Kaspersky: New Version of JanelaRAT Hijacks Banking Sessions of Users in Latin America

Kaspersky announced that its GReAT researchers detected and analyzed a new version of JanelaRAT, which masqueraded as a legitimate pixel art application. Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with a specific focus on users of financial institutions in Brazil and Mexico. With the new version of the malware, the attackers manipulate the user into interacting with a customized overlay screen on top of the real online banking interface and thus initiate banking session hijacking. According to our telemetry, in 2025 there were 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.

JanelaRAT is a Remote Access Trojan, a heavily modified variant of the old BX RAT from 2014, that primarily targets users in Latin America, especially those in the banking, fintech and cryptocurrency sectors. The malware employs a multi-stage infection chain that starts with phishing emails carrying archives with malicious VBS scripts, which are subsequently opened by users. JanelaRAT is deployed using the DLL sideloading technique. The malware monitors the victim's activity, intercepts sensitive banking interactions, and establishes an interactive channel to report changes to the attackers. The malware also tracks the user's presence and routine to time possible remote operations.

Decoy overlay system

The new version of JanelaRAT implements a special interactive tactic designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware displays a full-screen overlay window with an image sent by the attackers mimicking legitimate banking or system interfaces. The malware then blocks the victim's interaction by displaying dialog boxes that are dictated by the attackers. The actions in these dialog boxes correspond to specific operations, such as password capture, token/MFA capture, a fake loading screen, a fake full-screen Windows update modal and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.

"JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries. The new variant represents a significant advancement in the actor's capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize visibility and adapt its behavior upon detection of anti-fraud software," comments Maria Isabel Manjarrez, Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT).

To stay safe Kaspersky recommends that users:
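The decoy-overlay behaviour described above (a full-screen, always-on-top window from an unrelated process appearing shortly after a banking window is in use, on any of several monitors) is something an endpoint sensor can look for. The following detector is an added illustration, not Kaspersky's code or a description of JanelaRAT's implementation: it runs the heuristic over a constructed stream of window events. The event fields, the monitor layout, the browser and banking-keyword watch-lists and the 15-second time window are all assumptions chosen for the example.

```python
"""Heuristic detector for the decoy-overlay pattern.

Added example, not Kaspersky's code. The event stream below is constructed
to resemble what a window-tracking sensor might emit; field names, monitor
layout, watch-lists and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed display layout: two 1920x1080 monitors side by side (constructed).
MONITORS = [(0, 0, 1920, 1080), (1920, 0, 1920, 1080)]

# Assumed watch-lists: browser image names and title keywords for banking sites.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
BANKING_KEYWORDS = ("internet banking", "banco", "bank")

# An overlay must appear this soon after a banking window got focus (assumption).
OVERLAY_WINDOW_SECS = 15.0


@dataclass
class WindowEvent:
    ts: float        # seconds on a constructed timeline
    kind: str        # "focus" (window gained focus) or "create" (new top-level window)
    process: str     # image name of the owning process
    title: str       # window title
    x: int           # window geometry in virtual-screen coordinates
    y: int
    w: int
    h: int
    topmost: bool    # always-on-top flag (WS_EX_TOPMOST-style)


@dataclass
class Alert:
    ts: float
    process: str
    title: str
    banking_title: str
    delay: float     # seconds between banking focus and overlay creation


def covers_a_monitor(e: WindowEvent, slack: int = 8) -> bool:
    """True if the window spans at least one whole monitor (with a few px slack)."""
    for mx, my, mw, mh in MONITORS:
        if (e.x <= mx + slack and e.y <= my + slack
                and e.x + e.w >= mx + mw - slack
                and e.y + e.h >= my + mh - slack):
            return True
    return False


def is_banking_window(e: WindowEvent) -> bool:
    """A browser window whose title matches the banking watch-list."""
    title = e.title.lower()
    return e.process.lower() in BROWSERS and any(k in title for k in BANKING_KEYWORDS)


def detect_overlays(events: Iterable[WindowEvent]) -> List[Alert]:
    """Flag full-screen, always-on-top windows created by another process
    shortly after a banking window received focus."""
    alerts: List[Alert] = []
    last_banking: Optional[WindowEvent] = None
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "focus":
            # Only a banking window opens the detection window; any other focus closes it.
            last_banking = e if is_banking_window(e) else None
            continue
        if e.kind != "create" or last_banking is None:
            continue
        delay = e.ts - last_banking.ts
        if (delay <= OVERLAY_WINDOW_SECS
                and e.topmost
                and covers_a_monitor(e)
                and e.process.lower() != last_banking.process.lower()):
            alerts.append(Alert(e.ts, e.process, e.title, last_banking.title, delay))
    return alerts


# Constructed sample timeline (process names and titles are invented).
SAMPLE_EVENTS = [
    WindowEvent(100.0, "focus", "chrome.exe", "Banco Exemplo - Internet Banking", 200, 100, 1400, 900, False),
    # Ordinary browser "Save as" dialog: small and not topmost, so benign.
    WindowEvent(101.5, "create", "chrome.exe", "Salvar como", 600, 300, 700, 500, False),
    # Full-screen always-on-top window from an unrelated process 3 s later: overlay pattern.
    WindowEvent(103.0, "create", "updater.exe", "Atualizando o Windows", 0, 0, 1920, 1080, True),
    # Same pattern covering the second monitor.
    WindowEvent(104.0, "create", "updater.exe", "Aguarde...", 1920, 0, 1920, 1080, True),
    # User later switches to a non-banking app; a full-screen game is not flagged.
    WindowEvent(300.0, "focus", "explorer.exe", "Documents", 0, 0, 800, 600, False),
    WindowEvent(302.0, "create", "game.exe", "Game", 0, 0, 1920, 1080, True),
]


if __name__ == "__main__":
    for a in detect_overlays(SAMPLE_EVENTS):
        print(f"[{a.ts:.1f}s] overlay from {a.process} ({a.title!r}) "
              f"{a.delay:.1f}s after banking window {a.banking_title!r}")
```

Run stand-alone, the script prints two alerts for the constructed timeline, both attributed to `updater.exe`. The process-mismatch test is what separates a browser's own full-screen mode from an overlay drawn by a different process, and checking each monitor separately reflects the multi-screen behaviour noted above; in a real sensor the watch-lists would come from the institution's allow-list rather than a hard-coded tuple.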
Source: Kaspersky media announcement