Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT. A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata. "One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions," Kaspersky said in a report published today. "The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features." Telemetry data gathered by the Russian cybersecurity vendor shows that as many as 14,739 attacks were recorded in Brazil in 2025 and 11,695 in Mexico. It's currently not known how many of these resulted in a successful compromise. First detected in the wild by Zscaler in June 2023, JanelaRAT has leveraged ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file, which, in turn, comes with a legitimate executable and a DLL payload. The final stage employs the DLL side-loading technique to launch the trojan. In a subsequent analysis published in July 2025, KPMG said the malware is distributed via rogue MSI installer files masquerading as legitimate software hosted on trusted platforms like GitLab. Attacks involving the malware have primarily singled out Chile, Colombia, and Mexico. "Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch," KPMG noted at the time. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components." The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive that initiates the aforementioned attack chain involving DLL side-loading to install JanelaRAT. At least since May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers, which act as a dropper for the malware using DLL side-loading and establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the ex