Kaspersky GReAT researchers detected and analyzed a new version of JanelaRAT, which masqueraded as a legitimate pixel art application. Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with a specific focus on customers of financial institutions in Brazil and Mexico. In the new version, the attackers trick the victim into interacting with a customized overlay drawn on top of the real online banking interface, which lets them hijack the banking session. According to our telemetry, in 2025 there were 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.
JanelaRAT is a Remote Access Trojan, a heavily modified variant of the old BX RAT from 2014, that primarily targets users in Latin America, especially those in the banking, fintech and cryptocurrency sectors. The malware uses a multi-stage infection chain that starts with phishing emails carrying archives; the archives contain malicious VBS scripts that run once the user opens them.
JanelaRAT is deployed using the DLL sideloading technique. The malware monitors the victim's activity, intercepts sensitive banking interactions, and establishes an interactive channel to report changes to the attackers. The malware also tracks the user's presence and routine to time possible remote operations.
Decoy overlay system
The new version of JanelaRAT implements a special interactive tactic designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware displays a full-screen overlay window with an image sent by the attackers that mimics legitimate banking or system interfaces. The malware then blocks the victim's interaction by displaying dialog boxes dictated by the attackers. The actions in these dialog boxes correspond to specific operations, such as password capture, token/MFA capture, a fake loading screen, a fake full-screen Windows update modal and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.
“JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries. The new variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize visibility and adapt its behavior upon detection of anti-fraud software,” comments Maria Isabel Manjarrez, Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT).
Read the full report on Securelist.com to learn more about JanelaRAT and its indicators of compromise.
To stay safe Kaspersky recommends that users:
- Be cautious when opening or downloading files received via messengers or email, as they may execute malware.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you about and block infection attempts.
- Enable the 'show file extensions' option in the Windows settings. This makes it much easier to spot potentially malicious files. Trojans are executable programs, so treat files with extensions such as "exe", "vbs" and "scr" with suspicion. Cybercriminals may also stack several extensions (for example, "photo.jpg.exe") to masquerade a malicious file as a video, photo or document.
- Be careful with notifications sent by email. Cybercriminals often distribute fake messages that mimic notifications from an online store or a bank, luring the user to click a malicious link that delivers malware.
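The infection chain described at the top of this page (an archive attached to a phishing email, with a VBS script inside) and the advice above about hidden and stacked file extensions are the same problem seen from two sides. The following attachment-triage routine is an added example for this page, not Kaspersky's code: it flags script and executable extensions, recognises stacked extensions such as "Comprovante.pdf.vbs" that Explorer shows as "Comprovante.pdf" when extensions are hidden, and descends into zip archives so the script inside is judged by the same rule. The extension sets, the file names and the sample archive are constructed for the example.

```python
"""Attachment triage for the first stage of the chain (added example).

Flags runnable content by extension, detects stacked extensions, and looks
inside zip archives. Extension sets and sample data are this example's own.
"""
import io
import posixpath
import zipfile
from typing import List, Optional

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".msi", ".dll"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
                    ".png", ".mp4", ".txt"}


def risky_name(name: str) -> Optional[str]:
    """Return a reason if the file name denotes runnable content, else None."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS:
        return None
    # With 'hide extensions for known file types' on, Explorer shows
    # 'Comprovante.pdf.vbs' as 'Comprovante.pdf'.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"stacked extension: shown as .{parts[-2]} but runs as {ext}"
    return f"executable content ({ext})"


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment, descending into zip archives."""
    findings = []
    reason = risky_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = risky_name(info.filename)
                    if inner:
                        findings.append(f"{filename}!{info.filename}: {inner}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: not a valid zip archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive: a decoy text file plus a VBS with a stacked extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("leia-me.txt", "Segue o comprovante em anexo.\n")
        zf.writestr("Comprovante_Pagamento.pdf.vbs", 'MsgBox "placeholder"\n')
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for line in triage_attachment("Comprovante.zip", SAMPLE_ZIP):
        print(line)
```

Only plain zip archives are inspected here; a mail gateway would add RAR, 7z and ISO handling and treat an archive it cannot open as suspicious rather than clean, which is why an unreadable ".zip" is reported as a finding instead of being silently skipped.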
About the Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally, in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.