Janela RAT campaign uses fake installers and browser abuse to target Latin American banking users


Janela RAT has returned in a new form, and the latest version looks more refined than earlier campaigns. Security researchers say the malware now uses a multi-stage infection chain that can include MSI installers, DLL sideloading, browser monitoring, and deceptive overlays designed to steal banking data and other sensitive information from users in Latin America.

The campaign targets financial activity, not random browsing. Kaspersky says JanelaRAT primarily targets banking users in Latin America, with a specific focus on users tied to financial institutions in Brazil and Mexico, while Securelist says the malware looks for financial and cryptocurrency data from selected banks and institutions across the region.

This matters because the malware does more than steal passwords from disk. Researchers say newer JanelaRAT variants can monitor browser activity, detect when a victim opens a banking page, and then place fake screens or prompts over the real interface to capture passwords, tokens, and even multi-factor authentication data during a live session.

How the infection chain works

According to Kaspersky, JanelaRAT campaigns usually begin with phishing emails that push victims toward malicious downloads. Securelist says older infection chains often used archives containing VBScripts, XML files, ZIP archives, and BAT files, while the latest observed campaign evolved to include MSI files that help deliver the final payload with fewer steps.

Securelist says the MSI file acts as an initial dropper. It installs the implant, sets up persistence, obscures file names and paths, creates startup items, and can redirect the victim to an external site as a decoy so the infection appears harmless.

From there, the malware relies on DLL sideloading. Kaspersky says the latest campaign used an MSI package to deliver a legitimate PE32 executable and a DLL, with the DLL actually serving as JanelaRAT. That approach helps the malware blend into normal software behavior and makes the chain harder to spot during a quick review.
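One way to hunt for the shape described above (a startup item that launches a legitimate-looking executable from a user-writable path with an unsigned DLL beside it), as an added example that is not Kaspersky's or Securelist's code; the registry keys and folders are standard Windows locations and the signature check is a generic heuristic, not an indicator from the reports.

```powershell
# Added example (not Kaspersky or Securelist code): hunt for the sideloading
# shape described above, a startup entry that launches a legitimate-looking EXE
# from a user-writable path with an unsigned DLL beside it. The paths and
# registry keys are standard Windows locations, not indicators from the reports.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
# Directories an unprivileged MSI dropper can write to.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

function Get-AutorunTargets {
    $targets = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an entry
            # The first token ending in .exe is the launched binary.
            if ("$($p.Value)" -match '^"?([^"]+?\.exe)"?') { $targets += $Matches[1] }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk') {
            $exe = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($exe -like '*.exe') { $targets += $exe }
        }
    }
    $targets | Sort-Object -Unique
}

function Test-SideloadCandidate {
    param([string]$ExePath)
    if (-not (Test-Path $ExePath)) { return }
    $dir = Split-Path $ExePath -Parent
    if (-not ($userWritable | Where-Object { $dir -like "$_*" })) { return }
    $exeSig = Get-AuthenticodeSignature -FilePath $ExePath
    # A validly signed EXE next to DLLs with no valid signature is the pattern worth reviewing.
    $dlls = Get-ChildItem -Path $dir -Filter '*.dll' | Where-Object {
        (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
    }
    if ($exeSig.Status -eq 'Valid' -and $dlls) {
        [pscustomobject]@{ Exe = $ExePath; Signer = $exeSig.SignerCertificate.Subject; UnsignedDlls = @($dlls.Name) }
    }
}

Get-AutorunTargets | ForEach-Object { Test-SideloadCandidate $_ } | Format-List
```

A hit is a starting point for review, not a verdict: some legitimate software also ships unsigned helper DLLs in AppData, so compare the signer and the DLL names against what the product is supposed to install.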

Why this version is more dangerous

The biggest shift in this campaign is how JanelaRAT interacts with the victim after infection. Kaspersky says the new variant can display customized full-screen overlay windows on top of real banking pages, then guide the victim through fake prompts that capture credentials, MFA tokens, and other inputs while the real banking session remains active underneath.

Researchers also say JanelaRAT does not behave like a simple smash-and-grab trojan. Kaspersky describes it as an active and evolving threat with multiple communication channels, broad victim monitoring, remote-control features, and behavior designed to reduce visibility, especially when anti-fraud tools are present.

Securelist adds that threat actors behind JanelaRAT keep changing both the malware and the infection chain over time. That means defenders should not treat this as a one-off signature problem. They need to expect constant small changes in delivery methods, helper files, and lure formats.

What the latest research shows

Item                                          What researchers found
Malware family                                JanelaRAT, a modified BX RAT variant
Main target                                   Banking and financial users in Latin America
Recent delivery method                        Phishing-led infection chain with MSI-based delivery in recent campaigns
Execution technique                           DLL sideloading
Main objective                                Steal financial data, credentials, session data, and MFA input
Notable behavior                              Fake overlays placed on top of real banking pages
Countries specifically cited in fresh reporting   Brazil and Mexico

Sources: Kaspersky and Securelist.

What organizations and users should do now

  • Treat unexpected MSI installers, archived scripts, and banking-themed downloads as high risk.
  • Show file name extensions in Windows so users can better spot suspicious file types such as .exe, .vbs, and .scr. Microsoft documents how to enable this in File Explorer, and Kaspersky specifically recommends showing file extensions as a defense step.
  • Restrict browser extension installation in managed environments. Google documents enterprise policies for extension allowlisting and blocklisting, which can reduce the chance of unauthorized or rogue extensions loading in corporate browsers.
  • Standardize and harden browser settings. CISA recommends securing browsers and limiting risky content paths because browser-based abuse remains a common entry and data-theft channel.
  • Report malicious hosting quickly. GitLab documents abuse-reporting options for suspicious profiles, projects, and content, including direct reporting to its Trust and Safety team.
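The two configuration steps above (showing file extensions and allowlisting browser extensions) applied and verified from an elevated PowerShell session, as an added example that is not code from Kaspersky, Securelist, Microsoft or Google; it assumes the documented HideFileExt Explorer value and the Chrome ExtensionInstallBlocklist/ExtensionInstallAllowlist policy keys, and the extension ID at the bottom is a placeholder to replace with the IDs the organization approves.

```powershell
# Added example (not code from Kaspersky, Securelist, Microsoft or Google):
# apply two of the steps above and verify them. HideFileExt and the Chrome
# ExtensionInstallBlocklist/Allowlist policies are the documented registry
# locations; the extension ID passed at the bottom is a placeholder.

function Enable-FileExtensionDisplay {
    # Explorer hides known extensions when HideFileExt is 1; 0 shows them.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    # Takes effect for new Explorer windows after Explorer restarts or the user signs in again.
}

function Set-ChromeExtensionAllowlist {
    param([string[]]$AllowedExtensionIds)   # IDs chosen by the administrator
    # Machine-wide Chrome policy lives under HKLM, so this needs an elevated shell.
    $base  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $block = Join-Path $base 'ExtensionInstallBlocklist'
    $allow = Join-Path $base 'ExtensionInstallAllowlist'
    foreach ($k in @($block, $allow)) {
        # Start from a clean list so stale entries from earlier policy do not linger.
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
        New-Item -Path $k -Force | Out-Null
    }
    # "*" blocks every extension; the allowlist then re-enables only the approved IDs.
    New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String | Out-Null
    $i = 1
    foreach ($id in $AllowedExtensionIds) {
        New-ItemProperty -Path $allow -Name "$i" -Value $id -PropertyType String | Out-Null
        $i++
    }
}

function Test-BrowserHardening {
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $blk = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FileExtensionsShown           = ($adv.HideFileExt -eq 0)
        ChromeExtensionsDenyByDefault = ($null -ne $blk -and $blk.'1' -eq '*')
    }
}

Enable-FileExtensionDisplay
Set-ChromeExtensionAllowlist -AllowedExtensionIds @('<approved-extension-id-placeholder>')
Test-BrowserHardening
```

In a domain, the same two settings are normally pushed through Group Policy rather than per-machine scripts; the registry values written here are what those policies set, so the Test-BrowserHardening check works either way.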

FAQ

What is Janela RAT?

JanelaRAT is a remote access trojan that researchers describe as a modified version of BX RAT. It targets financial users in Latin America and has evolved to support browser monitoring, overlay-based credential theft, and remote attacker interaction.

How does the latest campaign infect victims?

Recent reporting says the campaign starts with phishing and malicious downloads, then uses MSI-based delivery and DLL sideloading to install the malware. Older chains also used VBScripts, ZIP archives, BAT files, and other helper components.

Why are fake overlays such a problem?

Because they can appear on top of a legitimate banking session and trick users into entering passwords, tokens, or MFA codes into attacker-controlled prompts while they believe they are interacting with their bank.

Which users face the highest risk?

The clearest risk falls on banking and financial users in Latin America, especially in Brazil and Mexico based on the latest Kaspersky reporting. Securelist also says the malware seeks financial and cryptocurrency data from targeted institutions in the region.
