JanelaRAT Malware Intensifies Targeting of Latin American Banks with Sophisticated Tactics

In recent years, financial institutions across Latin America, particularly in Brazil and Mexico, have faced escalating threats from a sophisticated malware known as JanelaRAT. This malicious software, a modified variant of the BX RAT, is engineered to exfiltrate sensitive financial and cryptocurrency data, monitor user activities, and gather comprehensive system information.

Evolution and Distribution Methods

First documented by Zscaler, which observed activity from June 2023, JanelaRAT initially arrived as a ZIP archive containing a Visual Basic Script (VBScript) that started the infection. The script downloaded a second ZIP holding a legitimate, signed executable alongside a malicious DLL. The malware relied on DLL side-loading: the trusted executable loads the attacker's DLL from its own directory, so the payload runs inside a trusted process and slips past naive signature- and reputation-based checks.

By July 2025, KPMG reported a shift in JanelaRAT's distribution strategy. The malware was now being delivered as deceptive MSI installer files posing as legitimate software and hosted on trusted platforms such as GitLab. Upon execution, the installer ran a multi-stage infection chain built from components written in Go, PowerShell, and batch files. This chain unpacked a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components. The scripts also enumerated installed Chromium-based browsers and quietly modified their launch parameters so the browser loaded the extension at start, giving the operators system information, cookies, browsing history, the list of installed extensions, and tab metadata.

Recent Attack Patterns

Kaspersky's latest analysis shows that JanelaRAT campaigns now open with phishing emails disguised as outstanding invoices. The emails lure the recipient into downloading a PDF, which in turn leads to the download of a ZIP archive. The archive starts an infection chain that uses DLL side-loading to run JanelaRAT. Since May 2024 the first stage inside the archive has been an MSI installer rather than a VBScript: the installer acts as the dropper and establishes persistence by placing a Windows shortcut (LNK) in the Startup folder.
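Two of the host artifacts described above are ordinary Windows shortcut files: the persistence LNK in the Startup folder, and the Chromium browser shortcuts whose launch parameters were modified to load the rogue extension. The following Python script is an added example (not code from the article or from Zscaler, KPMG or Kaspersky) that parses .lnk files directly from the MS-SHLLINK binary format and flags both patterns. It assumes that "launch parameters" means the command-line arguments stored in the shortcut, and that the switches involved are Chromium's --load-extension and --disable-extensions-except; the user-writable directory list and the sample LNK blobs are constructed for the demonstration and are not indicators from the reports.

```python
"""Parse Windows .lnk (ShellLink) files and flag the shortcut abuses described above."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Assumed indicators (not from the article): directories a dropper typically writes to,
# Chromium browser binaries, and the Chromium switches that load an unpacked extension at launch.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
CHROMIUM_EXES = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
EXTENSION_SWITCHES = ("--load-extension", "--disable-extensions-except")


@dataclass
class Shortcut:
    local_base_path: str  # absolute target from LinkInfo, "" if absent
    relative_path: str
    working_dir: str
    arguments: str


def parse_lnk(data: bytes) -> Shortcut:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData and pull out the fields we need."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:  # skip the shell item ID list (uint16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base = ""
    if flags & HAS_LINK_INFO:
        size, _hdr_size, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at LocalBasePathOffset
            off = struct.unpack_from("<I", data, pos + 16)[0]
            local_base = data[pos + off:data.index(b"\x00", pos + off)].decode("cp1252")
        pos += size
    strings = []
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):
        if not flags & flag:
            strings.append("")
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        strings.append(raw.decode("utf-16-le" if width == 2 else "cp1252"))
        pos += count * width
    _name, rel, workdir, args, _icon = strings
    return Shortcut(local_base, rel, workdir, args)


def assess(sc: Shortcut, in_startup_folder: bool) -> list[str]:
    """Return human-readable findings for one shortcut (empty list means nothing suspicious)."""
    findings = []
    target = (sc.local_base_path or sc.relative_path).lower()
    args = sc.arguments.lower()
    if in_startup_folder and any(d in target for d in USER_WRITABLE):
        findings.append(f"Startup shortcut runs a file from a user-writable directory: {target}")
    if target.endswith(CHROMIUM_EXES):
        hits = [s for s in EXTENSION_SWITCHES if s in args]
        if hits:
            findings.append(f"browser shortcut loads an extension via {', '.join(hits)}: {sc.arguments}")
    return findings


def build_lnk(local_base: str, arguments: str = "") -> bytes:
    """Build a minimal but well-formed ShellLink blob (constructed test input, not a real sample)."""
    base = local_base.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty volume label
    li_size = 28 + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", li_size, 28, 0x1, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(base)) + volume_id + base + b"\x00"
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + string_data


def demo() -> dict[str, list[str]]:
    """Three constructed shortcuts: a Startup persistence LNK, a tampered Chrome shortcut, a benign one."""
    samples = {
        "startup_dropper": (build_lnk(r"C:\Users\ana\AppData\Roaming\Updater\update.exe"), True),
        "chrome_extension": (build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                       r'--load-extension="C:\Users\ana\AppData\Local\ext"'), False),
        "benign_startup": (build_lnk(r"C:\Program Files\Notepad++\notepad++.exe"), True),
    }
    return {name: assess(parse_lnk(blob), startup) for name, (blob, startup) in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["clean"])
```

On a real host, feed parse_lnk() the bytes of every .lnk under both Startup folders (per-user and all-users) and under the Desktop, Start Menu and taskbar pin directories, passing in_startup_folder=True only for the first two. The parser deliberately reads LocalBasePath from LinkInfo rather than trusting the shell item ID list, since the former is what Explorer launches when the ID list cannot be resolved.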

Functionality and Impact

Once executed, JanelaRAT communicates with a command-and-control (C2) server via a TCP socket to register the infection and monitor the victim’s activities, particularly focusing on banking interactions. The malware captures the title of the active window and compares it against a hard-coded list of financial institutions. If a match is found, it waits 12 seconds before opening a dedicated C2 channel to execute malicious tasks received from the server. These tasks include:

– Sending screenshots to the C2 server
– Cropping specific screen regions and exfiltrating images
– Displaying deceptive full-screen images (e.g., a fake "Configuring Windows updates, please wait" screen) and bank-themed dialogs that harvest credentials while the operator works behind the overlay
– Capturing keystrokes
– Simulating keyboard actions for navigation
– Moving the cursor and simulating clicks
– Executing forced system shutdowns
– Running commands using cmd.exe and PowerShell
– Manipulating Windows Task Manager to conceal its window
– Detecting the presence of anti-fraud systems
– Sending system metadata
– Identifying sandbox and automation tools

The malware also monitors user inactivity. If the system remains idle for over 10 minutes, JanelaRAT notifies the C2 server, allowing threat actors to time their remote operations effectively.

Statistical Overview

Telemetry data from Kaspersky indicates that in 2025 alone, Brazil experienced 14,739 JanelaRAT attacks, while Mexico reported 11,695 incidents. The exact number of successful compromises remains undetermined.

Conclusion

JanelaRAT represents a significant advancement in cyber threats targeting Latin American financial institutions. Its continuous evolution, from VBScript-and-side-loading chains to MSI droppers and a browser extension, together with its window-title-triggered overlay and remote-control capabilities, gives defenders concrete things to watch for: invoice-themed emails carrying PDF links, MSI installers fetched from code-hosting platforms, new shortcuts in the Startup folder, browser shortcuts whose arguments change, and unexpected full-screen "update" screens during online banking sessions. Financial entities in the region should pair these host and email controls with heightened vigilance on the server side, where the malware's activity timed to user idleness is designed to go unnoticed.