Back to Home

Trojan JanelaRAT steals banking data under the guise of updates

The JanelaRAT family poses a threat to banking customers in Brazil and Mexico, disguising itself as system updates. The trojan monitors browser windows, intercepts data, and uses full-screen overlays. In 2025, over 26 thousand attacks were recorded.

JanelaRAT: hidden trojan attacks banks in Brazil and Mexico
Advertisement 728x90

JanelaRAT: Trojan Disguises as Updates to Steal Financial Data

Financial trojans are evolving, utilizing fake system updates to intercept bank card data. The JanelaRAT family targets users in Latin America, tracking browser sessions and blocking interfaces under the guise of legitimate processes.

Distribution and Installation Mechanism

Infection occurs via phishing emails mimicking debt notifications. Links direct users to sites hosting archives containing MSI installers. These files deploy malware, masquerading it as Windows system components.

  • Autostart: Added to the registry to launch upon OS boot.
  • Obfuscation: Code encrypted using tools designed to evade antivirus software.
  • System Masking: Creation of files with neutral names and library loading.

After installation, the trojan analyzes the environment: determines access rights, collects system data, and establishes contact with C2 servers over port 443 without TLS.

Google AdInline article slot

Surveillance and Attack Functions

JanelaRAT monitors active browser windows, reacting to financial websites. The name reflects a focus on the Portuguese word "janela" (window), highlighting its method of detecting targets.

The program interferes with sessions:

  • Capturing keystrokes.
  • Taking screenshots.
  • Simulating mouse movements.
  • Blocking the system via forced shutdown.

A key element is fullscreen overlays mimicking bank interfaces or OS updates. These force users to enter credentials, tokens, and 2FA codes.

Google AdInline article slot

Geography and Threat Statistics

Attacks are concentrated in Brazil and Mexico. In 2025, over 14,000 incidents were recorded in Brazil and approximately 12,000 in Mexico. The trojan adapts to local banks, with regular updates to the target list.

C2 infrastructure is dynamic: servers change daily, and traffic is masked as HTTPS.

Threat Context and Consequences

Financial trojans like JanelaRAT reflect a trend of simplifying infection while complicating the payload. This increases attack success rates by 20–30% compared to earlier versions like BX RAT, thanks to autonomous window analysis.

Google AdInline article slot

Reasons for Success:

  • Growth of phishing in regions with high mobile banking penetration.
  • Lack of awareness regarding fake updates.
  • Adaptation to regional payment systems.

Consequences for the Industry:

Losses from data theft exceed billions of dollars annually in Latin America. Banks are strengthening multi-factor authentication and behavioral analysis, but users remain the weak link. Regulators are introducing traffic monitoring requirements, stimulating the development of AI detectors.

General context: In 2025, Latin America leads in financial fraud among emerging markets, with trojans accounting for 40% of cyber incidents.

Key Takeaways

  • JanelaRAT combines stealthy window monitoring with real-time session interference.
  • MSI installers simplify the infection chain, increasing attack conversion.
  • Dynamic C2 servers complicate infrastructure blocking.
  • Primary victims are clients of Brazilian and Mexican banks.
  • Evolution from BX RAT has enhanced targeting precision.

— Editorial Team

Advertisement 728x90

Read Next