Janela RAT
Janela RAT is a remote access trojan used in an active malware campaign targeting financial institutions, fintech firms, and cryptocurrency platforms across Latin America, particularly in Chile, Colombia, and Mexico. First identified in mid-2023, it is assessed to be a modified variant of BX RAT and is associated with financially motivated operators seeking to steal credentials and gain unauthorized access to accounts.
The infection chain begins when a victim executes a malicious MSI installer disguised as legitimate software and hosted on public GitLab repositories. The installer launches a multi-stage sequence involving Go, PowerShell, and batch scripts. A Go-based unpacker extracts a password-protected ZIP archive, decodes base64-encoded command-and-control domain details, and writes the decoded C2 information into a config.json file. The malware then scans the host for Chromium-based browsers and modifies browser startup settings to silently load a malicious extension.
The browser extension registers as a native messaging host and uses a built-in function called CollectRefresh to gather system details, browser cookies, saved credentials, browsing history, installed extensions, and open tab information. It monitors for specific URL patterns, including banking and cryptocurrency login pages, and can trigger additional RAT actions when those patterns are matched. This enables theft of browser data that can support account takeover, bypass authentication steps, and monitor financial activity and live transactions.
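The native messaging host registration described above is an auditable artefact. The script below is an added example, not code from this page or from Mallory, that checks Chromium native messaging host manifests (Chromium's documented manifest format) for signs worth triaging: a host binary under a user-writable path, or an allowed extension ID outside an allowlist. The allowlist, the path patterns and the embedded sample manifests are constructed assumptions.

```python
# Added example (not from the page): audit Chromium native messaging host
# manifests, the registration point used by the extension described above.
# Manifest locations, the allowlist and the sample manifests are assumptions.
import json
import re

# Constructed sample manifests; none of these values are real IoCs.
SAMPLE_MANIFESTS = {
    "com.example.bridge.json": json.dumps({
        "name": "com.example.bridge", "type": "stdio",
        "path": "C:\\Program Files\\Vendor\\bridge.exe",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]}),
    "com.update.helper.json": json.dumps({
        "name": "com.update.helper", "type": "stdio",
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"]}),
}
TRUSTED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # assumed organisational allowlist
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")  # Chrome IDs are 32 chars a-p

def audit_manifest(raw):
    """Return findings for one manifest (an empty list means nothing suspicious)."""
    findings = []
    try:
        m = json.loads(raw)
    except json.JSONDecodeError:
        return ["unparseable manifest"]
    for key in ("name", "path", "type", "allowed_origins"):
        if key not in m:
            findings.append("missing field: " + key)
    if m.get("type") != "stdio":
        findings.append("unexpected host type: %r" % m.get("type"))
    path = m.get("path", "")
    if USER_WRITABLE.search(path):  # host binary dropped where any user can write
        findings.append("host binary in user-writable location: " + path)
    for origin in m.get("allowed_origins", []):
        match = EXT_ORIGIN.match(origin)
        if not match:
            findings.append("malformed origin: " + origin)
        elif match.group(1) not in TRUSTED_EXTENSIONS:
            findings.append("untrusted extension id: " + match.group(1))
    return findings

def audit_all(manifests):
    """Map each manifest file name to its findings, keeping only flagged ones."""
    results = {name: audit_manifest(raw) for name, raw in manifests.items()}
    return {name: f for name, f in results.items() if f}
```

On a real host, feed `audit_all` the manifest files from the browser's NativeMessagingHosts directory (or the paths recorded under the NativeMessagingHosts registry key on Windows) and review every flagged entry alongside the extension it names.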
Janela RAT communicates with attacker-controlled infrastructure over encrypted WebSocket connections and uses obfuscated, base64-encoded domains for C2. It also rotates C2 addresses dynamically and remains quiet during idle periods to reduce behavioral detection. KPMG analysts described the campaign as an advanced multi-stage threat and assessed it as a significant risk to Latin America’s financial infrastructure.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
  Once executed, the installer quietly triggers a chain of scripts written in Go, PowerShell, and batch, each playing a specific role in setting up the full attack.
Persistence (2 techniques)
Stealth (2 techniques)
Defense Impairment (1 technique)
Credential Access (2 techniques)
Collection (2 techniques)
  This extension registers itself as a native messaging host and uses a built-in function called CollectRefresh to collect a wide range of sensitive data — including system details, browser cookies, browsing history, installed extensions, and open tab information.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Remote access trojan used to infiltrate systems via fake MSI installers and malicious browser extensions, steal financial data, harvest cookies and saved credentials, monitor browsing activity, hijack Chromium-based browsers, and communicate with attacker-controlled servers over encrypted WebSocket C2 channels.
RAT distributed in a campaign that also checks for Chromium browsers to install a data-stealing browser extension.