# JanelaRAT Malware Persistently Targets Latin American Financial Institutions

A Remote Access Trojan (RAT) named **JanelaRAT** continues to plague financial institutions across Latin America. This malware, a modified version of BX RAT, is designed to steal financial data and track user activity, and it is delivered through techniques such as DLL side-loading and abuse of browser extensions.

Banks and financial institutions in Latin American countries like Brazil and Mexico are still under attack by a malware family called **JanelaRAT**.
## JanelaRAT: A Deep Dive
A modified version of BX RAT, **JanelaRAT** is designed to steal financial and cryptocurrency data. It targets specific financial entities and can track mouse inputs, log keystrokes, take screenshots, and collect system metadata.
"One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions," **Kaspersky** said in a report. "The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features."
Telemetry data from **Kaspersky** indicates that Brazil saw 14,739 attacks in 2025, while Mexico experienced 11,695. The success rate of these attacks remains unknown.
## Infection Vectors and Techniques
First detected by **Zscaler** in June 2023, **JanelaRAT** initially used ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file. This second archive contained a legitimate executable and a DLL payload. The malware then used DLL side-loading to launch the trojan.

A subsequent analysis by **KPMG** in July 2025 revealed that the malware is now distributed via rogue MSI installer files disguised as legitimate software hosted on trusted platforms like **GitLab**. These attacks primarily targeted Chile, Colombia, and Mexico.
"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch," **KPMG** noted. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."
These scripts also identify installed Chromium-based browsers and modify their launch parameters, for example by adding the `--load-extension` command-line switch, so that the malicious extension is loaded at browser start. The browser add-on then gathers system information, cookies, browsing history, installed extensions, and tab metadata, and triggers specific actions when a URL matches one of its patterns.
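As an added defensive illustration, not code from the KPMG or Kaspersky analyses, the Python below hunts process-creation events for Chromium-based browsers started with the `--load-extension` switch and notes whether the loaded extension directory sits in a user-writable location. The event field names (`pid`, `image`, `cmdline`) and the sample events are constructed for this example.

```python
"""Hunt for Chromium-based browsers started with the --load-extension switch,
the launch-parameter modification described above. Event field names and the
sample events are constructed for this example, not real telemetry."""
import re
from pathlib import PureWindowsPath

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# The value may be quoted or bare and may list several directories separated by commas.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Locations a dropper running as the logged-on user can write without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def extension_dirs(cmdline: str) -> list:
    """Return every directory passed via --load-extension on the command line."""
    dirs = []
    for m in LOAD_EXT_RE.finditer(cmdline):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        dirs.extend(p.strip() for p in value.split(",") if p.strip())
    return dirs

def scan(events) -> list:
    """Return one finding per Chromium launch that side-loads an unpacked extension.
    Each finding is (pid, image, extension_dirs, any_dir_user_writable)."""
    findings = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in CHROMIUM_IMAGES:
            continue  # the switch on a non-browser process is out of scope for this rule
        dirs = extension_dirs(ev["cmdline"])
        if not dirs:
            continue
        writable = any(mk in d.lower() for d in dirs for mk in USER_WRITABLE)
        findings.append((ev["pid"], ev["image"], dirs, writable))
    return findings

SAMPLE_EVENTS = [  # constructed process-creation events
    {"pid": 4012, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\ana\AppData\Local\Temp\upd\ext" --no-first-run'},
    {"pid": 4100, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"pid": 4200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe --load-extension=C:\dev\ext"},
]

if __name__ == "__main__":
    for pid, image, dirs, writable in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} loads {dirs} (user-writable path: {writable})")
```

Legitimate developer use of `--load-extension` exists, so treat a hit as a triage lead and confirm against the shortcut or script that launched the browser rather than as a verdict on its own.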
## Recent Attack Chains
**Kaspersky's** latest analysis shows that phishing emails, disguised as outstanding invoices, trick recipients into downloading a PDF file. Clicking a link in the PDF downloads a ZIP archive that initiates the DLL side-loading attack chain to install **JanelaRAT**.
Since May 2024, **JanelaRAT** campaigns have shifted from Visual Basic scripts to MSI installers, which drop the malware and launch it via DLL side-loading. Persistence is established by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.
## Malware Functionality
Upon execution, the malware communicates with a command-and-control (C2) server via a TCP socket to register the infection and monitor the victim's activity, intercepting sensitive banking interactions.
**JanelaRAT's** core routine is to read the title of the active window and compare it against a hard-coded list of financial institutions. If there is a match, the malware waits 12 seconds before opening a dedicated C2 channel and executing tasks sent from the server. Supported commands include:
* Sending screenshots to the C2 server
* Cropping specific screen regions and exfiltrating images
* Displaying images in full-screen mode (e.g., "Configuring Windows updates, please wait") and impersonating bank-themed dialogs via fake overlays to harvest credentials
* Capturing keystrokes
* Simulating keyboard actions
* Moving the cursor and simulating clicks
* Executing a forced system shutdown
* Running commands through "cmd.exe", and running PowerShell commands or scripts
* Manipulating Windows Task Manager to hide its window
* Flagging the presence of anti-fraud systems
* Sending system metadata
* Detecting sandbox and automation tools
**Kaspersky** noted, "The malware determines if the victim's machine has been inactive for more than 10 minutes... This makes it possible to track the user's presence and routine to time possible remote operations."
This variant represents a significant advancement, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software.