Janela RAT Campaign Uses Fake MSI and Malicious Browser Extensions to Steal Data


Marcus Rodriguez
April 14, 2026 3 Min Read

Key Takeaways

  • A new Janela RAT campaign is targeting financial institutions and cryptocurrency platforms in Latin America, chiefly in Chile, Colombia, and Mexico.
  • The remote access trojan is delivered through fake MSI installers, hosted on public GitLab repositories, that plant a malicious browser extension.
  • The malware, a likely variant of the older BX RAT, uses a multi-stage infection chain built from Go binaries and PowerShell and batch scripts.
  • Janela RAT evades detection through encrypted WebSocket C2 traffic, rotating C2 addresses, and long dormant periods.
  • The goal is credential and session theft: cookies lifted from the browser let attackers sidestep MFA and take over financial accounts, a serious operational and reputational risk for affected organizations.

Janela RAT Targets Latin American Financial Sector with Sophisticated Multi-Stage Attacks

A sophisticated new malware campaign leveraging the Janela Remote Access Trojan (RAT) is actively compromising financial institutions and cryptocurrency platforms across Latin America. Threat actors are employing deceptive MSI installer files and malicious browser extensions to infiltrate systems, aiming to exfiltrate sensitive financial data from victims. This campaign primarily targets users and organizations in Chile, Colombia, and Mexico.

First observed in mid-2023, Janela RAT is believed to be an enhanced version of the previously known BX RAT, featuring advanced capabilities. The financially motivated attackers behind this operation are focused on stealing credentials and gaining illicit access to various accounts.

Analysts at KPMG have identified the advanced, multi-stage nature of these attacks, highlighting a significant threat to the region’s financial infrastructure. Researchers noted that Janela RAT effectively conceals itself as legitimate software hosted on public GitLab repositories, complicating early detection for users. The malware’s ability to covertly manipulate installed browsers and maintain encrypted communications with attacker-controlled servers makes its containment particularly challenging.

The campaign’s impact extends beyond data theft. With access to the browser, attackers can harvest cookies, saved credentials, and browsing history, giving them a comprehensive view of a victim’s financial activity. Replaying a stolen session cookie drops the attacker into an already-authenticated session, which sidesteps multi-factor authentication and allows account takeover or real-time monitoring of transactions, often without the victim’s knowledge. For banking and fintech organizations, this depth of access carries severe operational and reputational risk.

Janela RAT’s dangerous efficacy stems from its combination of multiple scripting tools and layered evasion techniques. Its use of encrypted command-and-control (C2) communications and behavior designed to mimic normal browser activity makes it exceptionally difficult for conventional security tools to detect and neutralize.

Multi-Stage Infection and Browser Hijacking

The infection begins when a user runs what appears to be a standard software installer in MSI format. These installers are hosted on public GitLab repositories so that they appear legitimate and trustworthy. On execution, the installer kicks off a chain of Go binaries and PowerShell and batch scripts, each setting up a piece of the attack.

A Go-based unpacker then decrypts a password-protected ZIP archive, decodes base64-encoded C2 domain information, and stores this critical data in a config.json file, essential for the campaign’s ongoing operations.

Concurrently, the scripts scan the compromised system for Chromium-based browsers and silently alter their launch configuration so that the browser loads a malicious extension without the user noticing. The extension hooks into the browser’s native messaging mechanism, the channel that lets extension code exchange data with a local program, and its built-in CollectRefresh function gathers a wide array of sensitive data: system specifications, browser cookies, browsing history, installed extensions, and open-tab details. The extension also watches for specific URL patterns, such as banking or cryptocurrency login pages, and triggers additional RAT actions when a match is found.
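Both footholds described above, a browser told at launch to load an extra extension and a native messaging host registered for that extension to talk to, leave artifacts a defender can enumerate. The Python below is an added example for this article, not code from the campaign or from the researchers cited: it parses the Chromium launch switches that side-load an extension and grades a native messaging host manifest against a hypothetical extension allowlist. The command line, manifests, host names, and extension IDs are constructed for the example; the registry paths are the documented Chrome and Edge NativeMessagingHosts keys.

```python
import json
import re
import sys

# Chromium switches that side-load an unpacked extension directory at launch.
# The value may be quoted and may hold several comma-separated directories.
SWITCH_RE = re.compile(
    r'--(?:load-extension|disable-extensions-except)=(?:"([^"]+)"|(\S+))'
)

# Paths a standard user can write to. A dropper's payload usually lands
# here; a legitimately installed host binary rarely does.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp|Public)\\", re.IGNORECASE
)
SCRIPT_WRAPPERS = (".bat", ".cmd", ".ps1", ".vbs", ".js")

# Hypothetical allowlist of extension IDs permitted to reach native hosts
# (a real deployment would take this from browser policy). Constructed ID.
TRUSTED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}


def load_extension_paths(cmdline: str) -> list[str]:
    """Extension directories forced in through a browser command line, taken
    from a shortcut target, a scheduled-task action or a running process."""
    paths: list[str] = []
    for match in SWITCH_RE.finditer(cmdline):
        value = match.group(1) or match.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def assess_native_host(reg_name: str, manifest: dict, trusted: set[str]) -> list[str]:
    """Findings for one native messaging host. reg_name is the subkey under
    ...\\NativeMessagingHosts, manifest the JSON file that key points at."""
    findings: list[str] = []
    if manifest.get("name") != reg_name:
        findings.append(f"manifest name {manifest.get('name')!r} does not match key {reg_name!r}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type {manifest.get('type')!r}")
    path = manifest.get("path", "")
    if USER_WRITABLE_RE.search(path):
        findings.append(f"host binary in user-writable location: {path}")
    if path.lower().endswith(SCRIPT_WRAPPERS):
        findings.append(f"host is a script wrapper rather than a binary: {path}")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").strip("/")
        if ext_id not in trusted:
            findings.append(f"allowed_origins extension not in allowlist: {ext_id}")
    return findings


def collect_windows_hosts() -> list[tuple[str, str, str]]:
    """Windows only: (hive, reg_name, manifest_path) for every host registered
    with Chrome or Edge in HKCU and HKLM. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    subkeys = (r"Software\Google\Chrome\NativeMessagingHosts",
               r"Software\Microsoft\Edge\NativeMessagingHosts")
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    found = []
    for hive_name, hive in hives:
        for sub in subkeys:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        name = winreg.EnumKey(key, i)
                        found.append((hive_name, name, winreg.QueryValue(key, name)))
            except OSError:
                continue  # that browser has no hosts registered in this hive
    return found


# Constructed samples: one benign host, one that looks like a dropped payload.
SAMPLE_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--load-extension="C:\Users\ana\AppData\Local\Temp\upd\ext" --no-first-run')
BENIGN_MANIFEST = {
    "name": "com.example.passwordmanager",
    "path": r"C:\Program Files\Example\pm_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}
SUSPICIOUS_MANIFEST = {
    "name": "com.example.updater",
    "path": r"C:\Users\ana\AppData\Local\Temp\upd\host.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
}

if __name__ == "__main__":
    print("forced extensions:", load_extension_paths(SAMPLE_CMDLINE))
    for name, manifest in (("com.example.passwordmanager", BENIGN_MANIFEST),
                           ("com.example.updater", SUSPICIOUS_MANIFEST)):
        print(name, assess_native_host(name, manifest, TRUSTED_EXTENSIONS) or "clean")
    for hive, name, manifest_path in collect_windows_hosts():  # live check on Windows
        with open(manifest_path, encoding="utf-8") as fh:
            print(hive, name, assess_native_host(name, json.load(fh), TRUSTED_EXTENSIONS) or "clean")
```

Run as-is it grades the constructed samples; on a Windows host it additionally walks the real Chrome and Edge registrations. Brave, Vivaldi and other Chromium builds keep their own NativeMessagingHosts keys, so extend the subkey list for those. Feed `load_extension_paths` the Target field of every browser shortcut and the command line of every running browser process; a non-empty result outside a developer's machine deserves a look.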

To maintain stealth, Janela RAT establishes encrypted WebSocket connections to its C2 servers, using obfuscated, base64-encoded domain names. The malware also rotates its C2 addresses and stays dormant during idle periods, tactics designed to slip past behavior-based alerts. Because the beacon timing is irregular, network detections keyed on a fixed check-in interval are unreliable against it; the on-disk artifacts (the altered browser launch configuration, the extension, and config.json) are the more dependable hunting points. Together these techniques let the malware persist undetected for extended periods.
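Since the C2 endpoints sit in config.json and in the scripts as base64 strings, a quick triage step is to decode every base64-looking run in those files and keep only the ones that decode to a hostname or WebSocket URL; doing so also exposes the whole rotation pool at once rather than one address per connection. The Python below is an added example, not the malware's or the analysts' code; the configuration blob it scans is constructed for this example and uses example.org and example.net domains.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be worth decoding; shorter runs are
# mostly ordinary identifiers and would only add noise.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# What a decoded C2 endpoint should look like: optional ws/wss/http(s) scheme,
# a dotted hostname, optional port and path.
ENDPOINT_RE = re.compile(
    r"^(?:(?:wss?|https?)://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/[^\s\"']*)?$",
    re.IGNORECASE,
)


def base64_candidates(text: str) -> list[str]:
    """Every base64-looking run in the text, in order of appearance."""
    return B64_RUN_RE.findall(text)


def decode_obfuscated_endpoints(text: str) -> list[tuple[str, str]]:
    """Decode each candidate and keep those that decode to a hostname or URL.
    Returns (encoded, decoded) pairs so the raw string can be searched for
    elsewhere (other samples, scripts, memory) as an indicator."""
    hits: list[tuple[str, str]] = []
    for candidate in base64_candidates(text):
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # bad length/padding, or a binary blob rather than text
        if ENDPOINT_RE.match(decoded):
            hits.append((candidate, decoded))
    return hits


# Constructed config.json-style blob: two encoded endpoints (a WebSocket URL
# and a bare host) plus two base64-looking values that are not endpoints.
SAMPLE_CONFIG = """{
  "id": "ag3nt-7731",
  "servers": ["d3NzOi8vd3MuZXhhbXBsZS5vcmc=", "YzIuZXhhbXBsZS5uZXQ="],
  "rotate_after": 3600,
  "session": "AAAAAAAAAAAAAAAAAAAAAAAA",
  "blob": "deadbeefdeadbeefdeadbeef"
}"""

if __name__ == "__main__":
    for encoded, decoded in decode_obfuscated_endpoints(SAMPLE_CONFIG):
        print(f"{encoded}  ->  {decoded}")
```

Point `decode_obfuscated_endpoints` at the dropped config.json, the PowerShell and batch stages, or a strings dump of the Go unpacker; every decoded host is a candidate for the IoC list and a domain to block at the proxy. Strict validation (`validate=True`) plus the UTF-8 check is what keeps random identifiers and binary blobs out of the result.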

What You Should Do

  • Proactively monitor your environment for known Indicators of Compromise (IoCs), including domains, IP addresses, and file hashes associated with this Janela RAT campaign.
  • Keep Windows and applications fully patched and enforce multi-factor authentication (MFA) on all accounts, especially for financial services. Note that MFA does not protect a session whose cookies have already been stolen, so pair it with short session lifetimes and re-authentication for sensitive transactions.
  • Conduct regular, full-spectrum threat assessment exercises to identify and address blind spots or weaknesses in your organization’s security posture.
  • Educate users on the risks of downloading software from unverified sources, including public code-hosting sites, and on recognizing phishing that distributes fake MSI installers; where feasible, restrict which installers users may run.
  • Deploy endpoint detection and response (EDR) able to flag the behavior this campaign relies on: browsers launched with unexpected extension-loading arguments, new native messaging host registrations, and WebSocket connections to previously unseen domains.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Malware, Patch, Security, Threat


Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
