JanelaRAT: Financial Malware Targeting Latin American Banks with Thousands of Attacks in 2025
Key Findings
JanelaRAT is a modified BX RAT variant targeting financial institutions across Latin America, with 14,739 recorded attacks in Brazil and 11,695 in Mexico during 2025
The malware uses a custom title bar detection mechanism to identify banking websites and execute fraudulent actions in real-time
Initial infection relies on phishing emails mimicking invoice notifications, leading to multi-stage infection chains using MSI installers and DLL side-loading
Recent campaigns have evolved to use MSI files as droppers, replacing earlier VBScript-based infection methods
Core functionality includes keystroke logging, screenshot capture, credential harvesting through fake overlays, and interactive command-and-control communications
Threat actors continuously update the malware with new obfuscation techniques and infection chain variations to evade detection
Background
JanelaRAT takes its name from the Portuguese word for "window" and has been actively targeting users since June 2023. First detected by Zscaler, it represents a significant evolution of the BX RAT family. The malware specifically focuses on stealing financial and cryptocurrency data from banks and financial institutions operating in Latin America, with particular emphasis on Chile, Colombia, Mexico, and Brazil.
Initial Infection Chain
Attack campaigns begin with phishing emails designed to appear as notifications about pending invoices. Recipients are tricked into clicking malicious links that download compressed files containing VBScripts, XML files, ZIP archives, and BAT files. These eventually lead to a final payload delivery mechanism.
The infection approach has evolved over time. Earlier variants used multiple stages with various script types, but more recent campaigns have shifted toward MSI installer files. These installers are sometimes hosted on seemingly legitimate platforms like GitLab, adding credibility to the delivery mechanism. The latest observed versions use orchestrating scripts written in Go, PowerShell, and batch commands to manage the unpacking process.
MSI Dropper and Installation
The MSI file functions as the initial dropper, designed to establish persistence while obfuscating its activities. It creates ActiveX objects to manipulate the file system and executes malicious commands. The dropper creates an LNK shortcut in the user's Startup folder that points to a renamed legitimate executable, ensuring the malware launches automatically upon system restart.
The dropper places two key files: the legitimate nevasca.exe executable and the PixelPaint.dll library, both renamed with random obfuscated strings. When executed, nevasca.exe loads the renamed PixelPaint.dll, which is actually JanelaRAT, so the malicious code runs inside a legitimate, signed host process (DLL side-loading). A first-run indicator file tells the dropper whether the infection is already established; if it is, the user is redirected to an external website displaying normal content as a decoy.
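As an added illustration, not code from the original article or its sources, the following Python shows how a defender might hunt for the two artifacts this section describes in Sysmon-style endpoint telemetry: a shortcut written into the user's Startup folder by an installer or script host, and an unsigned DLL loaded from the same user-writable directory as the process loading it. The event records, user names, paths and file names are constructed placeholders for this example, not indicators from the report; the field names follow Sysmon's schema (Event ID 11 FileCreate, Event ID 7 ImageLoad), which is assumed to be the log source.

```python
"""Hunt for Startup-folder LNK persistence and same-directory DLL side-loading
in Sysmon-style JSON events. Constructed example; not from the original report."""
import json
import ntpath  # handles Windows paths correctly even when run on Linux/macOS
from typing import Callable, Iterable, List, Optional

# Constructed Sysmon-style records. Every path and file name here is an invented
# placeholder, not an indicator of compromise from the JanelaRAT report.
SAMPLE_EVENTS = [
    # Event 11 (FileCreate): msiexec writes a shortcut into the Startup folder
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\qz81kd.lnk"},
    # Event 1 (ProcessCreate): the renamed host executable starts from %APPDATA%
    {"EventID": 1, "ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\k3f9x\\p0q2.exe"},
    # Event 7 (ImageLoad): unsigned DLL loaded from the host's own directory
    {"EventID": 7, "ProcessId": 4120,
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\k3f9x\\p0q2.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\k3f9x\\w7n1.dll",
     "Signed": "false"},
    # Benign noise: the same process loading a signed system DLL
    {"EventID": 7, "ProcessId": 4120,
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\k3f9x\\p0q2.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    # Benign noise: an installed application loading its own unsigned plugin
    {"EventID": 7, "ProcessId": 5200,
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "Signed": "false"},
    # Benign noise: the user pins a shortcut to Startup via Explorer
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\Notes.lnk"},
]

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Processes that a dropper, rather than an interactive user, would drive.
SCRIPT_HOSTS = {"msiexec.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe"}


def is_user_writable(path: str) -> bool:
    """True for locations a standard user can write to (heuristic)."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS) and "\\program files" not in p


def startup_lnk_from_installer(ev: dict) -> Optional[dict]:
    """Flag a .lnk created in the per-user Startup folder by an installer/script host."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith(".lnk") or STARTUP_MARKER not in target.lower():
        return None
    creator = ntpath.basename(ev.get("Image", "")).lower()
    if creator not in SCRIPT_HOSTS:
        return None
    return {"rule": "startup_lnk_from_installer", "creator": creator, "lnk": target}


def sideload_from_user_dir(ev: dict) -> Optional[dict]:
    """Flag an unsigned DLL loaded from the same user-writable directory as its host."""
    if ev.get("EventID") != 7:
        return None
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not is_user_writable(host):
        return None
    if ntpath.dirname(host).lower() != ntpath.dirname(dll).lower():
        return None
    if str(ev.get("Signed", "")).lower() != "false":
        return None
    return {"rule": "unsigned_dll_sideload_user_dir", "host": host, "dll": dll}


RULES: List[Callable[[dict], Optional[dict]]] = [startup_lnk_from_installer,
                                                 sideload_from_user_dir]


def hunt(events: Iterable[dict]) -> List[dict]:
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed sample, only the msiexec-written shortcut and the unsigned same-directory DLL load are reported; the signed system DLL, the Program Files plugin and the Explorer-created shortcut are left alone. Correlating the two rules on ProcessId or on the shortcut's resolved target would tighten the detection further in a real pipeline.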
The Malware Implant
JanelaRAT version 33 was observed masquerading as a legitimate pixel art application. Like other variants, it employs Eazfuscator or ConfuserEx obfuscators combined with Control Flow Flattening methods to render the code unreadable without deobfuscation.
Upon execution, the malware collects extensive system information including OS version, processor architecture, username, and machine name. It evaluates user privilege levels and assigns different identifiers for administrators, regular users, guests, and others. A mutex is created to prevent multiple instances from running simultaneously.
C2 Communication and Malicious Capabilities
The malware establishes TCP socket connections with command-and-control servers to register infections and maintain persistent communication. The core detection mechanism monitors the active window title bar against a hard-coded list of financial institutions. When a match occurs, the malware waits 12 seconds before opening a dedicated C2 channel and awaiting commands from operators.
Supported commands allow threat actors to send screenshots, crop and exfiltrate specific screen regions, display full-screen fake Windows update dialogs, harvest credentials through bank-themed overlays, capture keystrokes, simulate keyboard and mouse inputs, execute system commands via cmd.exe or PowerShell, manipulate Task Manager windows, and run forced shutdowns.
The malware monitors user inactivity by tracking elapsed time since the last input. If a machine remains inactive for more than 10 minutes, it notifies the C2 server. This capability allows threat actors to time operations when users are actively engaged with their systems.
Anti-Detection Features
All JanelaRAT samples encrypt the strings used for C2 communications and obfuscate embedded data. The malware includes detection mechanisms for sandbox and automation tools, and specifically flags the presence of anti-fraud systems. Together these features keep the malware's activity out of the user's view and let it adapt its behavior when security software is detected, making the threat particularly effective at evading traditional endpoint protection.
Sources
https://securelist.com/janelarat-financial-threat-in-latin-america/119332/
https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html
https://x.com/TheCyberSecHub/status/2043615524756812239
https://x.com/StopMalvertisin/status/2043622736270946515
https://www.linkedin.com/posts/the-cyber-security-hub_janelarat-a-financial-threat-targeting-users-activity-7449381209039605760-vxo5
https://www.reddit.com/r/SecOpsDaily/comments/1sk6cwb/janelarat_a_financial_threat_targeting_users_in/