# JanelaRAT Malware Campaign Escalates Against Latin American Banks with 14,739 Attacks in Brazil Alone During 2025


## The Threat


JanelaRAT, a sophisticated remote access trojan (RAT) designed specifically to target financial institutions across Latin America, has become an increasingly urgent threat to the region's banking sector. Security researchers confirmed 14,739 distinct attack attempts across Brazil in 2025 alone—a staggering volume that underscores the severity and persistence of what has become a coordinated, large-scale campaign against the continent's financial infrastructure.


The malware operates as a full-featured RAT, granting attackers complete control over compromised systems and enabling them to harvest banking credentials, intercept transactions, and conduct wire fraud operations against financial institutions and their customers. The sheer attack volume, coupled with the malware's technical sophistication, signals a well-resourced threat actor or criminal organization with sustained interest in Latin American banking assets.


## Background and Context


Banking trojans and RATs targeting Latin America represent a persistent and evolving threat landscape. The region has long been a strategic target for cybercriminals due to several factors: robust financial systems with valuable transaction volumes, varying levels of cybersecurity maturity across institutions, and established money laundering and cash-out networks that facilitate fast conversion of stolen funds into usable currency.


JanelaRAT builds on a legacy of banking malware threats in Latin America. Previous campaigns have targeted the region with malware families including Banpak, Grandoreiro, and Astaroth—each advancing in sophistication and evasion capabilities. What distinguishes JanelaRAT is the scale and sustained operational tempo evident in 2025 figures.


### Geographic Focus


Brazil, the region's largest economy and financial hub, has borne the heaviest burden of JanelaRAT attacks. The concentration reflects both the attractiveness of Brazilian banking systems and the established cybercriminal infrastructure within the country that supports distributed attack coordination and fraud execution.


However, security researchers indicate that attacks have been observed in Argentina, Chile, Mexico, and Colombia, suggesting the threat actor is systematically targeting major financial centers across the continent rather than limiting operations to a single jurisdiction.


## Technical Details


### Attack Vector and Distribution


JanelaRAT primarily reaches target systems through spear-phishing campaigns that leverage highly localized social engineering. Attack emails impersonate legitimate Brazilian and Latin American entities—including financial institutions themselves, government agencies, and commercial enterprises—to establish initial credibility.


Emails typically contain weaponized attachments (Microsoft Office documents with embedded macros) or malicious links directing users to credential-harvesting pages designed to capture banking access credentials before malware deployment occurs.


### Malware Capabilities


Once executed on a victim's system, JanelaRAT provides attackers with comprehensive remote access capabilities:


| Capability | Description |
|-----------|-------------|
| Keystroke Logging | Captures all keyboard input, including banking credentials and two-factor authentication codes |
| Screen Capture | Records desktop activity to monitor transaction approval workflows |
| Credential Theft | Extracts stored passwords from browsers and password managers |
| File Exfiltration | Steals banking software configurations and transaction data |
| Banking Session Hijacking | Intercepts and manipulates active banking sessions in real time |
| Persistent Backdoor Access | Maintains long-term presence on compromised systems for sustained exploitation |


### Evasion Techniques


Analysis of captured JanelaRAT samples reveals multiple anti-analysis and evasion mechanisms designed to defeat security detection:


  • Polymorphic code that changes structural signatures across samples
  • VM detection to prevent execution in sandbox environments used by security researchers
  • Code obfuscation that complicates static analysis
  • Command-and-control (C2) communication encryption to hide traffic from network monitoring
  • Living-off-the-land tactics that abuse legitimate Windows utilities (PowerShell, WMI) to avoid deploying suspicious executables

## Implications for Financial Institutions and Organizations


The scale of JanelaRAT attacks carries severe implications for the banking sector and broader organizational security:


### Direct Financial Impact

Victim institutions report transaction losses ranging from thousands to millions of USD per incident. Individual customer account compromises frequently involve unauthorized transfers, fraudulent wire transactions, and credential theft enabling account takeover. The financial damage extends beyond stolen funds to include fraud investigation costs, customer remediation, and regulatory fines.


### Systemic Risk

A coordinated campaign affecting 14,739+ systems across Brazil's banking landscape suggests potential infrastructure-level exposure. If attack clustering indicates shared vulnerability patterns, a single security flaw could affect multiple institutions—creating systemic risk comparable to software supply chain compromises.


### Regulatory and Reputational Damage

Brazil's Central Bank (Banco Central do Brasil) and financial regulators have increased scrutiny of institutional cybersecurity practices. Institutions experiencing JanelaRAT compromises face:


  • Mandatory breach notifications and regulatory investigations
  • Reputational damage affecting customer confidence and retention
  • Potential fines under Brazil's Lei Geral de Proteção de Dados (LGPD, Brazil's data protection law)
  • Operational disruption during incident response and forensics

### Supply Chain Considerations

The targeting of banking software and financial processing applications used across multiple institutions suggests attackers may be identifying shared vulnerabilities or leveraging compromised vendor environments to reach financial institution networks indirectly.


## Recommendations for Financial Organizations


### Immediate Actions


Credential Reset and Access Control Review

  • Force password resets for all personnel with financial transaction authority
  • Implement emergency account access audits to identify unauthorized sessions
  • Review transaction approval logs for 90+ days prior for suspicious activity patterns

Endpoint Detection and Response (EDR) Deployment

  • Deploy or enhance EDR tooling across all user-facing systems and administrative workstations
  • Configure behavioral detection rules specifically targeting RAT indicators (screen capture, credential access, persistence mechanisms)
  • Enable threat intelligence feeds specifically covering JanelaRAT C2 infrastructure

Email Gateway Hardening

  • Implement multi-layer email filtering with machine learning-based phishing detection
  • Block executable attachments and macros by default; require business justification for exceptions
  • Scan all URLs in emails against current threat intelligence databases
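Added example (not code from the article or from any JanelaRAT sample analysis): behavioral detection rules run over constructed Sysmon-style telemetry, covering the behaviors the Evasion Techniques list and the EDR recommendation above describe, namely Office macros launching living-off-the-land tools (PowerShell, WMI) and Run-key persistence. The event field names follow Sysmon's schema; the sample records, file paths, and rule names are constructed for the demonstration.

```python
"""Behavioral detection rules over endpoint telemetry for the RAT behaviors the
article lists: Office macros launching living-off-the-land tools (PowerShell,
WMI) and Run-key persistence. Input is constructed Sysmon-style JSON lines
(EventID 1 = process create, 13 = registry value set)."""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PS_SUSPICIOUS = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the rules an event triggers (empty list if benign)."""
    hits = []
    if event.get("EventID") == 1:
        parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child in LOLBINS:
            hits.append("office_spawns_lolbin")  # macro-stage payload launch
        if parent == "wmiprvse.exe" and child in LOLBINS:
            hits.append("wmi_spawns_lolbin")  # WMI-hosted execution
        if child in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(event.get("CommandLine", "")):
            hits.append("hidden_or_encoded_powershell")
    elif event.get("EventID") == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("run_key_persistence")
    return hits

def scan(lines) -> list:
    """Scan JSON-lines telemetry; return (line_no, rules) for every line that fires a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            hits = classify(json.loads(line)) if line.strip() else []
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than crash the detector
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample telemetry (hypothetical; not real JanelaRAT artifacts).
SAMPLE = r'''
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "firefox.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
'''.strip().splitlines()
```

Calling `scan(SAMPLE)` flags lines 1, 3 and 4 of the sample and leaves the ordinary browser launch on line 2 alone; the same rules can be pointed at real Sysmon exports once the JSON field mapping is confirmed for the collector in use.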

### Strategic Improvements


  • Zero Trust Architecture: Implement micro-segmentation to limit lateral movement from compromised endpoints into banking application environments
  • Multi-Factor Authentication (MFA): Enforce MFA on all banking system access, particularly for privileged accounts, using hardware security keys where possible
  • Security Awareness Training: Conduct targeted training for employees on Latin American-specific phishing tactics and social engineering vectors
  • Threat Intelligence Integration: Maintain active subscriptions to threat intelligence feeds covering JanelaRAT indicators and broader Latin American banking malware trends
  • Incident Response Planning: Conduct tabletop exercises simulating large-scale endpoint compromise to ensure rapid containment and forensic capability

## Conclusion


JanelaRAT represents an escalating threat to Latin American financial institutions and a reminder that regional banking sectors remain prime targets for sophisticated, well-resourced threat actors. The 14,739 attacks recorded in Brazil during 2025 underscore the campaign's scale and persistence.


However, the threat is neither inevitable nor insurmountable. Financial institutions that implement defense-in-depth strategies—combining robust endpoint detection, email security hardening, access control enforcement, and behavioral monitoring—can substantially reduce both compromise likelihood and dwell time. Organizations that remain informed about emerging threats and maintain proactive hunting programs can identify and remediate compromises before attackers achieve their financial objectives.


The next critical window is now: institutions should treat JanelaRAT response as an urgent operational priority rather than a routine security concern.