JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025
JanelaRAT Surges Across Latin America: Over 26,000 Attacks Target Financial Institutions in Brazil and Mexico
The Latin American financial sector is facing an intensive wave of cyberattacks as the "JanelaRAT" malware family continues to evolve. Recent telemetry data highlights a massive surge in activity, with tens of thousands of recorded attacks targeting users in Brazil and Mexico throughout 2025.
TL;DR
JanelaRAT, a sophisticated derivative of BX RAT, has launched over 14,000 attacks in Brazil and 11,000 in Mexico. The malware uses advanced DLL side-loading, MSI installers, and a unique window-title detection mechanism to compromise banking and cryptocurrency data.
A Growing Threat to Latin American Finance
JanelaRAT is a banking trojan designed specifically to target financial institutions and cryptocurrency users in Latin America. According to recent findings from Kaspersky, the malware tracked a staggering 14,739 attacks in Brazil and 11,695 in Mexico in 2025 alone.
While the malware was first identified by Zscaler in June 2023, its developers have continuously refined the infection chain. What began as a VBScript-based downloader has evolved into a multi-stage process involving legitimate executables and malicious DLL side-loading.
The Evolution of the Infection Chain
The threat actors behind JanelaRAT have shifted their distribution methods to increase success rates and bypass security measures.
- Phishing Origins: The latest campaigns often begin with phishing emails disguised as outstanding invoices. These emails contain links to a PDF file which, when clicked, triggers the download of a malicious ZIP archive.
- Malicious MSI Installers: Since May 2024, the group has moved toward using rogue MSI installers. These are often hosted on trusted platforms like GitLab and masquerade as legitimate software.
- Orchestration via Go and PowerShell: Organizations like KPMG have noted that these installers use complex scripts written in Go, PowerShell, and Batch to unpack the final payload and establish persistence.
- Persistence: The malware ensures it remains on the system by creating a Windows Shortcut (.LNK) in the Startup folder, pointing to the malicious executable.
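The Startup-folder shortcut described in the last step is a useful hunting artifact: a .LNK whose target resolves to a user-writable directory rather than a program directory is worth a second look. The following Python is an added example (not code from the article or from any vendor named in it): it parses the Shell Link binary format (MS-SHLLINK) offline, recovers each shortcut's target, and flags targets outside trusted locations. The directory prefixes, the `build_lnk` fixture builder and the sample shortcut names are assumptions constructed for the demonstration.

```python
"""Offline triage of Startup-folder shortcuts: parse the Shell Link format
(MS-SHLLINK) to recover each .LNK target and flag targets outside trusted dirs."""
import struct

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def lnk_target(data: bytes) -> str:
    """Return LocalBasePath + CommonPathSuffix from a .LNK blob ('' if absent)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]        # LinkFlags
    pos = 0x4C                                             # end of ShellLinkHeader
    if flags & 0x1:                                        # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip IDListSize + IDList
    if not flags & 0x2:                                    # no LinkInfo, no path
        return ""
    info = pos
    _, _, lflags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, info)
    if not lflags & 0x1:                                   # VolumeIDAndLocalBasePath
        return ""

    def cstr(off: int) -> str:                             # NUL-terminated ANSI string
        end = data.index(b"\x00", info + off)
        return data[info + off:end].decode("cp1252", "replace")

    return cstr(base_off) + cstr(suffix_off)


def is_suspicious(target: str) -> bool:
    """Flag Startup targets outside Windows/Program Files (user-writable dirs)."""
    return not target.lower().startswith(TRUSTED_PREFIXES)


def build_lnk(target: str) -> bytes:
    """Construct a minimal .LNK (header + LinkInfo) as a test fixture (assumed helper)."""
    base = target.encode("cp1252") + b"\x00"
    vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # VolumeID: DRIVE_FIXED, empty label
    hdr, base_off = 0x1C, 0x1C + len(vol)                  # LinkInfo header w/o Unicode offsets
    info = struct.pack("<7I", base_off + len(base) + 1, hdr, 0x1, hdr, base_off, 0,
                       base_off + len(base)) + vol + base + b"\x00"
    header = struct.pack("<I", 0x4C) + b"\x00" * 16 + struct.pack("<I", 0x2) + b"\x00" * 52
    return header + info


# Constructed samples standing in for .LNK files collected from a Startup folder.
SAMPLES = {"Update.lnk": build_lnk(r"C:\Users\victim\AppData\Roaming\Updater\legit.exe"),
           "Tool.lnk": build_lnk(r"C:\Program Files\Vendor\tool.exe")}


def triage(samples: dict) -> dict:
    """Map shortcut name -> (target path, suspicious flag)."""
    targets = {name: lnk_target(blob) for name, blob in samples.items()}
    return {name: (t, is_suspicious(t)) for name, t in targets.items()}
```

On a live host, feed the bytes of each file in the per-user and all-users Startup folders to `lnk_target`; a target under a user profile that launches a renamed legitimate binary next to an unexpected DLL is the side-loading pattern the article describes.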
Specialized Capabilities: The Window Title Match
What sets JanelaRAT apart from its predecessor, BX RAT, is its custom title bar detection mechanism.
Once active on a victim's machine, the malware monitors the titles of all active windows. It compares these titles against a hard-coded list of target financial entities. If a match is found (indicating the user is visiting a banking site), the malware waits 12 seconds before opening a dedicated Command-and-Control (C2) channel to receive instructions from the attackers.
Comprehensive Control and Surveillance
JanelaRAT is a full-featured Remote Access Trojan (RAT) with a wide list of capabilities designed to exfiltrate data and manipulate the user’s experience:
- Credential Harvesting: It can display full-screen fake overlays—such as "Configuring Windows updates" or bank-themed dialogs—to trick users into entering sensitive information.
- Screen and Input Capture: The malware logs keystrokes, takes screenshots, and can even crop specific regions of the screen to steal visual data.
- System Manipulation: Attackers can move the cursor, simulate keyboard actions (like Tab and Enter) for navigation, and execute arbitrary commands via cmd.exe or PowerShell.
- Stealth Features: JanelaRAT is designed to hide its window from the Windows Task Manager and can detect the presence of anti-fraud systems, sandboxes, and automation tools.
- Activity Monitoring: The malware tracks user inactivity. If a user is idle for more than 10 minutes, it notifies the C2 server, allowing threat actors to time their remote operations when the user is away from the keyboard.
Unknown Impact
While the number of recorded attacks is high, it is currently unknown how many of these 26,000+ attempts resulted in a successful compromise of funds or data. However, the sophisticated nature of the trojan—combining DLL side-loading with interactive overlays and robust remote control—represents a significant advancement in the capabilities of regional cybercriminals.
As JanelaRAT continues to update its code and delivery methods, financial institutions and their customers in LATAM must remain hyper-vigilant against increasingly convincing phishing lures and unofficial software installers.
Source: https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html