JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that JanelaRAT, a Latin America-focused banking trojan derived from BX RAT, is actively targeting online banking and cryptocurrency users, with the heaviest activity in Brazil and Mexico and additional campaigns observed in Chile and Colombia. Kaspersky said it recorded 14,739 detections in Brazil and 11,695 in Mexico during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using MSI droppers, DLL sideloading, obfuscated .NET payloads, and persistence through Startup-folder LNK files. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software.
Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive TCP and HTTP command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and MFA tokens while suppressing user interaction.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publishes technical analysis of JanelaRAT's latest capabilities
Kaspersky detailed JanelaRAT's current functionality, including banking-session monitoring via browser window titles, interactive C2 communications, overlays for credential and MFA theft, keylogging, screenshots, and anti-analysis checks. The report also described dynamic DNS-based infrastructure and decoy banking and Windows update screens used to facilitate fraud.
Researchers identify newer MSI-based JanelaRAT infection chain
Researchers reported that newer JanelaRAT campaigns shifted from an earlier VBScript-and-ZIP delivery method to an MSI-based installer chain using DLL side-loading, Startup-folder persistence, and in some cases a malicious Chromium extension. This reflected an evolution in the malware's delivery and persistence techniques.
JanelaRAT conducts heavy banking malware activity in Brazil and Mexico during 2025
Throughout 2025, Kaspersky recorded substantial JanelaRAT activity aimed at financial users, including 14,739 detections in Brazil and 11,695 in Mexico. The campaigns targeted online banking and cryptocurrency users with phishing-led infection chains.
JanelaRAT activity begins as a modified BX RAT malware family
The new reference states JanelaRAT has been active since June 2023 and describes it as a modified version of BX RAT targeting financial and cryptocurrency data in Latin America. It also notes the malware uses custom browser title-bar detection to identify targeted banking and institutional websites.
KPMG observes JanelaRAT campaigns in Chile, Colombia, and Mexico
KPMG previously documented JanelaRAT activity targeting users in Chile, Colombia, and Mexico, indicating the banking trojan's expansion beyond a single country in Latin America. The reference does not provide a specific date for these observations.
Sources
5 references tracked.
Gurucul Community Portal (community.gurucul.com): JanelaRAT: A Financial Threat Targeting Users in Latin America
SC Media (scworld.com): JanelaRAT malware continues to target Latin American banks (brief)
Cyber Security News (cybersecuritynews.com): New Janela RAT Campaign Uses Fake MSI Installers and Malicious Browser Extensions to Steal Data
The Hacker News (thehackernews.com): JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025
Securelist (securelist.com): JanelaRAT targeting online banking users in Latin America