{"id":583,"date":"2026-04-13T19:27:10","date_gmt":"2026-04-13T19:27:10","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=583"},"modified":"2026-04-13T19:27:10","modified_gmt":"2026-04-13T19:27:10","slug":"janelarat-malware-targets-latin-american-banks-with-14739-attacks-in-brazil-in-2025","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=583","title":{"rendered":"JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 13, 2026<\/span><\/span>Threat Intelligence \/ Malware<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT<\/strong>.<\/p>\n

A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata.<\/p>\n

\u00abOne of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions,\u00bb Kaspersky said<\/a> in a report published today. \u00abThe threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Telemetry data gathered by the Russian cybersecurity vendor shows that as many as 14,739 attacks were recorded in Brazil in 2025 and 11,695 in Mexico. It’s currently not known how many of these resulted in a successful compromise.<\/p>\n

First detected in the wild by Zscaler in June 2023, JanelaRAT has leveraged ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file, which, in turn, comes with a legitimate executable and a DLL payload. The final stage employs the DLL side-loading technique to launch the trojan.<\/p>\n

In a subsequent analysis published in July 2025, KPMG said the malware is distributed via rogue MSI installer files masquerading as legitimate software hosted on trusted platforms like GitLab. Attacks involving the malware have primarily singled out Chile, Colombia, and Mexico.<\/p>\n

\u00abUpon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,\u00bb KPMG noted<\/a> at the time. \u00abThese scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components.\u00bb<\/p>\n

The scripts are also designed to identify installed Chromium-based browsers and stealthily modify their launch parameters (such as the \u00ab–load-extension\u00bb command line switch) to install the extension. The browser add-on then proceeds to gather system information, cookies, browsing history, installed extensions, and tab metadata, along with triggering specific actions based on URL pattern matches.<\/p>\n

The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive that initiates the aforementioned attack chain involving DLL side-loading to install JanelaRAT.<\/p>\n

At least since May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers, which act as a dropper for the malware using DLL side-loading and establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.<\/p>\n

Upon execution, the malware establishes communications with a command-and-control (C2) server via a TCP socket to register a successful infection and keeps tabs on the victim’s activity to intercept sensitive banking interactions.\u00a0<\/p>\n

JanelaRAT’s main goal is to obtain the title of the active window and compare it against a hard-coded list of financial institutions. If there is a match, the malware waits 12 seconds before opening a dedicated C2 channel and executing malicious tasks received from the server. Some of the supported commands include –<\/p>\n