JanelaRAT, a malware family aimed at banks and financial institutions in Latin America, has been used against victims in Brazil and Mexico, with Kaspersky saying it recorded 14,739 attacks in Brazil and 11,695 in Mexico in 2025.
KEY FACTS
- Targets: Banks and financial entities in Latin America, especially Brazil and Mexico.
- Volume: Kaspersky recorded 14,739 attacks in Brazil and 11,695 in Mexico in 2025.
- Access: The malware steals banking and cryptocurrency data, logs keystrokes and takes screenshots.
- Delivery: Campaigns have used phishing emails, ZIP archives and MSI installers.
The technical analysis from Kaspersky says JanelaRAT is a modified version of BX RAT and uses a custom title bar detection mechanism to identify targeted websites in victims’ browsers. The malware then adjusts its behavior when it finds a match with a hard-coded list of financial institutions.
Earlier reporting on the malware said it first surfaced in June 2023, when it used ZIP archives and VBScript to download a second archive that carried a legitimate executable and a DLL payload. Later campaigns shifted to rogue MSI installers hosted on trusted platforms, including GitLab, and used DLL side-loading to launch the trojan.
The latest attack chain described in the report begins with phishing emails disguised as outstanding invoices. Recipients are pushed to open a PDF link, which leads to a ZIP archive that starts the infection chain and can install a malicious Chromium-based browser extension.
Once active, the malware establishes persistence with a Windows shortcut (.lnk) in the Startup folder, opens a TCP connection to a command-and-control server and tracks user activity. It can capture screenshots, crop screen regions, exfiltrate images, simulate keyboard input, move the cursor, run PowerShell or cmd.exe commands, and display fake bank or system overlays to harvest credentials.
The report says the malware also checks for inactivity longer than 10 minutes, watches for anti-fraud software and tries to hide its presence from Task Manager. Kaspersky said the design shows more advanced remote-control features and a stronger effort to reduce user visibility.
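As an added illustration, not taken from Kaspersky's report or this article, the Python below sketches how a defender might hunt for two of the behaviors described above in Sysmon-style telemetry: a shortcut dropped into a Startup folder, and an outbound TCP connection from a binary running out of a user-writable directory, with the second upgraded in severity when the same binary has already dropped persistence. The event records, field names, file paths and IP addresses are constructed for the example; real Sysmon output is XML or JSON with collector-specific field names, so the record layout here is an assumption.

```python
"""Hunting for Startup-shortcut persistence plus outbound C2 in Sysmon-style events.

Added example (not from the report). Event dicts are a simplified, constructed
stand-in for Sysmon records; only the event IDs are real Sysmon values.
"""
import re

# Real Sysmon event IDs: 11 = FileCreate, 3 = NetworkConnect.
FILE_CREATE = 11
NETWORK_CONNECT = 3

# Both the per-user and the all-users Startup folders end with this suffix.
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE
)

# Heuristic: locations a standard user can write to. A binary executing from
# one of these that also persists or talks out is worth a closer look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). Paths, hostnames and
# addresses are placeholders; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_EVENTS = [
    {"id": FILE_CREATE,
     "image": r"C:\Users\ana\AppData\Roaming\svc\host.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": FILE_CREATE,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\ana\Documents\invoice.docx"},
    {"id": NETWORK_CONNECT,
     "image": r"C:\Users\ana\AppData\Roaming\svc\host.exe",
     "dest": "203.0.113.10", "port": 4444},
    {"id": NETWORK_CONNECT,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "203.0.113.20", "port": 443},
    {"id": NETWORK_CONNECT,
     "image": r"C:\Users\ana\Downloads\tool.exe",
     "dest": "198.51.100.7", "port": 8080},
]


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a non-admin user can write to."""
    return bool(USER_WRITABLE_RE.search(path))


def is_startup_lnk_drop(event: dict) -> bool:
    """FileCreate of a .lnk inside a Startup folder (persistence via shortcut)."""
    return event["id"] == FILE_CREATE and bool(STARTUP_LNK_RE.search(event["target"]))


def is_suspect_netconn(event: dict) -> bool:
    """Outbound connection made by a binary living in a user-writable directory."""
    return event["id"] == NETWORK_CONNECT and is_user_writable(event["image"])


def hunt(events: list) -> list:
    """Return (severity, rule, image) for every event that matches a rule.

    Events are walked in order so a network connection can be correlated with
    an earlier Startup shortcut drop by the same binary and raised to 'high'.
    """
    findings = []
    persisted = set()  # lower-cased images that already dropped a Startup .lnk
    for e in events:
        if is_startup_lnk_drop(e):
            persisted.add(e["image"].lower())
            findings.append(("medium", "startup_lnk", e["image"]))
        elif is_suspect_netconn(e):
            sev = "high" if e["image"].lower() in persisted else "medium"
            findings.append((sev, "userdir_netconn", e["image"]))
    return findings


if __name__ == "__main__":
    for sev, rule, image in hunt(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:16} {image}")
```

Run against the constructed events, `hunt` flags the shortcut drop by `host.exe`, raises that binary's later outbound connection to high, and reports `tool.exe` from Downloads as medium, while Word writing a document and Chrome talking on 443 pass through untouched. In production the same two rules map directly onto Sysmon event IDs 11 and 3; the value is in the correlation between them, since either signal alone produces noise.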
WHY IT MATTERS
The campaign shows how financial malware is combining browser manipulation, input capture and remote control to target online banking sessions. For victims and defenders, that raises the risk of credential theft and account abuse even when the initial infection appears to come from a routine document or installer.