JanelaRAT Malware Launches Over 14,000 Attacks on Latin American Banks in 2025
What Happened — JanelaRAT, a variant of the BX‑RAT remote access trojan, has been observed in 14,739 targeted attacks against banks and financial institutions in Brazil during 2025, with spill‑over activity in Mexico and other Latin American markets. The malware captures banking and cryptocurrency credentials, logs keystrokes, takes screenshots, and harvests system metadata from infected hosts.
Why It Matters for TPRM —
- High‑volume, credential‑stealing RATs increase the likelihood of downstream data exposure for any third‑party service providers linked to the compromised banks.
- Financial institutions are a critical supply‑chain node; compromise can cascade to payment processors, fintech platforms, and SaaS vendors handling transaction data.
- Persistent RAT activity signals a mature threat actor capable of evading traditional AV, demanding stronger endpoint controls from all vendors.
Who Is Affected — Financial Services (banks, credit unions, payment processors), fintech SaaS providers, and any third‑party vendors that integrate with Latin American banking APIs.
Recommended Actions —
- Verify that all banking vendors run an up‑to‑date EDR agent on every endpoint and that they consume threat‑intelligence feeds carrying current RAT indicators (C2 infrastructure, loader hashes, phishing lures).
- Enforce MFA for all remote and privileged access to banking environments.
- Review and test incident‑response playbooks that include RAT detection, containment, and forensic analysis.
- Require vendors to provide evidence of recent security assessments covering malware‑resilience.
Technical Notes — JanelaRAT is delivered through phishing emails and compromised remote‑desktop tools, using a custom loader that signature‑based AV does not detect. Once running it records mouse input, keystrokes, and screenshots, and exfiltrates cryptocurrency wallet files and banking credentials over encrypted C2 channels, so payload inspection at the network edge is of limited use. No specific CVE is associated with the campaign; it relies on social engineering and stealth rather than a software vulnerability. Source: The Hacker News
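Because the C2 channel described above is encrypted, a practical detection for the "RAT detection" step in the incident‑response playbook is to look at connection timing rather than content: RAT check‑ins tend to recur at a near‑fixed interval, while ordinary browsing does not. The script below is an added illustration written for this brief, not code from The Hacker News or from the malware analysis; the log format, the host addresses (documentation‑range IPs, not real indicators), and the jitter threshold are all assumptions.

```python
"""Beacon-interval analysis over constructed outbound-connection logs.

Added example for the brief above: flag (src, dst, port) pairs whose
inter-connection gaps are near-constant, the timing signature of a RAT
checking in with its C2 server. Works on metadata only, so it applies
even when the channel itself is encrypted.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, format "timestamp src_ip dst_ip dst_port bytes_out".
# 10.0.5.23 contacts 203.0.113.10:443 roughly every 60 s (assumed beacon);
# 10.0.5.40 talks to 198.51.100.7:443 at irregular, browsing-like intervals.
# Both external addresses are RFC 5737 documentation ranges, not indicators.
SAMPLE_LOG = """\
2025-03-04T09:00:00 10.0.5.23 203.0.113.10 443 812
2025-03-04T09:01:01 10.0.5.23 203.0.113.10 443 790
2025-03-04T09:02:00 10.0.5.23 203.0.113.10 443 805
2025-03-04T09:02:59 10.0.5.23 203.0.113.10 443 811
2025-03-04T09:04:01 10.0.5.23 203.0.113.10 443 798
2025-03-04T09:05:00 10.0.5.23 203.0.113.10 443 820
2025-03-04T09:00:12 10.0.5.40 198.51.100.7 443 14020
2025-03-04T09:00:13 10.0.5.40 198.51.100.7 443 2330
2025-03-04T09:03:45 10.0.5.40 198.51.100.7 443 9912
2025-03-04T09:09:02 10.0.5.40 198.51.100.7 443 51000
2025-03-04T09:09:05 10.0.5.40 198.51.100.7 443 120
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def beacon_candidates(events, min_conns=5, max_jitter=0.15):
    """Return (src, dst, port, mean_gap_s, jitter) for periodic connection pairs.

    jitter is the coefficient of variation of the inter-connection gaps
    (stdev / mean); a value near 0 means a fixed check-in interval.
    min_conns and max_jitter are assumed tuning values, not published ones.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, dst, port, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, avg, jitter in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{avg}s (jitter {jitter})")
```

On the sample data only the 10.0.5.23 pair is reported (mean gap 60 s, jitter about 0.02); the browsing host is discarded because its gaps range from 1 s to over 5 minutes. In practice, feed this the proxy or NetFlow export for a day, raise `min_conns` to cut noise, and triage hits against the vendor's threat‑intel feed before escalating.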