Back to Intelligence

JanelaRAT (BX RAT Variant): Detection and Defense for Latin American Financial Institutions

SA
Security Arsenal Team
April 14, 2026
6 min read

A sophisticated malware campaign has aggressively targeted the financial sector in Latin America, with Brazil reporting over 14,739 attacks attributed to the JanelaRAT family in early 2025. This threat, a modified variant of the notorious BX RAT, poses a severe risk to banking institutions and customers in Brazil and Mexico.

JanelaRAT is not a standard commodity malware; it is designed specifically for financial fraud. It combines credential harvesting, cryptocurrency theft, and extensive surveillance capabilities—including keystroke logging, mouse input tracking, and screenshot capture—to bypass standard authentication controls. Given the active exploitation and the high value of the data at risk, security teams must immediately shift to a defensive posture focused on behavioral detection and endpoint hardening.

Technical Analysis

Threat Overview: JanelaRAT is a modular Remote Access Trojan (RAT) derived from the BX RAT source code. While BX RAT has been a staple in the cybercrime underground for years, JanelaRAT represents a tailored evolution specifically optimized for Latin American banking targets.

Capabilities & Attack Chain:

  • Initial Vector: Typically distributed via phishing emails containing malicious attachments or links, often spoofing legitimate financial services or tax authorities.
  • Execution & Persistence: Upon execution, the RAT establishes persistence (often via Registry Run keys or Scheduled Tasks) and initiates a C2 channel. Being a modified .NET-based RAT, it may inject into legitimate processes (e.g., explorer.exe) to evade detection.
  • Data Exfiltration & Surveillance: The core functionality described in the intelligence reports includes:
    • Keylogging & Mouse Tracking: Hooking into user32.dll and kernel32.dll to capture raw inputs. This allows attackers to reconstruct user behavior even if the target application uses virtual keyboards or anti-screen-scraping measures.
    • Screen Capture: Periodically capturing screenshots to identify 2FA tokens or account balances.
    • System Metadata: Harvesting system information to fingerprint the victim for further targeting.

Affected Platforms:

  • OS: Microsoft Windows (Primary target for banking customers).
  • Sector: Financial Services and Banking (Brazil, Mexico).

Exploitation Status:

  • Active Exploitation: Confirmed. The reported 14,739 attacks in Brazil indicate an active, large-scale campaign.
  • CISA KEV: Not currently listed (as of the report), but the active targeting of critical financial infrastructure elevates the priority.

Detection & Response

Given the lack of static hashes in the initial reporting and the malware's ability to modify itself, defenders must rely on behavioral Indicators of Compromise (IoCs). The following detection logic focuses on the RAT's core mechanisms: process injection (keylogging), persistence, and suspicious execution flows.

SIGMA Rules

YAML
---
title: Potential Keylogger via Process Access (Winlogon/Explorer)
id: 8a4b1c92-9e4b-4d67-bc12-3e5a8f901235
status: experimental
description: Detects potential keylogging behavior consistent with JanelaRAT/BX RAT. A process accessing Winlogon or Explorer with specific access rights (VM_READ) often indicates input hook injection.
references:
  - https://attack.mitre.org/techniques/T1056/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1056.001
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith:
      - '\winlogon.exe'
      - '\explorer.exe'
    GrantedAccess|contains:
      - '0x1410'
      - '0x1010'
      - '0x143A'
    SourceImage|contains:
      - '\AppData\'
      - '\Temp\'
  condition: selection
falsepositives:
  - Legitimate security software scanning memory
  - Unknown
level: high
---
title: Suspicious Screen Capture via PowerShell
id: 9b5c2d03-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects PowerShell scripts attempting to load Windows API libraries for screen capturing (user32.dll), a technique used by JanelaRAT for surveillance.
references:
  - https://attack.mitre.org/techniques/T1113/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1113
logsource:
  category: script_block_log
  product: windows
detection:
  selection:
    ScriptBlockText|contains:
      - 'Add-Type -MemberDefinition'
      - 'user32.dll'
      - 'GetWindowDC'
      - 'BitBlt'
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: medium
---
title: Persistence via Unsigned Binary in Startup Folder
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects unsigned executables placed in the Startup folder, a common persistence mechanism for BX RAT variants like JanelaRAT.
references:
  - https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup'
    TargetFilename|endswith: '.exe'
  filter:
    Signed: 'true'
  condition: selection and not filter
falsepositives:
  - Authorized IT software deployment
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for processes spawned from user directories that establish network connections, typical of RAT behavior.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious processes from User directories making network connections
let UserDirs = dynamic(["C:\\Users\\", "C:\\ProgramData\\"]);
DeviceProcessEvents
| whereFolderPath in~ UserDirs
| where InitiatingProcessFolderPath in~ UserDirs
| join kind=inner DeviceNetworkEvents on DeviceId, InitiatingProcessId
| where RemotePort in (443, 80, 8080) // Common C2 ports, adjust as needed
| where isnotempty(RemoteUrl)
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp), ConnectionCount = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl
| order by ConnectionCount desc

