securelist.com 4/13/2026, 9:22:36 AM

JanelaRAT targets Latin American banks via fake invoice emails


JanelaRAT is a malware family that targets financial data from banks and financial institutions in Latin America, with a focus on Brazilian and Mexican banking users. The latest analysis notes that JanelaRAT campaigns employ a multi-stage infection chain that begins with malicious invoice emails, which lead victims to a malicious website that delivers a ZIP archive containing components for DLL sideloading and the final JanelaRAT payload.

One variant discussed, JanelaRAT version 33, masquerades as a legitimate pixel art app and uses a protected .NET obfuscation method. Its C2 communication runs over port 443 without TLS, and a decoy overlay system captures credentials. The researchers describe live banking session hijacking capabilities, including screenshots, keylogging, overlay windows, and forced system shutdown, along with anti-analysis checks to detect sandbox environments.
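One way a defender could flag the non-TLS traffic on port 443 described above is to check whether the first client bytes of each TCP session parse as a TLS ClientHello record. This is an added example, not code from the report; the function names, sample flows and addresses are constructed for illustration, and it assumes TCP flows only (QUIC on UDP 443 is out of scope).

```python
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
MAX_PLAINTEXT = 2 ** 14    # TLSPlaintext.length upper bound (RFC 5246 / RFC 8446)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes of a TCP flow parse as a TLS ClientHello record."""
    if len(payload) < 6:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if not 0 < rec_len <= MAX_PLAINTEXT:
        return False
    return payload[5] == CLIENT_HELLO


def flag_non_tls_443(flows):
    """flows: (src, dst, dport, first_client_payload) tuples from TCP sessions.
    Returns (src, dst) pairs where port 443 carried something other than TLS."""
    return [(src, dst) for src, dst, dport, data in flows
            if dport == 443 and data and not looks_like_tls_client_hello(data)]


# Constructed sample data (documentation IP ranges, made-up payloads).
TLS_HELLO = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
OPAQUE = bytes.fromhex("0000002a") + b"constructed-non-tls-bytes"
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 443, TLS_HELLO),             # normal HTTPS
    ("192.0.2.20", "203.0.113.5", 443, OPAQUE),                 # raw protocol on 443
    ("192.0.2.30", "198.51.100.9", 80, b"GET / HTTP/1.1\r\n"),  # not port 443
]

if __name__ == "__main__":
    for src, dst in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

A hit is a lead for triage rather than a verdict, since some legitimate software also sends non-TLS protocols over port 443.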

According to Kaspersky telemetry, in 2025 there were 14,739 JanelaRAT-related attacks in Brazil and 11,695 in Mexico, showing the threat’s continued focus on Latin American banking users. The report also notes that the threat actors rotate C2 infrastructure and frequently update infection chains to stay ahead of detections.


Article by CyberSIXT