In the diverse ecosystem of Latin American cybercrime, one threat continues to refine its ability to peer into the private lives of banking users. Kaspersky Labs has released a comprehensive analysis of JanelaRAT, a sophisticated Remote Access Trojan (RAT) that takes its name from the Portuguese word for “window” (janela).
The malware is far from a one-way pane; it is a highly interactive tool designed to monitor victims, intercept sensitive financial data, and manipulate user sessions in real-time.
JanelaRAT doesn’t simply appear on a system; it arrives through a carefully orchestrated, multi-stage infection chain. It typically begins with a deceptive email mimicking the delivery of a pending invoice.
The report notes: “It starts with emails mimicking the delivery of pending invoices to trick victims into downloading a PDF file by clicking a malicious link”. Once clicked, the victim is redirected to a malicious site that drops a compressed archive. While early versions relied on simple VBScripts and ZIP archives, the malware has significantly evolved. Recent campaigns integrate MSI files to deliver legitimate executables and malicious DLLs, which are then “sideloaded” to bypass traditional security detections.
Unlike broad-spectrum malware, JanelaRAT is a surgical tool. According to Kaspersky: “One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions”. By constantly monitoring the title of the active window, the malware can wait until a victim navigates to a specific Brazilian or Mexican bank before springing into action.
The threat actors behind JanelaRAT are patient. The malware includes a background routine that meticulously tracks user presence.
“The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input,” the report explains. By reporting these inactivity periods back to the Command and Control (C2) server, the operator can “track the user’s presence and routine to time possible remote operations” without fear of being noticed.
Once a live banking session is detected, JanelaRAT moves from observation to active hijacking. It uses a “decoy overlay system” to capture credentials and bypass multi-factor authentication (MFA). The malware can display full-screen modal dialogs that mimic legitimate system alerts, such as fake Windows updates. Victims may see messages in Brazilian Portuguese such as:
- “Configuring Windows updates, please wait.”
- “Do not turn off your computer; this could take some time.”
While the user waits for a “system update,” the attacker works in the background, exfiltrating images, injecting keystrokes, and even simulating mouse clicks to approve fraudulent transfers.
JanelaRAT remains a localized but high-volume threat. In 2025 alone, Kaspersky telemetry detected 14,739 attacks in Brazil and 11,695 in Mexico specifically related to this family.