“file is downloaded. Throughout our monitoring of these malware campaigns, the compressed files have typically contained VBScripts, XML files, other ZIP archives, and BAT files. They ultimately lead to downloading a ZIP archive that contains components for DLL sideloading and exec…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1204.002 Malicious File (68%)
“JanelaRAT: a financial threat targeting users in Latin America. Background. JanelaRAT is a malware family that takes its name from the Portuguese word “janela”, which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institu…”
T1573.001 Symmetric Cryptography (61%)
“’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, …”
T1573 Encrypted Channel (56%)
“’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, …”
T1059.001 PowerShell (55%)
“callbacks for connection events and message handling. It registers all known message types, executing specific system tasks based on the received message. Following socket initialization, the malware launches two background routines: - User inactivity and session tracking. This r…”
T1547.001 Registry Run Keys / Startup Folder (50%)
“, OK, Yes/No), and icon type (e.g., warning, error). The malware then creates a maximized message box positioned at the top of the screen, ensuring it captures user focus and blocks the visibility of other windows, mimicking a system or security alert. An obfuscated acknowl…”
T1547.009 Shortcut Modification (49%)
“An LNK shortcut is created in the user’s Startup folder, pointing to the renamed nevasca.exe executable, ensuring persistence. Finally, the nevasca.exe file is executed, which in turn loads the pixelpaint.dll file that is JanelaRAT. Malicious implant. In this case, we analyze…”
T1071 Application Layer Protocol (41%)
“…ing the pixelpaint.dll file once again. The routine then builds and executes periodic HTTP requests to the C2, reporting the malware’s version and the victim machine’s security environment. It loops continuously as long as a specific local file does not exist, ensuring rep…”
T1056.001 Keylogging (40%)
“the user’s visits to banking websites and reporting any activity of interest to the threat actor. JanelaRAT 33v is specifically engineered to target Brazilian financial institutions. However, we have also observed other versions of the malware targeting other specific countries…”
T1568 Dynamic Resolution (39%)
“We recommend that defenders block dynamic DNS services at the corporate perimeter or internal DNS resolvers. This will disrupt the communication channels used by JanelaRAT and similar threats. Indicators of compromise: 808c87015194c51d74356854dfb10d9e MSI dropper d7a68749635604d6d…”
T1056 Input Capture (38%)
“the user’s visits to banking websites and reporting any activity of interest to the threat actor. JanelaRAT 33v is specifically engineered to target Brazilian financial institutions. However, we have also observed other versions of the malware targeting other specific countries…”
T1204.002 Malicious File (35%)
“file is downloaded. Throughout our monitoring of these malware campaigns, the compressed files have typically contained VBScripts, XML files, other ZIP archives, and BAT files. They ultimately lead to downloading a ZIP archive that contains components for DLL sideloading and exec…”
T1053.005 Scheduled Task (31%)
“, OK, Yes/No), and icon type (e.g., warning, error). The malware then creates a maximized message box positioned at the top of the screen, ensuring it captures user focus and blocks the visibility of other windows, mimicking a system or security alert. An obfuscated acknowl…”
T1071 Application Layer Protocol (31%)
“the persistence method previously described in the subroutines responsible for periodic HTTP beaconing section. Victimology. Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with …”
T1036.005 Match Legitimate Resource Name or Location (31%)
“changing over time, showing how the threat actors have adapted these infections in an effort to avoid detection. Initial dropper. The MSI file acts as an initial dropper designed to install the final implant and establish persistence on the system. It obfuscates file paths and nam…”
T1071.001 Web Protocols (30%)
“’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, …”
Summary
Kaspersky GReAT experts describe the latest JanelaRAT campaign detailing infection chain and malware functionality updates.