Executive Summary
In 2025, Latin American financial institutions, particularly in Brazil and Mexico, faced a significant surge in cyber threats, notably from the JanelaRAT malware. This sophisticated malware, a modified variant of the BX RAT trojan, was designed to steal financial and cryptocurrency data by capturing window titles, tracking mouse inputs, logging keystrokes, taking screenshots, and collecting system metadata. The attackers employed DLL side-loading techniques to evade detection, leveraging legitimate executables to load the malicious payload. The campaign's focus on Latin American banks underscores the region's growing vulnerability to targeted cyber attacks. (thehackernews.com)
The rise of JanelaRAT coincided with a broader increase in cyber threats across Latin America. Reports indicated a 155% increase in social engineering scams and a 225% rise in malware attacks in 2025. (biocatch.com) This trend highlights the evolving tactics of cybercriminals who are increasingly targeting financial institutions in the region, emphasizing the urgent need for enhanced cybersecurity measures and cross-institution collaboration to mitigate these threats.
Why This Matters Now
The emergence of JanelaRAT and the significant uptick in cyber attacks against Latin American financial institutions in 2025 underscore the region's escalating cybersecurity challenges. As cybercriminals refine their tactics, leveraging sophisticated malware like JanelaRAT, it is imperative for financial institutions to bolster their defenses, implement advanced threat detection systems, and foster collaboration to effectively combat these evolving threats.
Attack Path Analysis
The JanelaRAT malware campaign targeting Latin American financial institutions unfolds through a multi-stage attack. Initially, adversaries deliver a ZIP archive containing a malicious Visual Basic Script (VBScript) to the victim, likely via phishing emails. Upon execution, the VBScript downloads additional payloads and employs DLL side-loading techniques to evade detection. The malware then establishes persistence on the system, potentially escalating privileges to maintain control. Subsequently, JanelaRAT monitors user activities, capturing sensitive financial and cryptocurrency data through keylogging, screenshot capture, and mouse input tracking. The collected data is exfiltrated to the attacker's command and control (C2) server, enabling further exploitation. Finally, the adversary may leverage the compromised system to launch additional attacks or sell the harvested data, impacting the victim's financial security.
Kill Chain Progression
Initial Compromise
Description
Adversaries deliver a ZIP archive containing a malicious VBScript to the victim, likely via phishing emails.
MITRE ATT&CK® Techniques
- User Execution
- Masquerading
- Obfuscated Files or Information
- Process Injection
- Screen Capture
- Keylogging
- File and Directory Discovery
- Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of JanelaRAT infostealer with 14,739 attacks in Brazil, requiring encrypted traffic and egress security to prevent financial data exfiltration.
Financial Services
High exposure to cryptocurrency and financial data theft through keylogging and screenshots, necessitating zero trust segmentation and anomaly detection capabilities.
Computer/Network Security
Critical need for threat detection capabilities against Latin American banking malware, requiring multicloud visibility and inline IPS protection for client networks.
Information Technology/IT
Essential role in implementing cloud firewall and Kubernetes security measures to protect financial sector clients from remote access tool infiltration.
Sources
- JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025: https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html
- New Financial Malware 'JanelaRAT' Targets Latin American Users: https://thehackernews.com/2023/08/new-financial-malware-janelarat-targets.html
- JanelaRAT Version 33: Evolving Latin American Banking Trojan with Advanced Overlay and Session Hijacking Capabilities: https://threat.cstromblad.com/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the JanelaRAT incident as it could likely limit the malware's ability to move laterally, establish command and control channels, and exfiltrate sensitive data, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial delivery of the malicious VBScript may not be directly constrained by CNSF, as it primarily focuses on internal network segmentation and control.
Control: Zero Trust Segmentation
Mitigation: By implementing Zero Trust Segmentation, CNSF could likely limit the malware's ability to escalate privileges by restricting access to critical systems and services.
Control: East-West Traffic Security
Mitigation: CNSF's East-West Traffic Security could likely constrain the malware's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: With Multicloud Visibility & Control, CNSF could likely detect and limit unauthorized outbound communications to external C2 servers.
Control: Egress Security & Policy Enforcement
Mitigation: CNSF's Egress Security & Policy Enforcement could likely restrict unauthorized data exfiltration by controlling outbound data flows.
By limiting lateral movement and data exfiltration, CNSF could likely reduce the overall impact of the attack, potentially preventing further exploitation and financial loss.
Impact at a Glance
Affected Business Functions
- Online Banking Services
- Customer Account Management
- Financial Transactions Processing
Estimated downtime: 7 days
Estimated loss: $500,000
Sensitive financial and personal data of customers, including account credentials and transaction histories.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced email filtering and user training to mitigate phishing attacks.
- Deploy endpoint detection and response (EDR) solutions to identify and block malicious scripts and DLL side-loading attempts.
- Utilize network segmentation and least privilege access controls to limit lateral movement opportunities.
- Monitor network traffic for unusual outbound connections to detect and block unauthorized data exfiltration.
- Regularly update and patch systems to address vulnerabilities exploited by malware like JanelaRAT.