entice recipients to download a PDF file, which subsequently leads to the download of a ZIP archive that initiates the DLL side-loading attack to install JanelaRAT.

Since May 2024, the tactics employed by JanelaRAT campaigns have shifted from using Visual Basic scripts to MSI installers, which serve as droppers for the malware. This method establishes persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.
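Two of the behaviours described above are cheap to hunt for on an endpoint: the Startup-folder LNK whose target lives in a user-writable directory rather than a normal install path, and a Chromium-based browser being launched with altered parameters that sideload an extension. The following is an added example of that hunting logic (not code from the article or from any of the vendors it cites); the Startup-folder paths, the trusted install prefixes, the `--load-extension=` switch and the telemetry records are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed install roots where a legitimately installed program's executable
# normally lives. A Startup shortcut resolving anywhere else (AppData, Temp,
# Public, ...) matches the persistence pattern described in the article.
TRUSTED_TARGET_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Real Chromium switch that loads an unpacked extension from disk. The article
# does not name the exact parameters the campaign alters; this is an assumption.
EXTENSION_SWITCH = "--load-extension="

@dataclass
class StartupShortcut:
    lnk_path: str   # location of the .lnk file
    target: str     # resolved target the shortcut points at

def suspicious_startup_shortcuts(shortcuts):
    """Return Startup-folder shortcuts whose target is outside trusted install roots."""
    hits = []
    for s in shortcuts:
        in_startup = "\\start menu\\programs\\startup\\" in s.lnk_path.lower()
        trusted = s.target.lower().startswith(TRUSTED_TARGET_PREFIXES)
        if in_startup and not trusted:
            hits.append(s)
    return hits

def altered_browser_launches(cmdlines):
    """Return process command lines that start a Chromium browser with a sideloaded extension."""
    browsers = re.compile(r"(chrome|msedge|brave|opera)\.exe", re.I)
    return [c for c in cmdlines if browsers.search(c) and EXTENSION_SWITCH in c.lower()]

# Constructed sample telemetry: one benign and one suspicious entry of each kind.
SAMPLE_SHORTCUTS = [
    StartupShortcut(r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
                    r"C:\Users\ana\AppData\Local\Temp\viewer.exe"),
    StartupShortcut(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
                    r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\ana\AppData\Local\ext"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
]

if __name__ == "__main__":
    for s in suspicious_startup_shortcuts(SAMPLE_SHORTCUTS):
        print("startup LNK outside trusted roots:", s.lnk_path, "->", s.target)
    for c in altered_browser_launches(SAMPLE_CMDLINES):
        print("browser launched with sideloaded extension:", c)
```

On a live host the shortcut list would come from enumerating both the per-user and the all-users Startup folders and resolving each LNK target, and the command lines from process-creation telemetry; both findings deserve triage rather than automatic blocking, since legitimate software occasionally does either.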

Once activated, JanelaRAT establishes communication with a command-and-control (C2) server via a TCP socket to confirm a successful infection. It monitors the victim’s activities to intercept sensitive banking interactions.

Operational Capabilities and User Monitoring

The primary objective of JanelaRAT is to capture the title of the active window and compare it against a hard-coded list of financial institutions. If a match is found, the malware waits for 12 seconds before opening a dedicated C2 channel to execute commands received from the server. Some of the commands it can execute include:

  • Sending screenshots to the C2 server
  • Cropping specific screen regions and exfiltrating images
  • Displaying images in full-screen mode to impersonate bank-themed dialogs and harvest credentials
  • Capturing keystrokes
  • Simulating keyboard actions for navigation
  • Moving the cursor and simulating clicks
  • Executing forced system shutdowns
  • Running commands via “cmd.exe” and PowerShell scripts
  • Manipulating Windows Task Manager to evade detection
  • Identifying the presence of anti-fraud systems
  • Sending system metadata
  • Detecting sandbox and automation tools

Kaspersky has highlighted that JanelaRAT can determine if a victim’s machine has been inactive for more than 10 minutes by tracking the elapsed time since the last user input. If inactivity exceeds this threshold, the malware notifies the C2 server. Conversely, it alerts the threat actor upon user activity, enabling the tracking of user presence and routine for optimal timing of remote operations.

Implications for the Financial Sector

The emergence of JanelaRAT signifies a notable escalation in the capabilities of cybercriminals. It combines multiple communication channels, extensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically engineered to minimize user visibility and adapt its behavior in response to the detection of anti-fraud software.

As financial institutions in Latin America confront an increasing number of sophisticated cyber threats, the need for enhanced cybersecurity measures becomes paramount. Organizations must remain vigilant and proactive in their defense strategies to mitigate the risks posed by evolving malware like JanelaRAT.

As reported by cyberwarriorsmiddleeast.com.

Published on 2026-04-14 08:58:00 • By FAME Delivered News Desk