JanelaRAT Surge: 14k+ Hits in Brazil and the Evolution of BX RAT
Just caught the latest report on JanelaRAT activity—it's pretty aggressive. With over 14,700 attacks recorded in Brazil alone during 2025, this modified BX RAT variant is clearly targeting the LATAM banking sector hard.
What stands out is the feature set beyond standard credential harvesting. The article mentions it tracks mouse inputs alongside keylogging and screenshots. This likely isn't just for surveillance; tracking mouse movement dynamics is often used to distinguish human interaction from bots during the fraud itself, or perhaps to bypass behavioral heuristics.
Since this is a BX RAT derivative, we should be looking for the usual persistence mechanisms. I've whipped up a quick PowerShell snippet to hunt for suspicious scheduled tasks that often characterize these campaigns—specifically looking for tasks hiding behind obscure names or utilizing powershell.exe for execution:
# Flag tasks whose action runs powershell.exe with an encoded command; match the full switch and the
# abbreviations powershell.exe also accepts (-enc, -ec, -e, with either - or / prefix), per action
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'powershell' -and $_.Arguments -match '(^|\s)[-/]e(c|nc\w*)?\b' }
} | Select-Object TaskName, TaskPath, State, @{Name='Args'; Expression={ ($_.Actions.Arguments) -join ' ' }}
Given the focus on cryptocurrency and banking data, I'm assuming the delivery vector is still phishing lures with malicious attachments. Has anyone seen specific IOCs related to the VBA macros dropping this payload? Or are we seeing a shift toward HTML smuggling?
We've seen a similar uptick in our Mexican financial vertical clients. The delivery mechanism in our cases was strictly ISO files containing DLL side-loading loaders rather than the traditional Office macros. The mouse tracking you mentioned is definitely to analyze typing patterns for keystroke injection later. We've had luck detecting the RAT's C2 beaconing by looking for long intervals between POST requests with no User-Agent strings.
Interesting point on the mouse input. I remember the BX RAT source code leaking a few years back, so these mods are expected. From a pentester's perspective, the metadata collection is the real danger here—it grabs system info to generate specific sandbox hashes. If you're Blue Teaming, make sure your sandboxing environment randomizes MAC addresses and CPU info on every run, or this RAT will just phone home dormant.
It’s worth noting the injection targets. JanelaRAT specifically injects into explorer.exe to hook into the GUI for that mouse tracking capability. Given the ISO delivery chain Tanya spotted, spotting the unusual parent-child process relationship is vital. You can hunt for this execution pattern using this KQL query:
DeviceProcessEvents
// parent is explorer.exe: the user double-clicked something, e.g. a file inside a mounted ISO
| where InitiatingProcessFileName =~ "explorer.exe"
// image runs from a drive other than the system drive, which is where a mounted ISO lands
// (matches regex is case-sensitive, hence (?i); assumes C: is the system drive)
| where FolderPath matches regex @"(?i)^[a-z]:\\" and FolderPath !startswith "C:\\"
// binary carries no company name in its version resource
| where isempty(ProcessVersionInfoCompanyName)
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256
This helps catch the initial execution stage before the C2 beacon even starts.
To catch the mouse tracking activity specifically, monitoring for SetWindowsHookEx calls against non-browser processes can be a solid heuristic. In our environment, we use a simple KQL query to hunt for this behavior flagged by EDR telemetry:
// MDE exposes no per-API telemetry for SetWindowsHookEx, and process command lines never carry API names.
// A global WH_KEYBOARD/WH_MOUSE hook needs a hook DLL that Windows maps into every GUI process that
// receives input (the WH_*_LL variants do not), so hunt for one non-Microsoft DLL loaded by many unrelated processes.
DeviceImageLoadEvents
| where Timestamp > ago(1d) and FolderPath !startswith "C:\\Windows\\" and FolderPath !startswith "C:\\Program Files"
| summarize Loaders=dcount(InitiatingProcessFileName), Examples=make_set(InitiatingProcessFileName, 10) by DeviceName, SHA256, FolderPath
| where Loaders >= 5
The evolution of the configuration obfuscation is what caught my eye. These BX variants typically rely on single-byte XOR encoding for the C2 address, which static scanners often miss. If you're analyzing the dumped binary, try a quick brute-force XOR script to reveal the Command & Control server.
import re
import sys

# Single-byte XOR brute force: a real config string decodes to a URL, so only report
# keys whose plaintext contains an http(s):// prefix, and print the URL, not the whole blob.
data = open(sys.argv[1] if len(sys.argv) > 1 else 'malware.bin', 'rb').read()
for key in range(256):
    dec = bytes(b ^ key for b in data)
    for m in re.finditer(rb'https?://[\x21-\x7e]{4,}', dec):
        print(f"key 0x{key:02x} @ offset {m.start()}: {m.group().decode('ascii', 'replace')}")
Has anyone observed them switching to AES for the config strings in the latest samples, or is it still simple XOR?
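The brute force above only covers a single-byte key. As an added example (not code from the thread or from any JanelaRAT/BX RAT analysis), the same idea generalised to a repeating multi-byte key: instead of trying every key, assume a crib such as "http://" occurs in the plaintext, slide it over the ciphertext, derive the key bytes it implies for each candidate key length, reject lengths where the crib contradicts itself, and keep only derivations that decode to a plausible URL. At key length 1 this is exactly the post's script without the 256 trials. The sample blob, the 5-byte key and the URLs in it are constructed; key lengths are capped at the crib length, so pass a longer crib (a known host fragment, for instance) to recover longer keys.

```python
import re

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def crib_drag_xor(data, crib=b"http://", max_key_len=None):
    """Recover repeating-key XOR keys of length 1..max_key_len, assuming `crib`
    appears somewhere in the plaintext. Returns {key: [urls]} for every key that
    satisfies the crib at some offset and decodes to a URL at that offset."""
    # Keep at least one consistency check per key length; a key as long as the crib
    # can never contradict itself and is filtered by the URL check alone.
    max_key_len = min(max_key_len or len(crib) - 1, len(crib))
    found = {}
    for key_len in range(1, max_key_len + 1):
        for off in range(len(data) - len(crib) + 1):
            key = [None] * key_len
            ok = True
            for j, c in enumerate(crib):
                slot = (off + j) % key_len          # key indexed by absolute position
                k = data[off + j] ^ c
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:                # crib contradicts itself here
                    ok = False
                    break
            if not ok:
                continue
            key = bytes(key)
            plain = bytes(b ^ key[n % key_len] for n, b in enumerate(data))
            m = URL_RE.match(plain, off)            # crib must extend into a real-looking URL
            if m:
                url = m.group().decode("ascii")
                found.setdefault(key, [])
                if url not in found[key]:
                    found[key].append(url)
    return found


def make_sample():
    """Constructed test blob: a fake config with two URLs under a 5-byte repeating key."""
    key = b"\x3a\x91\x5c\xe7\x08"                  # hypothetical key, all bytes distinct
    config = (b"\x00\x00cfg\x00"
              + b"http://c2.example.invalid:8080/gate.php" + b"\x00"
              + b"https://fallback.example.invalid/upd" + b"\x00" * 4)
    return key, bytes(b ^ key[n % len(key)] for n, b in enumerate(config))


if __name__ == "__main__":
    _, blob = make_sample()
    for crib in (b"http://", b"https://"):
        for k, urls in crib_drag_xor(blob, crib=crib).items():
            print(f"crib {crib!r}: key {k.hex()} ({len(k)} bytes) -> {urls}")
```

With the 5-byte key, every other length up to 6 fails the consistency check at the true offset (the crib forces two different key bytes into one slot), so only the real key survives; the "http://" crib finds the primary URL and "https://" the fallback. Against a sample that has moved to AES or RC4 this yields nothing for any crib, which is itself a quick way to tell whether the config scheme has changed.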