Ethical Hacking News
JanelaRAT, a modified version of BX RAT, has been targeting banks and financial institutions in Latin American countries, including Brazil and Mexico. According to recent data, the malware accounted for 14,739 attacks in Brazil alone in 2025 and 11,695 in Mexico. This article walks through JanelaRAT's delivery chains, features, and capabilities, and highlights the risks it poses to financial institutions and their customers.
JanelaRAT steals financial and cryptocurrency data, tracks mouse input, logs keystrokes, and takes screenshots. Early campaigns used a ZIP archive carrying a VBScript that fetched a second archive containing the trojan, which is launched through DLL side-loading; later campaigns delivered rogue MSI installers whose orchestrating scripts in Go, PowerShell, and batch run a multi-stage infection that also installs a malicious Chromium browser extension. These installer-based attacks have primarily targeted Chile, Colombia, and Mexico. Once running, JanelaRAT registers with its command-and-control (C2) server over a TCP socket and monitors the victim to intercept sensitive banking activity; its commands include capturing keystrokes, simulating keyboard input, displaying fake bank overlays, and forcing a system shutdown.
JanelaRAT is designed to steal financial and cryptocurrency data associated with specific financial entities, and it can also track mouse input, log keystrokes, take screenshots, and collect system metadata. A key feature is its custom title-bar detection mechanism: the malware watches the titles of the victim's browser windows to recognize when a targeted website is open and then performs its malicious actions.
One delivery chain uses a ZIP archive containing a Visual Basic Script (VBScript) that downloads a second ZIP file holding a legitimate executable and a DLL payload. The final stage uses DLL side-loading: the legitimate executable is run and loads the attacker's DLL in place of the library it expects, which launches the trojan. JanelaRAT has also been distributed via rogue MSI installer files masquerading as legitimate software and hosted on trusted platforms such as GitLab.
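The side-loading stage above is the part of the chain a defender can hunt for generically, because a legitimate executable loading a DLL from its own directory in a user-writable location is unusual. The following is an added example, not code from the article or from Kaspersky or Zscaler: a heuristic run over constructed Sysmon Event ID 7 (Image loaded) records. The trusted install roots and the list of system DLL names are assumptions to be tuned for a real environment, and the sample paths are hypothetical.

```python
"""Heuristic for DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the article or from Kaspersky or Zscaler. The event
dicts below are constructed samples; the trusted roots and DLL name list are
assumptions to be tuned for a real environment.
"""
import ntpath

# Install locations where a DLL next to its host EXE is expected (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that normally resolve from System32 and are common side-loading targets
# (illustrative list, not exhaustive).
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll"}


def _norm_dir(path: str) -> str:
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.normcase(ntpath.dirname(path)).rstrip("\\") + "\\"


def is_side_load_candidate(event: dict) -> bool:
    """True when a DLL is loaded from the host EXE's own directory outside trusted
    install roots and is either unsigned or carries the name of a system DLL."""
    dll = event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return False
    exe_dir, dll_dir = _norm_dir(event["Image"]), _norm_dir(dll)
    if exe_dir != dll_dir or dll_dir.startswith(TRUSTED_ROOTS):
        return False
    unsigned = event.get("Signed", "false").lower() != "true"   # Sysmon writes "true"/"false"
    name_collision = ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES
    return unsigned or name_collision


def find_side_loads(events: list) -> list:
    """Return the ImageLoaded paths of all events that match the heuristic."""
    return [e["ImageLoaded"] for e in events if is_side_load_candidate(e)]


# Constructed sample events using Sysmon Event ID 7 field names; paths are hypothetical.
SAMPLE_EVENTS = [
    # 1. Browser loading its own helper DLL from Program Files: benign.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
     "Signed": "true"},
    # 2. Vendor EXE dropped into AppData loading an unsigned version.dll beside it:
    #    the side-loading shape described in the article.
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\version.dll",
     "Signed": "false"},
    # 3. Same EXE resolving version.dll from System32, as it should: benign.
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},
    # 4. Signed DLL with a non-system name beside an EXE in Temp: not flagged by this rule.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tool\plugin.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_EVENTS):
        print("possible DLL side-load:", hit)
```

Only the second sample is flagged. The rule deliberately ignores unsigned executables loading unsigned DLLs (that is ordinary malware, not side-loading) and DLLs resolved from System32; in production you would feed it the Sysmon event stream and add your own software inventory to the trusted roots.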
The campaigns using these installers have primarily targeted Chile, Colombia, and Mexico. Once executed, the installer starts a multi-stage infection process driven by orchestrating scripts written in Go, PowerShell, and batch. These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components.
The scripts identify installed Chromium-based browsers and quietly alter their launch parameters, for example by adding the "--load-extension" command-line switch, so that the browser loads the malicious extension on start. The extension then gathers system information, cookies, browsing history, installed extensions, and tab metadata, and triggers specific actions when a visited URL matches one of its patterns.
The latest attack chain documented by Kaspersky begins with phishing emails disguised as outstanding invoices. The recipient is lured into clicking a link to what is presented as a PDF file, but the link delivers a ZIP archive that starts the attack chain described above, ending in DLL side-loading to install JanelaRAT.
Since at least May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers. The installer acts as a dropper that launches the malware through DLL side-loading and establishes persistence by creating a Windows shortcut (LNK) in the Startup folder that points to the executable.
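Both the altered browser launch parameters described earlier and the Startup-folder persistence described here leave their trace in Windows shortcut (.lnk) files, so a single parser covers both hunts. The following is an added example, not code from the article or from Kaspersky or Zscaler. It assumes, since the article does not say where the scripts write the new parameters, that the "--load-extension" switch ends up in the browser shortcut's arguments; the shortcut bytes are constructed in-block with build_lnk(), the parser reads only the LinkInfo local path and the StringData section of the MS-SHLLINK format, and all file names and paths are hypothetical.

```python
"""Parse Windows shortcuts (.lnk, MS-SHLLINK) and flag two tricks: a Startup-folder
shortcut pointing into user-writable paths, and a Chromium-based browser shortcut
launched with --load-extension.

Added example, not code from the article or from Kaspersky or Zscaler. Shortcut bytes
are constructed by build_lnk(); the parser handles the LinkInfo local base path and
the StringData section only, which is enough for shortcuts of this shape.
"""
import ntpath
import struct

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + CLSID
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_DATA_ORDER = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                     ("arguments", 0x20), ("icon", 0x40))
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Constructed-sample generator: minimal shortcut with a local base path and arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(52)   # remaining header fields zero
    volume = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"        # VolumeID: fixed disk, empty label
    path = target.encode("cp1252") + b"\x00"
    base_off = 28 + len(volume)                                 # offsets are relative to LinkInfo
    suffix_off = base_off + len(path)
    link_info = (struct.pack("<7I", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off)
                 + volume + path + b"\x00")                     # empty CommonPathSuffix
    string_data = (struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")) if arguments else b""
    return header + link_info + string_data


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\x00", offset)].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> dict:
    """Return {'target': ..., 'arguments': ...} from shortcut bytes."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                                    # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                                     # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:                                   # VolumeIDAndLocalBasePath
            target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
        pos += info_size
    strings = {}
    for key, bit in STRING_DATA_ORDER:                          # fixed order per the spec
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, not bytes
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return {"target": target, "arguments": strings.get("arguments", "")}


def assess_shortcut(lnk_bytes: bytes, in_startup_folder: bool) -> list:
    """Findings for one shortcut (empty list when nothing looks wrong)."""
    link = parse_lnk(lnk_bytes)
    target_lc = link["target"].lower()
    findings = []
    if in_startup_folder and any(marker in target_lc for marker in USER_WRITABLE):
        findings.append("Startup persistence into user-writable path: " + link["target"])
    if ntpath.basename(target_lc) in CHROMIUM_EXES and "--load-extension" in link["arguments"]:
        findings.append("browser shortcut loads an extension from disk: " + link["arguments"])
    return findings


def scan_shortcuts(samples: dict) -> dict:
    """Map shortcut name -> findings, keeping only shortcuts that produced any."""
    report = {}
    for name, (blob, in_startup) in samples.items():
        findings = assess_shortcut(blob, in_startup)
        if findings:
            report[name] = findings
    return report


# Constructed samples: (shortcut bytes, whether the file sits in a Startup folder).
SAMPLES = {
    "Startup\\OneDrive.lnk": (build_lnk(r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"), True),
    "Desktop\\Google Chrome.lnk": (build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                             r"--load-extension=C:\Users\alice\AppData\Local\ext"), False),
    "Desktop\\Notepad.lnk": (build_lnk(r"C:\Windows\System32\notepad.exe"), False),
}

if __name__ == "__main__":
    for name, findings in scan_shortcuts(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

On a real host, read the bytes of every .lnk under the per-user and all-users Startup folders and of the browser shortcuts on the Desktop and Start Menu, and pass them through assess_shortcut(). Extensions installed through the Web Store live inside the browser profile and never need "--load-extension", so any shortcut carrying that switch deserves a look at the directory it names.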
Upon execution, the malware connects to its command-and-control (C2) server over a TCP socket to register the infection and then monitors the victim's activity to intercept sensitive banking interactions. Supported commands include sending screenshots to the C2 server, cropping specific screen regions and exfiltrating the images, displaying images in full-screen mode, and impersonating bank-themed dialogs with fake overlays to harvest credentials.
The malware can also capture keystrokes; simulate keyboard actions such as DOWN, UP, and TAB for navigation; move the cursor and simulate clicks; force a system shutdown; run commands or scripts through "cmd.exe" and PowerShell; manipulate Windows Task Manager so that its own window stays hidden; flag the presence of anti-fraud systems; send system metadata; and detect sandbox and automation tools.
JanelaRAT represents a notable step up in capability for the actors behind it. It combines multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote-control features, and it adapts its behavior when it detects anti-fraud software.
In conclusion, JanelaRAT is a sophisticated threat to Latin American banking systems, and its feature set makes it hard to detect and remove. Financial institutions should remain vigilant, monitor for the delivery and persistence techniques described above, and implement robust security measures to prevent and mitigate its impact.
Related Information:
https://www.ethicalhackingnews.com/articles/JanelaRAT-Malware-A-Sophisticated-Threat-to-Latin-American-Banking-Systems-ehn.shtml
https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html
https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech
Published: Mon Apr 13 15:26:38 2026 by llama3.2 3B Q4_K_M