Velociraptor VQL

This artifact hunts for unsigned executables running from user profile AppData directories, a key drop point for JanelaRAT.

VQL — Velociraptor
-- Hunt for unsigned executables in user AppData directories
SELECT FullPath, Name, Size, Mtime, Username, Sig_Status, Sig_Subject
FROM glob(globs='C:\\Users\\*\\AppData\\*\\*.exe')
LEFT JOIN SELECT
  FullPath as SignedPath,
  Status as Sig_Status,
  Subject as Sig_Subject
FROM authenticode(filename=FullPath)
ON SignedPath = FullPath
WHERE Sig_Status != 'Valid'

Remediation Script (PowerShell)

Use this script to identify and remove potential persistence mechanisms associated with JanelaRAT in the Registry Run keys and Startup folders.

PowerShell
# Remediation Script: Hunt for JanelaRAT/BX RAT Persistence Mechanisms

# Check Registry Run Keys for suspicious binaries in AppData
$Paths = @(
    "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
)

Write-Host "[+] Checking Registry Persistence Keys..."

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue | Get-Member | Where-Object {$_.MemberType -eq "NoteProperty"} | ForEach-Object {
            $PropertyName = $_.Name
            $PropertyValue = (Get-ItemProperty -Path $Path).$PropertyName
            if ($PropertyValue -match "AppData" -or $PropertyValue -match "Temp") {
                Write-Host "[!] Suspicious Persistence Found: $Path\\$PropertyName -> $PropertyValue" -ForegroundColor Yellow
                # Uncomment to remove automatically (Use with caution)
                # Remove-ItemProperty -Path $Path -Name $PropertyName -Force
            }
        }
    }
}

# Check Startup Folders
Write-Host "[+] Checking Startup Folders..."
$StartupPath = [Environment]::GetFolderPath("Startup")
if (Test-Path $StartupPath) {
    Get-ChildItem -Path $StartupPath -Filter *.exe | ForEach-Object {
        # Check signature
        $sig = Get-AuthenticodeSignature $_.FullName
        if ($sig.Status -ne "Valid") {
            Write-Host "[!] Unsigned executable found in Startup: $($_.FullName)" -ForegroundColor Red
        }
    }
}
Write-Host "[+] Scan Complete."

Remediation

  1. Isolate and Re-image: For endpoints confirmed to be infected with JanelaRAT, isolation from the network is the immediate first step. Given the RAT's ability to steal credentials and session cookies, the only trustworthy remediation is a complete OS re-image or a rollback to a known-good clean backup.

  2. Credential Reset: Assume all credentials entered on the infected machine are compromised. Force a password reset for all banking and financial applications used from the affected device. Enforce MFA re-registration where possible.

  3. Application Allowlisting: Implement application allowlisting (e.g., AppLocker) to prevent unsigned executables from running in user-writable directories like %AppData% or %Temp%.

  4. Network Segmentation: Ensure critical banking workstations are isolated from the general internet and restricted to only necessary internal and external financial gateways.

  5. User Education: Conduct targeted phishing simulations for staff in Latin American branches. Emphasize the dangers of downloading attachments claiming to be invoices or financial statements.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsjanelaratbanking-malwarebx-ratlatin-americarat

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action