
Banks and financial institutions in Latin American countries such as Brazil and Mexico continue to be targeted by a malware family called JanelaRAT.
JanelaRAT, a modified version of BX RAT, is known to track mouse inputs, log keystrokes, take screenshots, and collect system metadata, as well as steal financial and cryptocurrency data associated with certain financial entities.
“One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify the desired website in the victim’s browser and perform its malicious actions,” Kaspersky said in a report released today. “The attackers behind the JanelaRAT campaign are continually updating their infection chains and malware versions by adding new features.”
According to telemetry data collected by the Russian cybersecurity vendor, as many as 14,739 attacks were recorded in Brazil and 11,695 in Mexico in 2025. At this time, it is unclear how many of these attacks resulted in a successful compromise.
First detected in the wild by Zscaler in June 2023, JanelaRAT leveraged a ZIP archive containing Visual Basic Script (VBScript) to download a second ZIP file that contained a legitimate executable and DLL payload. The final stage uses DLL sideloading techniques to launch the Trojan.
In a subsequent analysis published in July 2025, KPMG said the malware is being distributed via malicious MSI installer files disguised as legitimate software hosted on trusted platforms like GitLab. Attacks involving this malware primarily target Chile, Colombia, and Mexico.
“Once executed, the installer begins a multi-step infection process using Go, PowerShell, and a coordinated script written in batch,” KPMG noted at the time. “These scripts unzip ZIP archives containing RAT executables, malicious Chromium-based browser extensions, and supporting components.”
The script is designed to identify an installed Chromium-based browser and covertly modify its startup parameters (such as the “--load-extension” command line switch) to install the extension. The browser add-on then collects system information, cookies, browsing history, installed extensions, and tab metadata, and triggers specific actions when a visited URL matches predefined patterns.
The latest attack chain documented by Kaspersky Lab shows a phishing email disguised as an unpaid invoice tricking the recipient into clicking on a link to download a PDF file, which in turn downloads a ZIP archive and initiates the aforementioned attack chain with DLL sideloading to install JanelaRAT.
Since at least May 2024, JanelaRAT campaigns have migrated from Visual Basic scripts to MSI installers. The MSI installer uses DLL sideloading to act as a malware dropper and establish persistence on the host by creating a Windows shortcut (LNK) in the startup folder that points to the executable file.
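The two host-level traces described above, a Chromium-based browser launched with the “--load-extension” switch and a shortcut (LNK) dropped into the Startup folder by an installer, are both visible in ordinary endpoint telemetry. The following is an added detection example written for this article; it is not code from Kaspersky, KPMG or the malware itself. It runs three simple rules over constructed sample events whose field names only approximate a Sysmon process-create (event ID 1) and file-create (event ID 11) record; the exact schema, the list of browser and script-host binaries, and the sample paths are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon's Image / CommandLine / ParentImage / TargetFilename but are an assumption.
SAMPLE_EVENTS = [
    {  # 0: browser started with an extension side-loaded from a temp directory
        "event_id": 1,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                        r'--load-extension="C:\Users\user\AppData\Local\Temp\ext" --no-first-run',
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {  # 1: ordinary browser launch from the desktop shell, should not fire
        "event_id": 1,
        "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {  # 2: installer writes a shortcut into the per-user Startup folder
        "event_id": 11,
        "image": r"C:\Windows\System32\msiexec.exe",
        "target_filename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    },
    {  # 3: unrelated file write, should not fire
        "event_id": 11,
        "image": r"C:\Windows\System32\notepad.exe",
        "target_filename": r"C:\Users\user\Desktop\notes.txt",
    },
    {  # 4: installer spawning a script host to continue the infection chain
        "event_id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\setup.ps1",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
    },
]

# Binaries treated as Chromium-based browsers and as script hosts (assumed lists).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# The switch may be written as --load-extension=path or --load-extension path.
LOAD_EXTENSION_RE = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)
# Matches both the per-user and the all-users Startup folder path component.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def chromium_load_extension(event: dict) -> bool:
    """Rule 1: a Chromium-based browser process created with --load-extension."""
    return (event.get("event_id") == 1
            and basename(event.get("image", "")) in CHROMIUM_BROWSERS
            and bool(LOAD_EXTENSION_RE.search(event.get("command_line", ""))))


def startup_lnk_created(event: dict) -> bool:
    """Rule 2: a .lnk file created inside a Startup folder (persistence)."""
    target = event.get("target_filename", "")
    return (event.get("event_id") == 11
            and target.lower().endswith(".lnk")
            and bool(STARTUP_DIR_RE.search(target)))


def script_host_from_installer(event: dict) -> bool:
    """Rule 3: msiexec.exe spawning a PowerShell/cmd/script host."""
    return (event.get("event_id") == 1
            and basename(event.get("parent_image", "")) == "msiexec.exe"
            and basename(event.get("image", "")) in SCRIPT_HOSTS)


RULES = [
    ("chromium_load_extension", chromium_load_extension),
    ("startup_lnk_created", startup_lnk_created),
    ("script_host_from_installer", script_host_from_installer),
]


def triage(events: list) -> list:
    """Return one finding per (event, rule) pair that fires, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append({
                    "index": idx,
                    "rule": name,
                    "image": ev.get("image"),
                    "detail": ev.get("command_line") or ev.get("target_filename"),
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] event {finding['index']}: {finding['detail']}")
```

Each rule on its own is a triage signal rather than a verdict: “--load-extension” is also used by developers and browser test harnesses, software installers legitimately create Startup shortcuts, and some MSI packages run custom actions through PowerShell. What makes the combination worth escalating is the sequence the article describes, an installer launching a script host that then writes a Startup shortcut and restarts the browser with a side-loaded extension from a user-writable directory, so in practice these findings would be correlated per host and per time window rather than alerted individually.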
Once executed, the malware establishes communication with a command and control (C2) server via TCP sockets to register successful infection, monitor victim activity, and intercept sensitive banking transactions.
JanelaRAT’s main purpose is to obtain the title of the active window and compare it to a hard-coded list of financial institutions. If a match is found, the malware waits 12 seconds before opening a dedicated C2 channel and executing the malicious task received from the server. Supported commands include:
- Send screenshots to C2 servers
- Crop and extract images from specific screen areas
- Show images in full screen mode (e.g. “Configuring Windows Updates. Please wait”) and collect credentials by disguising banking-themed dialogs via fake overlays
- Capture keystrokes
- Simulate keyboard actions such as DOWN, UP, and TAB for navigation
- Move the cursor and simulate clicks
- Perform a forced system shutdown
- Run scripts and commands via “cmd.exe” and PowerShell
- Manipulate the Windows Task Manager to prevent its windows from being detected
- Flag the presence of anti-cheat systems
- Send system metadata
- Detect sandboxing and automation tools
“The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the time since the last user input,” Kaspersky said. “If the period of inactivity exceeds 10 minutes, the malware sends a corresponding message to notify the C2. When user activity occurs, it again notifies the threat actor. This allows it to track the user’s presence and the time of possible remote operations.”
“This variant represents a significant advancement in the attacker’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control capabilities. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection by anti-malware software.”
