Janela RAT Steals Data via Fake MSI Installers and Malicious Browser Extensions
A new malware campaign, deploying the Remote Access Trojan (RAT) known as Janela RAT, is actively targeting financial institutions and cryptocurrency platforms across Latin America.
The threat actors behind this attack are using fake MSI installer files and malicious browser extensions to infiltrate systems and steal sensitive financial data from unsuspecting victims.
Janela RAT was first identified in mid-2023 and is widely believed to be a modified variant of BX RAT, an older trojan repurposed with more advanced capabilities.
The malware specifically targets users in Chile, Colombia, and Mexico, and has been built to strike at the banking, fintech, and cryptocurrency sectors.
The threat actors running this campaign are financially motivated, with a clear goal of stealing credentials and gaining unauthorized access to accounts.
KPMG analysts identified the attack's multi-stage structure and flagged it as a significant threat to Latin America's financial infrastructure.
Researchers highlighted how Janela RAT disguises itself as trusted software on public GitLab repositories, making it harder for users to spot the danger before damage is done.
The campaign’s ability to quietly manipulate installed browsers while maintaining encrypted communication with attacker-controlled servers makes it particularly difficult to contain.
The overall impact of this campaign goes well beyond simple data theft. By reaching into the browser and harvesting cookies, saved credentials, and browsing history, the attackers gain detailed visibility into a victim's financial activity.
With stolen session cookies they can bypass authentication steps, including a completed MFA prompt, take over accounts, or monitor live financial transactions without the victim realizing what is happening.
For organizations operating in the banking and fintech space, this kind of infiltration poses a serious operational and reputational risk.
What makes Janela RAT especially dangerous is how it combines components written in several languages with layered evasion techniques to stay hidden long after the initial infection.
Encrypted command-and-control communications, alongside behavior that blends in with normal browser activity, make this malware very hard to detect with standard security tools.
Multi-Stage Infection and Browser Hijacking
The infection begins the moment a user runs what appears to be a regular software installer in MSI format. These installer files are hosted on public GitLab repositories and are carefully disguised to appear trustworthy and legitimate.
Once executed, the installer quietly launches a chain of components written in Go, PowerShell, and batch, each playing a specific role in setting up the full attack.
A Go-based unpacker then extracts a password-protected ZIP file, decodes the base64-encoded command-and-control domain details, and writes all of it into a config.json file that the later stages read.
At the same time, the scripts scan the infected machine for Chromium-based browsers and modify their startup settings so that a malicious extension is loaded without the user's knowledge.
The extension is paired with a native messaging host, the locally registered program that Chromium allows an extension to exchange messages with, which gives the in-browser code a channel to components running outside the browser sandbox. A built-in function called CollectRefresh gathers a wide range of sensitive data, including system details, browser cookies, browsing history, installed extensions, and open tab information.
It also watches for specific URL patterns and triggers further RAT actions whenever a visited page matches, such as a banking or cryptocurrency login page.
To avoid detection, Janela RAT establishes encrypted WebSocket connections to its C2 servers using obfuscated, base64-encoded domains.
The malware also rotates its C2 addresses dynamically and stays quiet during idle periods to avoid triggering behavior-based security alarms. Together, these techniques allow the malware to operate for extended periods without being noticed.
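As an added example, and not code from the report or from the malware, the following PowerShell hunt checks a Windows host for the two browser-side artifacts described above: a Chromium browser shortcut that sideloads an extension via the `--load-extension` argument (taking that as the "startup settings" change, which is an assumption, since the report does not name the exact mechanism), and native messaging hosts registered in the registry whose manifest or binary lives outside vendor install locations. The registry paths and manifest fields are standard Chromium conventions, not Janela-specific indicators.

```powershell
# Added hunt script, not code from the report or from the malware. It looks for the two
# browser-side artifacts the chain leaves on a Windows host: a Chromium browser started
# with --load-extension (assumed here to be the "startup settings" change the report
# describes) and native messaging hosts registered outside vendor install locations.
# Run in an elevated session so HKLM and the all-users shortcut folders are readable.

$ErrorActionPreference = 'SilentlyContinue'

# Registry keys under which Chromium-based browsers look up native messaging hosts.
$NativeHostKeys = @(
    'HKCU:\Software\Google\Chrome\NativeMessagingHosts',
    'HKLM:\Software\Google\Chrome\NativeMessagingHosts',
    'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',
    'HKLM:\Software\Microsoft\Edge\NativeMessagingHosts',
    'HKCU:\Software\BraveSoftware\Brave-Browser\NativeMessagingHosts',
    'HKLM:\Software\BraveSoftware\Brave-Browser\NativeMessagingHosts'
)

# A host manifest or binary under a user-writable path is the red flag; legitimately
# installed hosts normally sit under Program Files or ProgramData.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $TrustedRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

function Get-NativeMessagingHostFindings {
    foreach ($key in $NativeHostKeys) {
        foreach ($sub in (Get-ChildItem -Path $key)) {
            # The subkey's default value is the path of the host's JSON manifest.
            $manifestPath = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            $manifest = $null
            if ($manifestPath -and (Test-Path -LiteralPath $manifestPath)) {
                $manifest = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
            }
            $binary = $manifest.path
            # A relative "path" in the manifest resolves against the manifest's own folder.
            if ($binary -and -not [IO.Path]::IsPathRooted($binary)) {
                $binary = Join-Path (Split-Path -Parent $manifestPath) $binary
            }
            [pscustomobject]@{
                Kind       = 'NativeMessagingHost'
                Name       = $sub.PSChildName
                Location   = $key
                Manifest   = $manifestPath
                Binary     = $binary
                # allowed_origins lists the extension IDs permitted to talk to this host.
                Details    = ($manifest.allowed_origins -join ' ')
                Suspicious = -not ((Test-TrustedPath $manifestPath) -and (Test-TrustedPath $binary))
            }
        }
    }
}

function Get-SideloadShortcutFindings {
    $shell = New-Object -ComObject WScript.Shell
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('Programs'),
        [Environment]::GetFolderPath('CommonPrograms'),
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    ) | Where-Object { Test-Path -LiteralPath $_ }

    foreach ($lnkFile in (Get-ChildItem -Path $roots -Filter *.lnk -Recurse -File)) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        # Only browser shortcuts matter, and only when an extension is sideloaded by argument.
        if ($lnk.TargetPath -notmatch '\\(chrome|msedge|brave)\.exe$') { continue }
        if ($lnk.Arguments -notmatch '--load-extension(=|\s)') { continue }
        [pscustomobject]@{
            Kind       = 'BrowserShortcut'
            Name       = $lnkFile.Name
            Location   = $lnkFile.FullName
            Manifest   = $null
            Binary     = $lnk.TargetPath
            Details    = $lnk.Arguments
            Suspicious = $true
        }
    }
}

$findings = @(Get-NativeMessagingHostFindings) + @(Get-SideloadShortcutFindings)
$findings | Sort-Object Suspicious -Descending |
    Format-List Kind, Name, Suspicious, Location, Manifest, Binary, Details
```

Treat `Suspicious = True` rows as leads, not verdicts: password managers, meeting clients and other legitimate software also register native messaging hosts, and an administrator may sideload an internal extension deliberately. Any host whose manifest points at a binary in a user profile or temp directory, or a browser shortcut whose arguments were changed without a change record, is worth pulling the referenced files for analysis and checking against the campaign IoCs.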
Security teams are advised to take the following steps to reduce exposure to this threat:
- Monitor your environment for known Indicators of Compromise (IoCs), including the domains, IP addresses, and file hashes associated with this campaign.
- Ensure all Windows systems are fully patched and that multi-factor authentication (MFA) is enforced on the accounts they are used to access, bearing in mind that stolen session cookies can sidestep an MFA prompt, so revoking sessions is part of any response.
- Conduct a full-spectrum threat assessment exercise to uncover blind spots and gaps in your security posture.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.