Kaspersky GReAT researchers detail the latest JanelaRAT campaign, a financial RAT targeting online banking users in Brazil and Mexico. The malware, a modified BX RAT variant active since 2023, uses a multi-stage infection chain starting with phishing emails, progressing through VBScripts, ZIP archives, and MSI droppers that perform DLL sideloading to deploy the final payload. Version 33 of JanelaRAT is obfuscated with Eazfuscator, uses AES/Rijndael string encryption, and features daily C2 domain rotation via dynamic DNS. Key capabilities include window title monitoring to detect banking sessions, full-screen overlay injection to harvest credentials and bypass MFA, keylogging, mouse simulation, screenshot exfiltration, live session hijacking, and anti-analysis sandbox detection. In 2025, Kaspersky telemetry recorded over 14,700 attacks in Brazil and 11,700 in Mexico. Defenders are advised to block dynamic DNS services at the network perimeter.
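The closing recommendation, blocking dynamic DNS at the perimeter, is easiest to act on if the DNS logs already show which hosts resolve names under dynamic DNS providers and whether those names rotate, as the summary says JanelaRAT's C2 domains do daily. The following is an added example written for this page, not code from Kaspersky or the Securelist article: it parses a constructed DNS query log, flags lookups under an illustrative (assumed) list of dynamic DNS apex domains, and reports clients that resolved several distinct names under the same apex. The suffix list and the `timestamp client qname` log format are assumptions; a real deployment would substitute its own curated provider list and resolver log format.

```python
"""Flag dynamic DNS lookups in a DNS query log and spot rotating names.

Added example for the JanelaRAT summary; not the article's or Kaspersky's code.
Assumes a simplified log format of "timestamp client qname" per line.
"""
import re
from collections import defaultdict

# Illustrative dynamic DNS apex domains (assumption: the article does not
# enumerate the providers involved; replace with your own curated list).
DYNAMIC_DNS_SUFFIXES = (
    "ddns.net",
    "duckdns.org",
    "dynu.net",
    "no-ip.org",
)

# Constructed sample log: one client resolves three different names under the
# same dynamic DNS apex across two days, which is the rotation pattern to catch.
SAMPLE_DNS_LOG = """\
2025-03-01T09:12:01Z 10.0.5.23 update.microsoft.com
2025-03-01T09:13:44Z 10.0.5.23 foo-01.ddns.net
2025-03-01T18:02:10Z 10.0.5.23 foo-02.ddns.net
2025-03-02T08:55:31Z 10.0.5.23 foo-03.ddns.net
2025-03-02T10:11:00Z 10.0.7.9 www.example.com
2025-03-02T10:11:30Z 10.0.7.9 homecam.duckdns.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_dynamic_dns(qname):
    """Return the matching dynamic DNS apex for qname, or None.

    Matches the apex itself or any subdomain of it; a name that merely ends
    with the same characters (e.g. "notddns.net") does not match.
    """
    name = qname.lower().rstrip(".")
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_dynamic_dns_queries(text):
    """Return every lookup under a dynamic DNS apex as (ts, client, qname, apex)."""
    hits = []
    for ts, client, qname in parse_log(text):
        apex = is_dynamic_dns(qname)
        if apex:
            hits.append((ts, client, qname, apex))
    return hits


def rotating_hosts(hits, min_distinct=2):
    """Group hits by (client, apex); keep clients with >= min_distinct names.

    A single dynamic DNS lookup may be benign; several distinct names under one
    apex from the same client is closer to the daily rotation described above.
    """
    seen = defaultdict(set)
    for _ts, client, qname, apex in hits:
        seen[(client, apex)].add(qname.lower())
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    found = find_dynamic_dns_queries(SAMPLE_DNS_LOG)
    for ts, client, qname, apex in found:
        print(f"{ts} {client} -> {qname} (dynamic DNS: {apex})")
    for (client, apex), names in rotating_hosts(found).items():
        print(f"ROTATION {client} under {apex}: {', '.join(names)}")
```

Feeding the script a resolver export with the same three fields per line gives a list of hosts to investigate and a candidate block list entry per apex; the rotation report is the higher-signal finding, since it separates a single dynamic DNS lookup from the repeated fresh-name pattern the summary attributes to the C2 channel.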

From securelist.com (11 min read)