JanelaRAT Malware Now Hijacking Banking Sessions of Users in Latin America: Research

Cybersecurity professionals at Kaspersky have uncovered a freshly updated version of the JanelaRAT malware, which is actively targeting online banking users throughout Latin America. Researchers from the company’s Global Research and Analysis Team (GReAT) identified the threat after it disguised itself as a harmless pixel-art program. This latest iteration builds on earlier campaigns, zeroing in on customers of major financial institutions in Brazil and Mexico.

Kaspersky also noted that JanelaRAT belongs to the family of Remote Access Trojans (RATs). It is a heavily customized descendant of the BX RAT first spotted back in 2014.

The malware’s creators have long focused on Latin American victims involved in banking, fintech, and cryptocurrency services. Attackers deliver it through a multi-stage process that typically begins with phishing messages.

These emails often contain archived files holding malicious Visual Basic Script (VBS) components.

Once opened, the malware installs itself using a technique known as DLL sideloading, allowing it to run quietly in the background.

What makes the new variant particularly dangerous is its ability to hijack live banking sessions rather than simply stealing passwords.

The trojan constantly watches the victim’s screen activity. When it detects a banking website or application window, it springs into action.

Attackers can push a custom full-screen overlay image that perfectly mimics the legitimate bank interface or even a Windows system screen.

This overlay blocks normal mouse and keyboard interaction while displaying fake dialog boxes.

These prompts can request passwords, one-time tokens, or multi-factor authentication codes. Other tricks include fake loading animations or full-screen “Windows update” warnings designed to distract users and keep them from noticing the deception.

The malware also adapts cleverly to multi-monitor setups, resizes its overlays, and hides legitimate windows to maintain the illusion.

It tracks user routines, waiting for moments of inactivity before launching remote commands.

This includes taking screenshots, logging keystrokes, simulating mouse clicks, and even shutting down the system if needed. All data flows back to the attackers through encrypted channels, giving them real-time control.

According to Kaspersky’s telemetry for 2025, the campaign generated 14,739 attack attempts in Brazil and 11,695 in Mexico.

These numbers highlight the persistent focus on the region’s growing digital banking sector.

Security researcher Maria Isabel Manjarrez of Kaspersky GReAT noted that the group behind JanelaRAT keeps refining both the malware and its delivery methods.

The latest changes add multiple communication paths, deeper system monitoring, and advanced anti-detection features that help it evade banking security tools.

To protect themselves, users should remain vigilant at all times and train themselves to avoid opening unexpected email attachments or files received through messaging apps. Enabling the display of file extensions in Windows settings can also help spot suspicious files ending in .exe, .vbs, or .scr.
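The extension check described above can also be applied to an archived attachment before anything is extracted. The following is an added example, not code from Kaspersky or from the article's author: it lists the members of a ZIP file and flags names ending in .exe, .vbs, or .scr, including double-extension names that look harmless when Windows hides extensions. The decoy-extension list, the function names, and the sample archive are assumptions constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article tells users to watch for.
RISKY = {".exe", ".vbs", ".scr"}
# Assumption: harmless-looking extensions often used as the visible "decoy"
# part of a name when Windows hides the real extension.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_name(name):
    """Return the reasons a file name deserves a closer look (empty if none)."""
    # Windows drops trailing spaces and dots from file names, so strip them first.
    cleaned = name.replace("\\", "/").rstrip(" .")
    suffixes = [s.lower() for s in PurePosixPath(cleaned).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in RISKY:
        reasons.append("risky-extension")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY:
            reasons.append("double-extension")
    return reasons


def scan_archive(data):
    """Map each flagged member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: member names and contents are invented for the demo."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in ("Fatura_2025.pdf.vbs", "docs/setup.exe", "pixel_art.png", "readme.txt"):
            archive.writestr(name, b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

The check reads only the archive's file listing, so nothing inside the attachment is opened or executed.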

A proper security solution with real-time protection is essential, as is skepticism toward urgent-looking bank or store notifications. By staying alert while using apps online and keeping their defenses up to date, individuals can reduce the risk of falling victim to these financial threats.


