216.73.217.139

GoPix banking Trojan targeting Brazilian financial institutions

· Published 16/03/2026 15:14 · Modified 16/03/2026 18:54

Export JSON

Essential information

Published
16/03/2026 15:14
Modified
16/03/2026 18:54
Tags
2026-03-16 banking trojan boleto brazil cryptocurrency gopix malvertising man-in-the-middle memory-only implant obfuscation pix powershell
Related entities
10 observables, 1 intrusion sets (apt), 8 techniques (mitre), 1 malware, 12 others

Description

is an advanced persistent threat targeting Brazilian financial institutions and users. It uses memory-only implants and obfuscated scripts, evolving from previous RAT and ATS threats. The malware employs sophisticated techniques, including via Google Ads, attacks, and monitoring of transactions and slips. bypasses security measures, maintains persistence, and uses robust cleanup mechanisms. It leverages multiple layers and a stolen code signing certificate to evade detection. The threat actors carefully select victims, including financial bodies of state governments and large corporations, using legitimate anti-fraud services for targeted delivery.

External references