RSS aggregator

Teslas can now drive themselves in Europe too. The Netherlands has approved the use of FSD Supervised

Živě.cz - 13 April, 2026 - 16:45
The Dutch national road transport authority RDW has allowed FSD Supervised, the autonomous driving system in Tesla electric cars, onto public roads. The decision was preceded by 18 months of testing, and fans of the brand looked to it as FSD's official entry into Europe. But it is not that simple: FSD ...
Category: IT News

Why Your "Shadow IT" Developer Tools Are the Biggest Risk to Your Linux Systems

LinuxSecurity.com - 13 April, 2026 - 16:42
Every company has a "Shadow IT" layer: a collection of developer-built dashboards, AI workflow runners, and data-science notebooks that weren't built by the central IT team. They are the convenient tools that let your teams push features faster, train models quicker, and visualize data on the fly.
Category: Hacking & Security

Booking.com warns reservation data may have checked out with intruders

The Register - Anti-Virus - 13 April, 2026 - 16:25
Travel giant says names, contact details, dates, and hotel messages potentially exposed

Booking.com is warning customers that their reservation details may have been exposed to unknown attackers, in the latest reminder that the travel giant still can't quite keep a lid on the data flowing through its platform.…

Category: Viruses and Worms

The silent “Storm”: New infostealer hijacks sessions, decrypts server-side

Bleeping Computer - 13 April, 2026 - 16:05
New "Storm" infostealer skips local decryption, sending browser data to attacker servers. Varonis shows how server-side decryption enables session hijacking, bypassing passwords and MFA. [...]
Category: Hacking & Security

The first quarter of 2026 brought a marked increase in fireball sightings. Astronomers are working out whether it is a coincidence or a new trend

Živě.cz - 13 April, 2026 - 15:42
Earth is experiencing an unexpectedly high increase in extremely bright and massive fireballs this year • The increased number of sonic booms confirms that larger objects are entering the atmosphere • Many bodies arrive from the opposite side of the sky and scientists are investigating their origin
Category: IT News

⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More

The Hacker News - 13 April, 2026 - 15:01
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically
Category: Hacking & Security

Review of the film Krvavá nevěsta. A satire of the powerful that balances between chaos and entertainment

Živě.cz - 13 April, 2026 - 14:45
And they say Trump and Jeffrey Epstein are behind everything… In the horror-and-comedy world of Krvavá nevěsta, all power is concentrated in the hands of the Supreme Council of a satanist council whose rules and hierarchy are somewhat peculiar. Seven years ago, Samara Weaving in the role of the bride Grace barely ...
Category: IT News

We compared the Pixel 10a and the iPhone 17e. Google wins on the display, Apple on performance

Živě.cz - 13 April, 2026 - 13:45
Similar price and almost the same target group • We compared the lightweight phones from Google and Apple • The Pixel 10a and iPhone 17e have taken slightly different directions from one generation to the next
Category: IT News

Your MTTD Looks Great. Your Post-Alert Gap Doesn't

The Hacker News - 13 April, 2026 - 13:41
Anthropic restricted its Mythos Preview model last week after it autonomously found and exploited zero-day vulnerabilities in every major operating system and browser. Palo Alto Networks' Wendi Whitmore warned that similar capabilities are weeks or months from proliferation. CrowdStrike's 2026 Global Threat Report puts average eCrime breakout time at 29 minutes. Mandiant's M-Trends
Category: Hacking & Security

Gym giant Basic-Fit confirms data on a million members stolen in cyberattack

The Register - Anti-Virus - 13 April, 2026 - 13:22
Names, addresses, dates of birth, and bank details accessed, though not passwords

Basic-Fit, Europe's largest gym chain, has confirmed data including the bank details of around a million customers was stolen from its systems.…

Category: Viruses and Worms

How to build your own AI agents with Google Workspace Studio

Computerworld.com [Hacking News] - 13 April, 2026 - 13:13

The great hope for AI agents is that they will automate many of the repetitive tasks office workers perform, such as writing and emailing weekly project updates. These tools combine rules-based automation with generative AI models to perform a series of tasks that make up a workflow.

In this vein, Google late last year announced Workspace Studio, a no-code application that lets non-programmers choose from prebuilt steps or use natural language descriptions to create and customize agents that automate workflows in Google Workspace. These “flows” integrate with Workspace apps including Gmail, Docs, Sheets, Drive, Calendar, Chat, Forms, and Tasks, and also (in limited preview) some third-party apps such as Asana, Mailchimp, and Salesforce. Google’s genAI assistant, Gemini, helps you create and execute flows.

Who can use Workspace Studio: Announced in December 2025, Workspace Studio is now rolling out to Google Workspace business, enterprise, and education customers. (Your administrator may need to enable access to Gemini.) It’s also available to users with Google AI Pro for Education and Google AI Ultra for Business accounts.

This quick guide will show you how to navigate Google Workspace Studio, how to set up a flow, and how to manage your flows.

In this article:
  • What is a flow?
  • The Workspace Studio home page
  • Build your first flow
  • Create a flow from a template
  • Prompt Gemini to build a flow
  • Manage your flows
  • Tips for building flows
What is a flow?

In Google’s parlance, a flow is a series of steps that automatically run in the background of your Google Workspace environment. The flow waits for a “starter” event to happen, and when it does, one or more actions are triggered in response. Some examples:

  • When you receive an email with an attachment, the flow examines the attachment to see if it contains certain financial data. If so, it extracts this information and enters it into a specific Google Sheets spreadsheet in your Google Drive.
  • Two hours before your weekly department meeting, the flow reviews the current statuses of projects listed in a specified Sheets spreadsheet or Tasks task list, writes a summary of them, and then emails this summary to the meeting invitees.

In the background, Gemini is used to “reason” through the execution of a flow, analyzing your documents or other content that the flow references, to help ensure that the actions taken by the flow go through successfully.

A flow can also be set on a schedule or in response to an event to enter a prompt into Gemini, or to execute a Gem. (Gems are customized AI agents trained on specific topics. See our guide to Gemini Gems for details about using them.) For example, you could create a flow that runs every Friday and prompts Gemini to write and send an email summarizing the latest data in a Google Sheet that you and your co-workers update frequently.

There are three ways you can create a flow in Workspace Studio:

  • Using a template (a premade flow that you customize)
  • Prompting Gemini to design one for you
  • Using the builder tool within Workspace Studio

But first, we’ll cover how to get around in Workspace Studio.

The Workspace Studio home page

When you open the Workspace Studio home page (also known as the Discover page), you’re greeted with a text entry box for Gemini. You can type a prompt inside it describing the actions (a.k.a. “steps”) that you want a flow to take when something happens (a “starter” event or schedule).

Three suggested flow templates appear below the Gemini text entry box. (In the screenshot below, the templates are Label emails with action items, Streamline my follow-up, and Catch up on news.) You can click a template to activate it.

On the Workspace Studio home page, you can type in a prompt for Gemini to create a flow, select a flow template, or click the big + sign to start a new flow.

Howard Wen / Foundry

Below these three suggested flows, there are even more flow templates. They’re organized under categories describing what they’re for, such as “Email boosters,” “Better meetings,” and “Tasks and action items.”

The vertical toolbar along the left has three icons:

+ symbol (for “New flow”): This opens the tool for building a flow.

Discover: This is the default home page with the Gemini text entry box and templates below it. If you’re in another page of the Workspace Studio, such as the “New flow” page above, clicking this takes you back home.

My flows: This opens a page that lists the flows you’ve created. You can manage your flows: delete, edit, rename, or share them with others. This page also has a tab you can click to view an activity log that lists which flows are active, when they were executed, what steps they took, and if their execution was successful or not.

Build your first flow

On the home page, you can use Gemini or a template to start a new flow. But it helps to learn by using the flow builder tool first. This way, you’ll understand more clearly how flows work. (Even if you use Gemini or a template, you’ll be taken to the flow builder interface, because you must review and test the flow before you can activate it.)

On the left toolbar, click the + symbol. The flow builder tool will open in the main window to the right.

Workspace Studio’s flow builder, with the flow in the main window and suggested “starters” to the right.

Howard Wen / Foundry

First, give your new flow a name. Toward the upper left, click Untitled flow and type in a name for your flow.

Selecting an event (a.k.a. “starter”)

Below the flow name, click Choose a starter. Then, in the pane along the right, select an event that will trigger the flow to take action. Once you’ve selected a starter event, the pane on the right may show additional parameters to fill in. Examples:

  • On a schedule: The action will happen on a day, date, and/or time that you set. This can be recurring, such as every Wednesday at 9:00 a.m.
  • When I get an email: The action will happen when an email arrives in your Gmail inbox. You can select certain attributes for the email, such as who it’s from, what words it contains, or whether it has an attachment.
  • When a sheet changes: Whenever a change is made to a spreadsheet in your Google Drive, the flow triggers an action such as sending you an email or a Chat notification. This flow is handy if you’ve shared a spreadsheet with co-workers to collaborate on.
  • Based on a meeting: The flow can take an action before a meeting you’ve scheduled in Google Calendar, or it can perform an action after the meeting has happened.

This flow is set to start 5 minutes after every meeting ends.

Howard Wen / Foundry

A flow can have only one starter, which becomes Step 1.

Selecting one or more actions (a.k.a. “steps”)

Once you’ve selected a starter event for the flow, click Choose a step in the main window.

In the right pane, there are several actions (steps) that you can select from. They’re presented under categories such as “AI skills,” “Tools,” and individual Workspace apps (Gmail, Chat, Sheets, etc.) and can include anything from adding a label to a Gmail message to sending Gemini a prompt. There are also steps that can integrate with your accounts on Asana, QuickBooks, and Salesforce.

For example: If a document is added to a specified folder in your Google Drive (the starter), the flow can trigger Gemini to generate a summary of the document’s content (the step).

You can add more actions that your flow will execute when the starter event happens. In the main pane, and below the first step of your flow, click + Add step, then select a second step from the right pane that the flow will take after it executes the first step. The maximum number of steps that you can add to a flow is 20.

A flow with a starter event, steps, and a substep to execute.

Howard Wen / Foundry

You can add a substep to a step (click Add substep in the main pane); indeed, certain steps require you to do so. A regular step is a main, sequential action in the overall flow, executed one after another. A substep is subordinate; it is only executed after and as a result of its parent step. For example, a step could identify a document, with its substep sending the document to a specific folder. (In the screenshot above, Step 4 is a substep of Step 3.)

You may also opt (or be required) to add a variable for a step (by clicking the + Variables button in the right pane). For example, a variable could be a time or date that you want the action to be executed, or text that you select, such as the title for a document that you want an action to generate.

Adding a document title variable to a step.

Howard Wen / Foundry

There are currently about a dozen starters and two dozen steps to choose from in Workspace Studio. See Google’s comprehensive list of Workspace Studio starters and steps for descriptions, examples, and configuration details for each one.

Testing and activating your new flow

When you’re finished building your flow, click the Test run button at the bottom of the main pane.

The right pane guides you through what will happen: When you click the Start button in this pane, your flow will be executed. Note that the test run takes real actions, such as changing a document or setting up a meeting. Google recommends temporarily setting up the flow with a test document or a meeting where you’re the only invitee. If the test run works, you can go back and swap in the real document or meeting before deploying the flow.

Click Start in the right pane to test the flow.

Howard Wen / Foundry

Whether or not the test run is successful, you’ll see a notice at the bottom of the right pane. If the test isn’t successful, you’ll be advised on what fixes you can make to the steps in your flow.

After you’ve confirmed that your new flow will work according to the test run and made any final adjustments, click the Turn on button at the bottom of the main pane.

Note: You can create a maximum of 100 flows, and other limits apply, such as how many times your flows can run each day.

Create a flow from a template

Now that you know how flows work, check out the Workspace Studio templates to see if any fit your workflows. Click Discover in the left toolbar to return to the Workspace Studio home page, scroll down to see all the available templates, then click on a template. The flow builder tool opens with all the steps already in place.

A flow template in the flow builder tool. You set parameters such as start date and scheduling, and you can customize it further if you wish.

Howard Wen / Foundry

Click on each step (including the Starter step), configuring each one for your needs, such as selecting a specific file to take action on. You can also add, delete, or reorder steps in the flow using the three-dot (“More”) icon next to a step.

Prompt Gemini to build a flow

The fastest way to build a flow is to have Gemini do it. On the Workspace Studio home page, type a description of the flow you want into the text box and click the Create button.

Describe the flow you want Gemini to create.

Howard Wen / Foundry

Generally, you want to describe three things in your prompt:

  • What is the action that you want the flow to do?
  • When should this action happen, or what event should happen that triggers this action?
  • Where do you want the flow to put the results of this action?

Example prompts:

  • Every morning, summarize yesterday’s unread emails and chat messages and put this summary in my Google Drive.
  • When I get an email with the word “budget,” label it appropriately.

The possibilities for prompting Gemini to build a flow are very broad. So it helps if you’re familiar with the Google Workspace apps that flows can interact with and have the imagination and savvy for experimenting with writing AI prompts.

Once you’ve clicked Create, the generated flow opens in the flow builder tool, where you can review and edit it if needed.

Manage your flows

On the toolbar along the left, click the My flows icon. A list of your flows will open to the right in the main window.

You can manage your flows on the “My flows” page.

Howard Wen / Foundry

Click the three-dot icon to the right of a flow’s name. This will open a menu with selections for you to manage the flow: Edit, Make a copy, Activity, Turn off, Delete.

  • Edit will open the builder tool page for the flow. Its starter and steps will be listed in the main pane, and the descriptions for each appear in the right pane. You can make changes to each or delete them.
  • Make a copy is handy if you want to create a new flow that’s a variation of the original one. You can make a copy, give it a different name, and customize it.
  • Activity opens a page in the main window that shows when the flow was most recently executed and whether it was successful.

Reviewing the activity for a flow.

Howard Wen / Foundry

Clicking the Activity tab on the “My flows” page takes you to a page that lists the activities for all your flows.

To share a flow with others in your organization, select it in the list of flows, then click Get a link to copy at the top of the page. Change the permission to Anyone in your organization with the link can make a copy, then click Copy link. You can share the link with co-workers via email or in Chat.

Using the Studio sidebar in Workspace apps

In Gmail and Google Chat, you can open a sidebar that helps you manage your flows. Look to the upper-right corner of the Workspace app for the Studio icon — it’s between the Settings gear icon and Ask Gemini nova star. Click this and the Studio sidebar will open along the right. It has three tabs in it:

Discover: Like the Workspace Studio home page, this tab presents suggested flows that are ready for you to activate.

When you add a new flow by selecting a template in the Discover tab, you’ll be taken to the flow builder tool in the Workspace Studio app. You have to customize and test run it from here before you can activate it.

My flows: This lists your flows. You can delete, edit, rename, or share them from this tab.

Activity: This tab shows the activity log of your flows — when they went into action and the steps that they took.

The Studio sidebar lets you manage flows from within Gmail and Google Chat.

Howard Wen / Foundry

Tips for building flows

Learn by example: Select a flow template and customize it in the flow builder. This will help you learn how a flow works.

Reference files: Use the @ to directly reference a file in your Google Drive when you’re customizing a step in the flow builder tool or writing a Gemini prompt to generate a flow.

Experiment: Don’t be afraid to experiment with your prompts to Gemini. Describe the flow you want, using everyday language. Remember, your prompt should answer what, when, and where.

Review flow activity: After a flow is executed, review its activity log to understand how it played out its steps.


Category: Hacking & Security

Control Panel will end, Microsoft promises. It claimed that 10 years ago too, but drivers are holding it back

Živě.cz - 13 April, 2026 - 12:45
The senior director of design confirmed that migration work is continuing. • Settings will one day completely replace the long-standing Control Panel. • This year's effort to finish the leftover work could speed up the migration.
Category: IT News

Rockstar Games gets a taste of grand theft data

The Register - Anti-Virus - 13 April, 2026 - 12:41
ShinyHunters claims it accessed Snowflake metrics via third-party tool

ShinyHunters is back, this time pinning Rockstar Games to its leak site and claiming it didn't so much hack its way in as walk through a door someone else left wide open.…

Category: Viruses and Worms

SpaceX has shown photos of Starship V3. Its maiden flight is delayed, but that is no surprise. Elon can no longer afford explosions

Živě.cz - 13 April, 2026 - 12:01
Over the weekend SpaceX showed off fresh photographs of the third generation of Starship's first stage (Super Heavy) and of the ship itself. What stands out in the pictures are the new and, at first glance, simpler Raptor 3 engines, which are one of the key innovations. March and April didn't work out, so maybe May. A tangle ...
Category: IT News

Test of the Segway Navimow X450 robotic mower. It handled even the tricky terrain at a cottage in the Vysočina region

Živě.cz - 13 April, 2026 - 11:45
Admirable terrain capability surpasses other mowers • A unique steerable front axle protects the lawn when turning on the spot • The cutting width and travel speed help with fast and reliable mowing
Category: IT News

NHS pays £46K to prep next Microsoft licensing round

The Register - Anti-Virus - 13 April, 2026 - 11:27
Benchmarking contract lays groundwork for renegotiating £774M software agreement

NHS England is spending £46,000 on "benchmarking" as it gears up for what looks like the next round of negotiations behind one of the UK public sector's biggest software deals.…

Category: Viruses and Worms

North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware

The Hacker News - 13 April, 2026 - 11:15
The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan called RokRAT. "The threat actor used two Facebook
Category: Hacking & Security

Apple asks the court for sensitive Samsung data. It wants to prove it does not make it harder for users to switch to the competition

Živě.cz - 13 April, 2026 - 11:15
The US government has sued Apple over its alleged monopolistic behaviour • The iPhone maker now urgently needs Samsung's confidential statistics • Strict South Korean laws could significantly complicate the handover of these documents
Category: IT News

JanelaRAT: a financial threat targeting users in Latin America

Kaspersky Securelist - 13 April, 2026 - 11:00

Background

JanelaRAT is a malware family that takes its name from the Portuguese word “janela”, which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region.

JanelaRAT is a modified variant of BX RAT that has targeted users since June 2023. One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions.

The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features.

Kaspersky solutions detect this threat as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.

Initial infection

JanelaRAT campaigns involve a multi-stage infection chain. It starts with emails mimicking the delivery of pending invoices to trick victims into downloading a PDF file by clicking a malicious link. Then the victims are redirected to a malicious website from which a compressed file is downloaded.

Malicious email used in JanelaRAT campaigns

Throughout our monitoring of these malware campaigns, the compressed files have typically contained VBScripts, XML files, other ZIP archives, and BAT files. They ultimately lead to downloading a ZIP archive that contains components for DLL sideloading and executing JanelaRAT as the final payload.

However, we have observed variations in the infection chains depending on the delivered version of the malware. The latest observed campaign evolved by integrating MSI files to deliver a legitimate PE32 executable and a DLL, which is then sideloaded by the executable. This DLL is actually JanelaRAT, delivered as the final payload.

Based on our analysis of previous JanelaRAT intrusions, the updates in the infection chain represent threat actors’ attempts to streamline the process, with a reduced number of malware installation steps. We’ve observed a logical sequence in how components, such as MSI files, have been incorporated and adapted over time. Moreover, we have observed the use of auxiliary files — additional components that aid in the infection — such as configuration files that have been changing over time, showing how the threat actors have adapted these infections in an effort to avoid detection.

JanelaRAT infection flow evolution

Initial dropper

The MSI file acts as an initial dropper designed to install the final implant and establish persistence on the system. It obfuscates file paths and names to hinder analysis. The dropper’s code creates several ActiveX objects to manipulate the file system and execute malicious commands.

Among the actions taken, the MSI defines paths based on environment variables for hosting binaries, creating a startup shortcut, and storing a first-run indicator file. The dropper file checks for the existence of the latter and for a specific path, and if either is missing, it creates them. If the file exists, the MSI file redirects the user to an external website as a decoy, showing that everything is “normal”.

The MSI dropper places two files at a specified path: the legitimate executable nevasca.exe and the PixelPaint.dll library, renaming them with obfuscated combinations of random strings before relocating. An LNK shortcut is created in the user’s Startup folder, pointing to the renamed nevasca.exe executable, ensuring persistence. Finally, the nevasca.exe file is executed, which in turn loads the PixelPaint.dll file that is JanelaRAT.

Malicious implant

In this case, we analyzed JanelaRAT version 33, which was masqueraded as a legitimate pixel art app. Similar to other malware versions, it was protected with Eazfuscator, a common .NET obfuscation tool. We have also seen previous JanelaRAT samples that used the ConfuserEx obfuscator or its custom builds. The malware uses control-flow flattening and renames classes and variables to make the code unreadable without deobfuscation.

JanelaRAT monitors the victim’s activity, intercepts sensitive banking interactions, and establishes an interactive C2 channel to report changes to the threat actor. While screen monitoring is also present, the core functionality focuses on financial fraud and real-time manipulation of the victim’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The Trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, guests, and an additional one for any other role.

The malware then retrieves the current date and constructs a beacon to register the victim on the C2 server, along with the malware version. To prevent multiple instances, the malware creates a mutex and exits if it already exists.

String encryption

All JanelaRAT samples use encrypted strings for sending information to the C2 and for obfuscating embedded data. The encryption algorithm remains consistent across campaigns, combining base64 encoding with Rijndael (AES). The encryption key is derived from the MD5 hash of a 4-digit number, and the IV is composed of the first 16 bytes of the decoded base64 data.
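The string scheme just described is small enough that an analyst can recover a sample's embedded strings (C2 paths, target lists) without the key, because the key space is only the 10,000 possible 4-digit numbers. The Go program below is an added example written for this page, not Kaspersky's tooling and not code from the malware. It assumes, beyond what the write-up states, that the 4-digit number is hashed as ASCII text (giving a 16-byte AES-128 key), and that the cipher runs in CBC mode with PKCS#7 padding (the .NET Rijndael defaults); the ciphertext it searches is constructed in the block itself under a made-up PIN and placeholder plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// keyFromPIN derives the key as the write-up describes: MD5 of the 4-digit
// number. Assumption: the digits are hashed as text, yielding an AES-128 key.
func keyFromPIN(pin int) []byte {
	sum := md5.Sum([]byte(fmt.Sprintf("%04d", pin)))
	return sum[:]
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding, which is
// what makes a wrong key guess detectable almost every time.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad pad byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad pad")
		}
	}
	return b[:len(b)-n], nil
}

// decryptString reverses the scheme: base64-decode, take the first 16 bytes as
// the IV, AES-CBC-decrypt the rest with the key derived from pin (CBC/PKCS#7 assumed).
func decryptString(enc string, pin int) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(keyFromPIN(pin))
	if err != nil {
		return nil, err
	}
	iv, body := raw[:aes.BlockSize], raw[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out)
}

// isPrintableASCII is the plausibility filter that separates a real string
// from the rare wrong key whose padding happens to validate.
func isPrintableASCII(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return len(b) > 0
}

// bruteForcePIN walks all 10,000 candidate keys and returns the first one that
// unpads cleanly and yields printable text.
func bruteForcePIN(enc string) (pin int, plaintext string, ok bool) {
	for pin = 0; pin < 10000; pin++ {
		pt, err := decryptString(enc, pin)
		if err == nil && isPrintableASCII(pt) {
			return pin, string(pt), true
		}
	}
	return 0, "", false
}

// encryptString mirrors the scheme only to build a constructed test vector.
func encryptString(plain string, pin int, iv []byte) string {
	block, _ := aes.NewCipher(keyFromPIN(pin))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), out...))
}

// constructedSample is a made-up string encrypted under PIN 4242 with a fixed
// IV; the placeholder domain is not an indicator from the write-up.
func constructedSample() string {
	iv := bytes.Repeat([]byte{0x11}, aes.BlockSize)
	return encryptString("EXAMPLE-C2-PLACEHOLDER.invalid/gate", 4242, iv)
}

func main() {
	pin, pt, ok := bruteForcePIN(constructedSample())
	fmt.Printf("recovered=%v pin=%04d plaintext=%q\n", ok, pin, pt)
}
```

Because the IV travels with each string, every string in a sample can be decrypted independently once the PIN is known; running the search on one string and reusing the PIN for the rest is the practical workflow. If a real sample resists this, the assumed mode or padding is the first thing to revisit.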

C2 communication and command handling

After initialization, JanelaRAT establishes a TCP socket, configuring callbacks for connection events and message handling. It registers all known message types, executing specific system tasks based on the received message.

Following socket initialization, the malware launches two background routines:

  1. User inactivity and session tracking
    This routine activates timers and launches secondary threads, including an internal timer and a user inactivity monitor. The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input. If the inactivity period exceeds 10 minutes, the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user’s presence and routine to time possible remote operations.

    Timer that looks for 10 minutes of inactivity

  2. Victim registration and further malicious activity
    This routine is launched immediately after the socket setup. It triggers two subroutines responsible for periodic HTTP beaconing and downloading additional payloads.

    1. The first subroutine executes a PowerShell script downloaded from a staging server during post-exploitation. Its main objective is to establish persistence by downloading the PixelPaint.dll file once again. The routine then builds and executes periodic HTTP requests to the C2, reporting the malware’s version and the victim machine’s security environment. It loops continuously as long as a specific local file does not exist, ensuring repeated telemetry transmission. The file was not observed being extracted or created by the malware itself; rather, it appears to be placed on the system by the threat actor during other post-exploitation activities. Based on previous incidents, this file likely contains instructions for establishing persistence.

      This JanelaRAT version constructs a second C2 URL for beaconing, using several decrypted strings and following a pattern that uses different parameters to report information about new victims:

      <C2Domain>?VS=<malwareversion>&PL=<profilelevel>&AN=<presenceofbankingsoftware>

      We have observed constant changes in the parameters across campaigns. A new parameter “AN” was introduced in this version. It is used to detect the presence of a specific process associated with banking security software. If such software is found on the victim’s device, the malware notifies the threat actor.

      Parameter  Description
      VS         JanelaRAT version
      PL         OFF by default
      AN         Yes or No depending on whether a banking security software process exists
    2. The second subroutine is responsible for monitoring the user’s visits to banking websites and reporting any activity of interest to the threat actor. JanelaRAT 33v is specifically engineered to target Brazilian financial institutions. However, we have also observed other versions of the malware targeting other specific countries in the region, such as the “Gold-Label” version targeting banking users in Mexico that we described earlier.

      This subroutine creates a timer to enable an active system monitoring cycle. During this cycle, the malware obtains the title of the active window and checks if it matches entries of interest using a hardcoded but obfuscated list of financial institutions. Although the threat actors behind JanelaRAT primarily focus on one country as a target, the list of financial institutions is constantly updated.

      If a title bar matches one of the listed targets, the malware waits 12 seconds before establishing a dedicated communication channel to the C2. This channel is used to execute malicious tasks, including taking screenshots, monitoring keyboard and mouse input, displaying messages to the user, injecting keystrokes or simulating mouse input, and forcing system shutdown.

      To perform these actions, the malware uses a dedicated C2 handler that interprets incoming commands from the C2. Notably, 33v supports live banking session hijacking, not just credential theft.

      Action performed and description:
      • Capture desktop image: Send compressed screenshots to the C2
      • Specific screenshots: Crop specific screen regions and exfiltrate images
      • Overlay windows: Display images in full-screen mode, limit user interactions, and mimic bank dialogs to harvest credentials
      • Keylogging: Keystroke capture
      • Simulate keyboard: Inject keys such as DOWN, UP, and TAB to navigate or trigger new elements
      • Track mouse input: Move the cursor, simulate clicks, and report the cursor position
      • Display message: Show message boxes (custom title, text, buttons, or icons)
      • System shutdown: Execute a forced shutdown sequence
      • Command execution: Run CMD or PowerShell scripts/commands
      • Task Manager manipulation: Launch Task Manager, find its window, and hide it to prevent discovery by the user
      • Check for banking security software process: Detect the presence of anti-fraud systems
      • Beaconing: Send host information (malware version, profile, presence of banking software)
      • Toggle internal modes: Enable and disable modes such as screenshot flow, key injection, or overlay visibility
      • Anti-analysis: Detect sandbox or automation tools
C2 infrastructure

Unlike other versions, this variant rotates its C2 server daily. Once a window title matches an entry in the list, the malware dynamically constructs the C2 channel domain by concatenating an obfuscated string, the current date, and a suffix domain belonging to a legitimate dynamic DNS (DDNS) service. This communication is established over TCP port 443, but without TLS.
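As an added defender-side example (not code from the report), the following Python script flags the two C2 traits just described, a DDNS suffix with the current date embedded in the hostname and TCP/443 connections with no TLS handshake, over constructed DNS and connection log lines; the DDNS suffix deny-list, the date layouts tried and the log formats are assumptions, since the report names none of them. The same per-host output also shows which clients would be affected by the perimeter DDNS blocking recommended in the conclusions.

```python
from datetime import date, timedelta

# Constructed DDNS suffix deny-list (assumption: the report does not name the real service).
DDNS_SUFFIXES = ("ddns-example.net", "dyn-example.org")

def date_tokens(today, days_back=1):
    """Today and the previous days in a few layouts (the malware's exact layout is not given)."""
    days = [today - timedelta(days=d) for d in range(days_back + 1)]
    return {day.strftime(fmt) for day in days for fmt in ("%Y%m%d", "%d%m%Y", "%d%m%y")}

def suspicious_dns(qname, today):
    """Reasons a queried name looks like a date-rotating DDNS C2 (empty list = clean)."""
    q = qname.lower().rstrip(".")
    suffix = next((s for s in DDNS_SUFFIXES if q == s or q.endswith("." + s)), None)
    if suffix is None:
        return []
    reasons = [f"ddns suffix {suffix}"]
    host = q[: len(q) - len(suffix)]          # labels left of the DDNS suffix
    if any(tok in host for tok in date_tokens(today)):
        reasons.append("embedded current date")
    return reasons

def parse_conn(line):
    """Constructed key=value connection record -> dict (assumed log format)."""
    return dict(kv.split("=", 1) for kv in line.split())

def non_tls_443(conn):
    """True for TCP/443 where the sensor saw no TLS handshake (the 443-without-TLS trait)."""
    return conn.get("dport") == "443" and conn.get("proto") == "tcp" and conn.get("service") != "ssl"

def scan(dns_lines, conn_lines, today):
    """Alert strings for both C2 traits over DNS query and connection logs."""
    alerts = []
    for line in dns_lines:                      # assumed layout: "<ts> <src> query <qname>"
        _, src, _, qname = line.split()
        if reasons := suspicious_dns(qname, today):
            alerts.append(f"DNS {src} -> {qname}: {', '.join(reasons)}")
    for conn in map(parse_conn, conn_lines):
        if non_tls_443(conn):
            alerts.append(f"CONN {conn['src']} -> {conn['dst']}:443 without TLS")
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_DAY = date(2025, 6, 3)
DNS_SAMPLE = ["2025-06-03T10:00:01 10.0.0.5 query www.example.com",
              "2025-06-03T10:00:09 10.0.0.5 query xk7q20250603.ddns-example.net"]
CONN_SAMPLE = ["src=10.0.0.5 dst=198.51.100.20 dport=443 proto=tcp service=ssl",
               "src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp service=-"]
if __name__ == "__main__":
    print("\n".join(scan(DNS_SAMPLE, CONN_SAMPLE, SAMPLE_DAY)))
```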

Decoy overlay system

This version of JanelaRAT implements a decoy overlay system designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware requests further instructions from the C2 server. The C2 responds with a command identifier and a Base64-encoded image, which is then displayed as a full-screen overlay window mimicking legitimate banking or system interfaces. The malware ensures the fake window completely covers the screen and limits the victim’s interaction with the system.

The malware blocks the victim’s interaction by displaying modal dialogs. Each modal dialog corresponds to a specific operation, such as password capture, token/MFA capture, a fake loading screen, a fake full-screen Windows update modal, and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.

Among other fake elements, the malware displays fake Windows update notifications, often accompanied by messages in Brazilian Portuguese, such as:

  • “Configuring Windows updates, please wait.”
  • “Do not turn off your computer; this could take some time.”

When a message command is received from the operator, the malware constructs a custom message box based on parameters sent from the server. These parameters include the message title, text content, button type (e.g., OK, Yes/No), and icon type (e.g., Warning, Error). The malware then creates a maximized message box positioned at the top of the screen, ensuring it captures user focus and blocks the visibility of other windows, mimicking a system or security alert.

An obfuscated acknowledgement string is sent back to the C2 to confirm successful execution of this task.

Anti-analysis techniques

In addition to the conditional behavior based on whether a banking security software process is detected, the malware includes anti-analysis routines and environment checks, such as sandbox detection through the Magnifier and MagnifierWindow components. These components are used to determine whether accessibility tools are active on the infected computer, which indicates a possible malware analysis environment.

Persistence

The malware establishes persistence by writing a command script into the Windows Startup directory. This script forces the execution chain to run at each user logon, enabling malicious activity without triggering privilege escalation prompts. The script is executed silently to evade user awareness.

This method is either an alternative or a supplement to the persistence method described earlier, in the section on the subroutine responsible for periodic HTTP beaconing.

Victimology

Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with specific focus on users of financial institutions in Brazil and Mexico.

According to our telemetry, in 2025 we detected 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.

Conclusions

JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries.

This variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software.

To mitigate the risk of communication with the C2 infrastructure utilizing similar evasive techniques, we recommend that defenders block dynamic DNS services at the corporate perimeter or internal DNS resolvers. This will disrupt the communication channels used by JanelaRAT and similar threats.

Indicators of compromise

808c87015194c51d74356854dfb10d9e         MSI Dropper
d7a68749635604d6d7297e4fa2530eb6        JanelaRAT
ciderurginsx[.]com         Primary C2
