In recent years there has been a sustained increase in campaigns directed against financial institutions in Latin America, and one of the most prominent actors in this landscape is a remote access trojan known as JanelaRAT. It is an evolution of an earlier tool called BX RAT, and its modus operandi combines traditional infection techniques with advanced espionage and remote-control capabilities aimed at intercepting banking operations and cryptocurrency data.
JanelaRAT is not a single monolithic binary but a set of components that work in concert. Its campaigns have ranged from ZIP files containing Visual Basic scripts to MSI installers posing as legitimate software hosted on trusted platforms. Several analyses describe a multi-stage sequence: an initial file (for example a ZIP or an installer) downloads additional components, including a legitimate executable and a malicious DLL, and uses DLL side-loading so that the trusted binary loads and runs the malicious code without raising immediate suspicion.

The entry vectors have changed over time. Public investigations point out that the first detections used VBScript embedded in email attachments; the campaigns then evolved to MSI installers acting as droppers, which also seek persistence by creating a shortcut in the Windows Startup folder. The use of malicious extensions for Chromium-based browsers has also been documented: they are installed silently by modifying the browser's launch parameters to include the --load-extension switch. The extension acts as an additional layer that captures cookies, browsing history, the list of installed extensions and tab metadata, and executes actions when the user visits specific pages.
One of the hallmarks of the malware is its interest in the active windows on the system. The code obtains the title of the foreground window and compares it against a preconfigured list of financial institutions. When it detects a match it waits a short period (technical reports mention about 12 seconds) and then establishes a dedicated channel with its command-and-control (C2) server to receive orders. This logic lets the attacker focus exclusively on the relevant interactions, reducing noise and the probability of detection.
JanelaRAT's remote-control capabilities are broad and designed to evade controls. The commands it can execute include capturing the full screen or specific regions, displaying fake windows that mimic bank dialogs to steal credentials, logging keystrokes, simulating mouse movements and clicks, and injecting keystrokes to navigate interfaces. The malware can force a shutdown, run commands through cmd.exe or PowerShell, and manipulate system tools such as Task Manager in an attempt to stay hidden. It also incorporates routines to identify anti-fraud solutions, sandbox environments or automation mechanisms, and adjusts its behavior when it detects these defenses.
An interesting operational detail is that JanelaRAT monitors the user's activity: it calculates the time elapsed since the last interaction and notifies the C2 when the machine has been idle for more than ten minutes, reporting again when activity resumes. This lets the attackers choose the right moment to carry out visible operations and minimize the chance of being caught by the machine's owner.
Telemetry published by security vendors shows the scale of the phenomenon in the region. For example, vendors analyzing these campaigns have reported tens of thousands of attack attempts in countries such as Brazil and Mexico over a given period, while other campaigns have particularly affected Chile and Colombia. It is important to stress that not every attempt results in a successful compromise, but the presence and persistence of this actor make it clear that banks and their customers are constant targets.
Researchers and interested readers can explore these dynamics further in the technical analyses published by cybersecurity companies; for example, the Zscaler research team recorded the first appearances of this malware family in 2023 and has documented its evolution, and Kaspersky and other firms have published complementary assessments of variants and incidence statistics. To understand the techniques it uses, such as input capture or screen capture, consult the reference resources that classify these capabilities and their countermeasures (Zscaler Research, Kaspersky Lab, and the technique descriptions in the MITRE ATT&CK knowledge base: Input Capture (T1056) and Screen Capture (T1113)).
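The --load-extension indicator described above is easy to hunt for in process-creation telemetry. The following is an added example written for this article, not JanelaRAT code and not a vendor's detection rule: it parses Windows-style command lines (quoted paths with spaces, Chromium's --load-extension=path1,path2 syntax, case-insensitive switch names) and flags Chromium-based browsers launched with a side-loaded extension. The browser list and the Sysmon-style sample records are constructed for illustration.

```python
"""Hunt for Chromium browsers started with --load-extension (added example).

Not part of the JanelaRAT analysis; the browser list and sample events below
are constructed assumptions, and the command-line splitter is a simplified
version of Windows argv rules (quotes group text, backslash escapes ignored).
"""
import re
from dataclasses import dataclass

# Assumed set of Chromium-based browser image names (constructed list).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium accepts --switch, -switch and, on Windows, /switch; switch names are
# matched case-insensitively so casing tricks do not evade the check.
LOAD_EXT = re.compile(r"^(?:--?|/)load-extension=(.+)$", re.IGNORECASE)

# Constructed sample records in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\ana\AppData\Roaming\upd ext" --no-first-run'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --LOAD-EXTENSION=C:\Temp\a,C:\Temp\b'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --load-extension=C:\x"},  # not a browser: ignored
]


@dataclass(frozen=True)
class Finding:
    image: str
    extension_paths: tuple


def win_argv(cmdline: str) -> list:
    """Split a Windows command line into arguments.

    Double quotes group text containing spaces and are dropped from the token,
    so '--load-extension="C:\\a b"' becomes one argument '--load-extension=C:\\a b'.
    The backslash-escape rules of CommandLineToArgvW are deliberately omitted.
    """
    args, cur, in_quote, has_token = [], [], False, False
    for c in cmdline:
        if c == '"':
            in_quote = not in_quote
            has_token = True
        elif c.isspace() and not in_quote:
            if has_token:
                args.append("".join(cur))
                cur, has_token = [], False
        else:
            cur.append(c)
            has_token = True
    if has_token:
        args.append("".join(cur))
    return args


def find_sideloaded_extensions(events) -> list:
    """Return one Finding per browser launch that carries --load-extension."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe not in CHROMIUM_BROWSERS:
            continue
        paths = []
        for arg in win_argv(ev.get("CommandLine", ""))[1:]:
            m = LOAD_EXT.match(arg)
            if m:
                # Chromium allows several comma-separated extension directories.
                paths.extend(p.strip() for p in m.group(1).split(",") if p.strip())
        if paths:
            findings.append(Finding(image, tuple(paths)))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_extensions(SAMPLE_EVENTS):
        print(f"{f.image} side-loads: {', '.join(f.extension_paths)}")
```

Fed real Sysmon or EDR process-creation events instead of the constructed list, the same function also catches the persistence variant the article describes, because a shortcut in the Startup folder that appends the switch still produces a browser process whose command line contains it.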

For users and security officers in financial institutions the implications are clear: a layered approach is needed, including training to recognize phishing emails (for example, fake invoices that lure the user into downloading files), rigorous controls on the provenance and integrity of installers, hardening of browsers and extensions, and monitoring for unusual behavior on endpoints and in outbound traffic. Organizations should also review their software deployment policies to prevent unverified installers from spreading from apparently legitimate repositories.
There is no single silver bullet, but there are practical measures that greatly reduce the risk. Keeping systems and browsers up to date, verifying the digital signatures of installers, using multi-factor authentication for sensitive access, deploying behavior-based detection and anti-malware solutions, and segmenting networks to limit what a malicious agent can reach are concrete steps. If an infection is suspected, an early response (isolating the machine, analyzing persistence mechanisms and communication channels and, where appropriate, reimaging the system) reduces the impact.
What JanelaRAT's trajectory makes clear is that Latin American and global attackers are investing in the sophistication of their tools and the adaptability of their infection chains. The combination of social engineering, abuse of legitimate system mechanisms and malicious browser extensions creates a broad attack surface. Staying informed through specialized sources and adopting behavior-based defenses is today the best way to protect both banking institutions and their customers from this threat.