Banks and financial institutions in Latin American countries such as Brazil and Mexico have been the targets of a malware family called JanelaRAT.
A modified version of the BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial institutions, as well as track mouse input, log keystrokes, take screenshots, and collect system metadata.
“A key difference between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and take malicious action,” Kaspersky said in a report published today. “The threat actors behind JanelaRAT campaigns constantly update infection chains and malware versions by adding new features.”
Telemetry data collected by the Russian cybersecurity vendor shows that 14,739 attacks were recorded in Brazil and 11,695 in Mexico in 2025. It is not yet known how many of these resulted in successful compromises.
First detected in the wild by Zscaler in June 2023, JanelaRAT takes advantage of ZIP archives containing Visual Basic Script (VBScript) to download a second ZIP file, which, in turn, comes with a legitimate executable and a DLL payload. The final stage uses DLL side-loading to launch the Trojan.
In a later analysis published in July 2025, KPMG said the malware is distributed through fake MSI installer files disguised as legitimate software hosted on trusted platforms such as GitLab. The attacks involving the malware mainly targeted Chile, Colombia and Mexico.
“Upon execution, the installer begins a multi-step infection process using orchestrating scripts written in Go, PowerShell, and Batch,” KPMG noted at the time. “These scripts unpack a zip archive that contains the RAT executable, a malicious Chromium-based browser extension, and supporting components.”
The script is also designed to identify installed Chromium-based browsers and silently modify their launch parameters (such as adding the “--load-extension” command-line switch) to install the extension. The browser add-on then triggers specific actions based on URL pattern matching, and collects system information, cookies, browsing history, installed extensions, and tab metadata.
The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into clicking a link that purports to download a PDF file, but instead delivers a ZIP archive that initiates the DLL side-loading chain described above to install JanelaRAT.
Since at least May 2024, JanelaRAT campaigns have moved from Visual Basic scripts to MSI installers, which act as droppers for the malware using DLL side-loading and establish persistence on the host by creating a Windows shortcut (LNK) in the Startup folder that points to the executable.
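Two of the host-side behaviours described above are easy to hunt for in endpoint telemetry: a Chromium-based browser launched with a “--load-extension” switch, and a new LNK file appearing in a Startup folder. The following detection script is an added example written for this article; it is not code from Kaspersky, KPMG, or the malware itself. It assumes Sysmon-style records (EventID 1 process creation with Image/CommandLine, EventID 11 file creation with TargetFilename), and every path, file name and extension directory in the sample events is constructed for illustration.

```python
"""Hunt for two JanelaRAT-style host indicators in Sysmon-like records.

Added example, not from the article or any vendor. Field names follow
Sysmon (EventID, Image, CommandLine, TargetFilename); all sample values
below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Chromium-based browser binaries to cover (assumption: our own list).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Per-user and all-users shell Startup folders (lower-case substrings).
STARTUP_MARKERS = (
    r"\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)

# --load-extension=<dir>[,<dir>...], with or without surrounding quotes.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')


def loaded_extensions(command_line):
    """Return the extension directories a command line asks Chromium to load."""
    paths = []
    for m in LOAD_EXT_RE.finditer(command_line):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p.strip() for p in raw.split(",") if p.strip())
    return paths


def check_process(event):
    """EventID 1: a Chromium browser started with --load-extension."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    exts = loaded_extensions(event.get("CommandLine", ""))
    if not exts:
        return None
    # Developers use this switch legitimately; treat as a lead and note the
    # parent process so a triage analyst can see who launched the browser.
    return {
        "rule": "chromium-load-extension",
        "image": image,
        "extensions": exts,
        "parent": event.get("ParentImage"),
    }


def check_startup_lnk(event):
    """EventID 11: a .lnk written into a Startup folder (persistence)."""
    target = event.get("TargetFilename", "")
    low = target.lower()
    if not low.endswith(".lnk") or not any(m in low for m in STARTUP_MARKERS):
        return None
    return {"rule": "startup-folder-lnk", "path": target, "creator": event.get("Image")}


def hunt(events):
    """Run both rules over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 1:
            hit = check_process(ev)
        elif ev.get("EventID") == 11:
            hit = check_startup_lnk(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: one hit per rule plus two benign records.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext_sample" --no-first-run'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules are leads rather than verdicts: “--load-extension” has legitimate developer uses and Startup-folder shortcuts are created by many installers, so the parent process and the creating image are returned alongside each hit to support triage. Matching on the shortcut's resolved target (the executable the LNK points to) would tighten the second rule but requires parsing the LNK format, which is left out here.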
Upon execution, the malware establishes communication with a command-and-control (C2) server via a TCP socket to register a successful infection and monitor the victim’s activity to intercept sensitive banking interactions.
The main goal of JanelaRAT is to obtain the title of the active window and compare it with a hard-coded list of financial institutions. If there is a match, the malware waits 12 seconds before opening a dedicated C2 channel and executing the malicious actions received from the server. Some of the supported commands include:
- Sending screenshots to the C2 server
- Cropping specific screen areas and extracting the images
- Displaying images in full-screen mode (for example, “Configuring Windows Update, please wait”) and impersonating bank-themed dialogs via a fake overlay to obtain credentials
- Capturing keystrokes
- Simulating keyboard actions such as DOWN, UP and TAB for navigation
- Moving the cursor and simulating a click
- Performing a forced system shutdown
- Running commands via “cmd.exe” and PowerShell commands or scripts
- Manipulating Windows Task Manager to prevent the malware's windows from being recognized
- Identifying the presence of anti-fraud systems
- Sending system metadata
- Detecting sandboxes and automated analysis tools
“The malware determines whether the victim’s machine has been idle for more than 10 minutes by calculating the time elapsed since the last user input,” Kaspersky said. “If the period of inactivity exceeds 10 minutes, the malware notifies C2 by sending a corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track everything from the user’s presence and routines to possible remote operations.”
“This version represents a significant advancement in the actor’s capabilities by combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to reduce the user’s visibility and adapt to anti-fraud software’s behavior when detected.”