Kaspersky GReAT researchers detected and analyzed a new version of JanelaRAT, which masqueraded as a legitimate pixel art application. Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with specific focus on users of financial institutions in Brazil and Mexico. With the new version of the malware, the attackers manipulate the user into interacting with a customized overlay screen on top of the real online banking interface and thus initiate banking session hijacking. According to our telemetry, in 2025 there were 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.
JanelaRAT is a Remote Access Trojan, a heavily modified variant of the old BX RAT from 2014 that primarily targets users in Latin America, especially those in banking, fintech and cryptocurrency sectors. The malware employs a multi-stage infection chain starting with phishing emails containing malicious VBS scripts in archives that are subsequently opened by users.

A malicious email used in JanelaRAT campaigns
JanelaRAT is deployed using the DLL sideloading technique. The malware monitors the victim’s activity, intercepts sensitive banking interactions, and establishes an interactive channel to report changes to the attackers. The malware also tracks the user's presence and routine to time possible remote operations.
Decoy overlay system
The new version of JanelaRAT implements a special interactive tactic designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware displays a full-screen overlay window with an image sent by the attackers mimicking legitimate banking or system interfaces. The malware then blocks the victim’s interaction by displaying dialog boxes that are dictated by the attackers. The actions in these dialog boxes correspond to specific operations, such as password capture, token/MFA capture, fake loading screen, fake Windows update full-screen modal and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.
Examples of MS Windows dialog boxes displayed by attackers to the victim: password capture, token/MFA capture, fake loading screen
“JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries. The new variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize visibility and adapt its behavior upon detection of anti-fraud software,” comments Maria Isabel Manjarrez, Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT).
Read the full report on Securelist.com to learn more about CrystalX RAT and its indicators of compromise.
To stay safe Kaspersky recommends that users:
- Be cautious when opening or downloading files received via messengers or emails, as they may contain and execute malware.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.
- Enable the ‘show file extensions’ option in the Windows settings. This makes it much easier to distinguish potentially malicious files. Since Trojans are executable programs, be wary of file extensions such as “exe”, “vbs” and “scr”. Cybercriminals may also chain several extensions to disguise a malicious file as a video, photo, or document.
- Be attentive to notifications sent by email. Cybercriminals often distribute fake email messages mimicking notifications from an online store or a bank, luring the user into clicking a malicious link that delivers malware.
About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.