thehackernews.com 4/13/2026, 7:50:32 PM

JanelaRAT Uses MSI Installers to Hit Latin American Banks

JanelaRAT is a malware family that targets banks and financial institutions in Latin America. It is a modified variant of BX RAT capable of stealing financial and cryptocurrency data, tracking mouse inputs, logging keystrokes, taking screenshots, and collecting system metadata. According to Kaspersky, it uses a custom title bar detection mechanism to identify the websites open in victims’ browsers and perform malicious actions, while the threat actors continually update the infection chain and malware versions with new features.

Telemetry from a Russian cybersecurity vendor shows up to 14,739 attacks in Brazil in 2025 and 11,695 in Mexico, though it remains unclear how many of these resulted in successful compromises. JanelaRAT was first detected in the wild by Zscaler in June 2023, and attacks have evolved from VBScript dropper methods to MSI installers that use DLL side-loading, with persistence via a Windows Startup shortcut.

KPMG reported in July 2025 that campaigns are distributed through rogue MSI installers masquerading as legitimate software hosted on platforms like GitLab. The malware establishes a C2 channel after a 12‑second delay once the active window matches a target, enabling commands such as screenshot exfiltration, full-screen overlays to harvest credentials, keystroke capture, and remote control operations.
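For defenders, the chain described above (MSI install, then DLL side-loading, then a Startup shortcut) can be hunted by correlating endpoint events. The following is an added example, not code from the article or any vendor: it assumes simplified Sysmon-style records (event IDs 1, 7 and 11), and the field names, the 10-minute window and all sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed values: path fragments and correlation window are illustrative.
STARTUP = r"\microsoft\windows\start menu\programs\startup" + "\\"
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\programdata\\", "\\temp\\")
WINDOW = timedelta(minutes=10)

# Constructed events (1 = process create, 7 = image load, 11 = file create).
SAMPLE = [
    {"host": "WS01", "time": "2025-07-01T10:00:00", "id": 1,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\a\Downloads\setup.msi"'},
    {"host": "WS01", "time": "2025-07-01T10:00:20", "id": 7,
     "image": r"C:\Users\a\AppData\Local\App\app.exe",
     "loaded": r"C:\Users\a\AppData\Local\App\helper.dll", "dll_signed": False},
    {"host": "WS01", "time": "2025-07-01T10:00:25", "id": 11,
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\app.lnk"},
    {"host": "WS02", "time": "2025-07-01T11:00:00", "id": 1,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\b\Downloads\tool.msi"'},
    {"host": "WS02", "time": "2025-07-01T11:00:30", "id": 7,
     "image": r"C:\Program Files\Tool\tool.exe",
     "loaded": r"C:\Program Files\Tool\tool.dll", "dll_signed": True},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def hunt(events):
    """Map host -> reasons where an MSI install is followed, within WINDOW,
    by both a Startup-folder .lnk and an unsigned same-directory DLL load."""
    hits = {}
    installs = [e for e in events if e["id"] == 1
                and e["image"].lower().endswith("\\msiexec.exe")
                and ".msi" in e["cmdline"].lower()]
    for inst in installs:
        reasons = set()
        for e in events:
            delta = _ts(e) - _ts(inst)
            if e["host"] != inst["host"] or not timedelta(0) <= delta <= WINDOW:
                continue
            if e["id"] == 11 and STARTUP in e["target"].lower() \
                    and e["target"].lower().endswith(".lnk"):
                reasons.add("startup_shortcut")
            if e["id"] == 7 and not e["dll_signed"]:
                exe_dir = e["image"].lower().rsplit("\\", 1)[0]
                dll_dir = e["loaded"].lower().rsplit("\\", 1)[0]
                if exe_dir == dll_dir and any(p in dll_dir + "\\" for p in USER_WRITABLE):
                    reasons.add("dll_sideload")
        if {"startup_shortcut", "dll_sideload"} <= reasons:
            hits[inst["host"]] = sorted(reasons)
    return hits
```

Requiring both signals after the install keeps ordinary MSI deployments, such as the signed load on WS02, out of the results.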

Article by CyberSIXT