
A sophisticated malware campaign involving the JanelaRAT trojan is actively targeting banks and financial institutions across Latin America, with a sharp rise in attacks observed in countries such as Brazil and Mexico. According to cybersecurity researchers, the malware has been used in over 14,700 attacks in Brazil alone in 2025, along with more than 11,000 incidents in Mexico.
JanelaRAT is a modified version of the older BX RAT malware and is specifically designed to steal financial and cryptocurrency-related data. In addition to data theft, it is capable of tracking user activity through keystroke logging, capturing screenshots, monitoring mouse movements, and collecting system-level information from infected devices.
One of the features that sets JanelaRAT apart from similar threats is a custom "title bar detection" mechanism: the malware reads the titles of the victim's open windows and compares them against a list of targeted banking and cryptocurrency platforms. Capture and other malicious actions are triggered only when a matching window is in focus, so the RAT stays quiet on a machine that is not being used for banking and collects data only when it is worth collecting.
The infection chain is multi-stage and built for evasion. It typically begins with a ZIP archive containing a VBScript (.vbs) file that, once run, downloads the next stage. That stage consists of a legitimate executable dropped alongside a malicious DLL named after a library the executable expects to find; when the benign binary runs it loads the attacker's DLL from its own directory (DLL side-loading), so the malicious code executes under a trusted process name and slips past controls that whitelist by executable. For defenders the tell is the combination: a trusted binary running from a user-writable location such as %TEMP% or %APPDATA% and loading an unsigned DLL from that same folder.
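The two delivery stages described above leave distinct host telemetry, and the following added example (not code from the article or from the researchers it cites) shows how to hunt for both over process-creation and image-load events. The records are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) fields; the paths, file names such as `fatura.vbs`, `viewer.exe` and `version.dll`, and the list of user-writable directories are assumptions for illustration, not indicators from the campaign.

```python
"""Hunting heuristics for a ZIP -> VBScript -> DLL side-loading chain.

Stage 1: a Windows script host (wscript/cscript) running a .vbs from a
         user-writable directory, which is where an extracted ZIP lands.
Stage 2: an executable living in a user-writable directory loading an
         unsigned DLL from its own folder (the side-loading layout).
The event dicts below are CONSTRUCTED to look like Sysmon EID 1 and EID 7
data; they are not real telemetry.  Sysmon only populates the Signed /
SignatureStatus fields on EID 7 when configured to do so.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# Assumed list of locations an unprivileged user can write to.  Extend for
# your own environment (network shares, redirected profiles, etc.).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads)\\|users\\public\\|programdata\\)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def _tokens(cmdline: str) -> List[str]:
    # Quoted arguments may contain spaces; everything else splits on whitespace.
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect_script_stage(ev: Dict[str, str]) -> Optional[str]:
    """Stage 1: a script host executing a .vbs from a user-writable directory."""
    if ev.get("EventID") != "1":
        return None
    host = ntpath.basename(ev.get("Image", "")).lower()
    if host not in SCRIPT_HOSTS:
        return None
    for tok in _tokens(ev.get("CommandLine", "")):
        if tok.lower().endswith(".vbs") and is_user_writable(tok):
            return f"VBS-FROM-USER-DIR {host} -> {tok}"
    return None


def detect_sideload(ev: Dict[str, str]) -> Optional[str]:
    """Stage 2: a process in a user-writable directory loading an unsigned DLL
    that sits in the same directory as the executable."""
    if ev.get("EventID") != "7":
        return None
    exe = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    if not (is_user_writable(exe) and dll.lower().endswith(".dll")):
        return None
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    dll_unsigned = ev.get("Signed", "false").lower() != "true"
    if same_dir and dll_unsigned:
        return f"SIDELOAD {ntpath.basename(exe)} <- {ntpath.basename(dll)}"
    return None


def hunt(events: Iterable[Dict[str, str]]) -> List[str]:
    hits: List[str] = []
    for ev in events:
        for rule in (detect_script_stage, detect_sideload):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events (not real campaign data).
SAMPLE_EVENTS = [
    # Stage 1: victim opened an invoice ZIP in Explorer and launched the VBS.
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_fatura.zip\fatura.vbs"'},
    # Benign: a built-in script run from System32.
    {"EventID": "1", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript C:\Windows\System32\slmgr.vbs /dlv"},
    # Stage 2: dropped executable loads an unsigned DLL from its own folder.
    {"EventID": "7", "Image": r"C:\Users\ana\AppData\Roaming\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Roaming\Viewer\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: the same process loading a real, signed system DLL.
    {"EventID": "7", "Image": r"C:\Users\ana\AppData\Roaming\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Benign: properly installed software loading its own signed plugin.
    {"EventID": "7", "Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Program Files\Editor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Run against the samples, only the two malicious events fire: the VBS launched from the ZIP extraction path under %TEMP%, and the unsigned DLL loaded from the same %APPDATA% folder as its host executable. The same-directory test is what keeps the rule quiet on the dropped process loading kernel32.dll, and the user-writable test is what keeps it quiet on software installed under Program Files.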
Further analysis has shown that the attackers also distribute the malware through rogue installer packages posing as legitimate software on trusted platforms. Once executed, these installers drop a mix of components, Go binaries, PowerShell scripts and batch files among them, that establish persistence and stage additional payloads, including malicious browser extensions.
The browser extensions harvest cookies, browsing history and session data, and perform targeted actions when the browser visits specific banking URLs, the in-browser counterpart of the window-title check. A stolen session cookie is especially valuable because it lets the operator ride an already-authenticated session, sidestepping the login and any second factor the bank enforces at sign-in. This makes the malware particularly dangerous for online banking users, since it can silently monitor and manipulate financial transactions.
The campaign illustrates the growing sophistication of financial malware aimed at emerging markets, where attackers keep refining their techniques to evade detection and maximize impact. Security experts warn that organizations and individuals in the region should harden endpoints, with particular attention to the behaviours this chain depends on: restrict or monitor the Windows script hosts that execute .vbs files, alert on trusted executables running from and loading DLLs out of user-writable directories, audit browser extension installs, and treat unsolicited archives and installers with suspicion.
