The JanelaRAT malware has been aggressively targeting financial institutions across Latin America, specifically in countries such as Brazil and Mexico. This malicious software, a variant of the BX RAT, is designed to pilfer sensitive financial and cryptocurrency data from specific organizations. Additionally, it records keystrokes, monitors mouse activities, captures screenshots, and collects significant system information.
JanelaRAT’s Unique Mechanism
One noteworthy aspect of JanelaRAT is its use of a specialized title bar detection method: it watches browser window titles to recognize the websites it targets and then triggers its harmful activities. According to a recent Kaspersky report, the cybercriminals behind these operations are continually expanding the malware’s infection chain and feature set by integrating new functionalities.
Data from Kaspersky indicates a staggering 14,739 attack attempts in Brazil throughout 2025, alongside 11,695 in Mexico. The exact number of successful breaches remains uncertain. Initially identified by Zscaler in June 2023, JanelaRAT employs ZIP archives containing VBScript to download another ZIP file with a legitimate executable and a DLL payload, ultimately executing the trojan through DLL side-loading.
Distribution and Attack Tactics
Subsequent analysis by KPMG in July 2025 revealed that JanelaRAT is distributed via misleading MSI installer files, posing as genuine software on reputable platforms like GitLab. These attacks primarily target regions such as Chile, Colombia, and Mexico. The MSI installers initiate a complex infection process using scripts written in languages like Go and PowerShell, which unpack a ZIP archive containing the RAT executable and a malicious browser extension.
The scripts enumerate the installed Chromium-based browsers and modify their launch settings so that the extension is loaded without the user’s knowledge. The extension harvests system data, browsing history, and more, and runs specific tasks whenever a visited URL matches one of its patterns.
Advanced Attack Strategies
Recent Kaspersky findings highlight phishing emails posing as invoices that lure victims into downloading a PDF, which in turn fetches a ZIP file that starts the attack chain. Since May 2024, JanelaRAT has transitioned from VBScript to MSI installers, which rely on DLL side-loading and establish persistence by creating a shortcut in the Startup folder.
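Two of the host-side traits described above, a Chromium-based browser whose launch settings were altered to load an extension and a persistence shortcut dropped in the Startup folder, both leave evidence in Windows shortcut (.lnk) files. The following audit script is an added example for defenders, not code from the article or from any of the researchers cited. It assumes the shortcut inventory has already been exported as (shortcut path, target, arguments) records, for instance with PowerShell’s WScript.Shell COM object (CreateShortcut(...).TargetPath and .Arguments); the sample records are constructed, and the extension-loading switches checked (--load-extension, --disable-extensions-except) are an assumption, since the article says only that launch settings are modified.

```python
"""
Audit exported Windows shortcut (.lnk) data for two JanelaRAT-style traits:
  1. a Chromium-based browser whose launch arguments force an extension to load
  2. persistence through a shortcut placed in a user's Startup folder

Each record is (shortcut_path, target_path, arguments). The records below are
constructed sample data, not indicators taken from the article or a real host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Lower-case executable names of common Chromium-based browsers.
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                 "vivaldi.exe", "chromium.exe"}

# Chromium command-line switches that force an unpacked extension to load.
# Assumption: the article does not name the modified setting; these are the
# usual command-line candidates a defender would check first.
EXTENSION_SWITCHES = ("--load-extension", "--disable-extensions-except")

# Per-user Startup folder, matched anywhere in the shortcut's own path.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# User-writable locations in which a dropped payload commonly lives.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    shortcut: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_shortcut(shortcut_path: str, target: str, arguments: str) -> List[Finding]:
    """Return zero or more findings for a single exported shortcut."""
    findings: List[Finding] = []
    args_lc = arguments.lower()

    # Trait 1: a browser shortcut that side-loads an extension via the command line.
    if _basename(target) in CHROMIUM_EXES:
        for switch in EXTENSION_SWITCHES:
            if switch in args_lc:
                findings.append(Finding(shortcut_path,
                                        f"browser launch arguments contain {switch}"))

    # Trait 2: any Startup folder shortcut is an autorun entry worth review; one
    # whose target sits in a user-writable path is the more suspicious case.
    if STARTUP_RE.search(shortcut_path):
        where = "user-writable target" if USER_WRITABLE_RE.search(target) else "target"
        findings.append(Finding(shortcut_path,
                                f"Startup folder shortcut ({where}: {target})"))
    return findings


def audit_inventory(records: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Run audit_shortcut over every exported record and collect the findings."""
    out: List[Finding] = []
    for shortcut_path, target, arguments in records:
        out.extend(audit_shortcut(shortcut_path, target, arguments))
    return out


# Constructed sample inventory: one clean browser shortcut, one browser shortcut
# with an injected extension switch, one Startup persistence shortcut, and one
# browser shortcut carrying both switches.
SAMPLE_RECORDS = [
    (r"C:\Users\alice\Desktop\Google Chrome.lnk",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext"'),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
     r"C:\Users\alice\AppData\Roaming\Updater\updater.exe", ""),
    (r"C:\Users\alice\Desktop\Brave.lnk",
     r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     r"--disable-extensions-except=C:\tmp\ext --load-extension=C:\tmp\ext"),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_RECORDS):
        print(f"{finding.shortcut}: {finding.reason}")
```

On the constructed sample the audit reports four findings: one for the Edge shortcut, two for the Brave shortcut, and one for the Startup folder entry, whose target under AppData is flagged as user-writable. The checks are deliberately narrow so they stay cheap to run across a fleet; a shortcut that matches is a lead for triage, not a confirmed infection.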
Upon activation, the malware connects to a command-and-control (C2) server to track the victim’s activities and intercept sensitive financial interactions. It monitors active windows to identify financial institutions listed in its code. If a match is found, it opens a dedicated C2 channel to execute malicious tasks. These tasks range from capturing screenshots to executing system commands and simulating user interactions.
Kaspersky notes that the malware detects when the victim’s machine is idle, notifies the C2 server after 10 minutes of inactivity, and resumes its operations once user activity is detected again. This version of JanelaRAT signifies a major leap in the attackers’ capabilities, featuring multiple communication channels, extensive monitoring, and sophisticated remote control mechanisms, all while evading detection by anti-fraud systems.
