Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT.
A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata.
"One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions," Kaspersky said in a report published today. "The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features."
Telemetry data gathered by the Russian cybersecurity vendor shows that as many as 14,739 attacks were recorded in Brazil in 2025 and 11,695 in Mexico. It's currently not known how many of these resulted in a successful compromise.
First detected in the wild by Zscaler in June 2023, JanelaRAT has leveraged ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file, which, in turn, comes with a legitimate executable and a DLL payload. The final stage employs the DLL side-loading technique to launch the trojan.
In a subsequent analysis published in July 2025, KPMG said the malware is distributed via rogue MSI installer files masquerading as legitimate software hosted on trusted platforms like GitLab. Attacks involving the malware have primarily singled out Chile, Colombia, and Mexico.
"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch," KPMG noted at the time. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."
The scripts are also designed to identify installed Chromium-based browsers and stealthily modify their launch parameters (such as the "--load-extension" command line switch) to install the extension. The browser add-on then proceeds to gather system information, cookies, browsing history, installed extensions, and tab metadata, along with triggering specific actions based on URL pattern matches.
The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive that initiates the aforementioned attack chain involving DLL side-loading to install JanelaRAT.
At least since May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers, which act as a dropper for the malware using DLL side-loading and establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.
Upon execution, the malware establishes communications with a command-and-control (C2) server via a TCP socket to register a successful infection and keeps tabs on the victim's activity to intercept sensitive banking interactions.
JanelaRAT's main goal is to obtain the title of the active window and compare it against a hard-coded list of financial institutions. If there is a match, the malware waits 12 seconds before opening a dedicated C2 channel and executing malicious tasks received from the server. Some of the supported commands include -
- Sending screenshots to the C2 server
- Cropping specific screen regions and exfiltrating images
- Displaying images in full-screen mode (e.g., "Configuring Windows updates, please wait") and impersonating bank-themed dialogs via fake overlays to harvest credentials
- Capturing keystrokes
- Simulating keyboard actions like DOWN, UP, and TAB for navigation
- Moving the cursor and simulating clicks
- Executing a forced system shutdown
- Running commands using "cmd.exe" and PowerShell commands or scripts
- Manipulating Windows Task Manager to hide its window from being detected
- Flagging the presence of anti-fraud systems
- Sending system metadata
- Detecting sandbox and automation tools
"The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input," Kaspersky said. "If the inactivity period exceeds 10 minutes, the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations."
"This variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.