GoPix banking Trojan targeting Brazilian financial institutions
Essential information
- Published
- 16/03/2026 15:14
- Modified
- 16/03/2026 18:54
- Tags
- 2026-03-16 banking trojan boleto brazil cryptocurrency gopix malvertising man-in-the-middle memory-only implant obfuscation pix powershell
- Related entities
- 10 observables, 1 intrusion sets (apt), 8 techniques (mitre), 1 malware, 12 others
Description
GoPix is an advanced persistent threat targeting Brazilian financial institutions and cryptocurrency users. It uses memory-only implants and obfuscated PowerShell scripts, evolving from previous RAT and ATS threats. The malware employs sophisticated techniques, including malvertising via Google Ads, man-in-the-middle attacks, and monitoring of Pix transactions and Boleto slips. GoPix bypasses security measures, maintains persistence, and uses robust cleanup mechanisms. It leverages multiple obfuscation layers and a stolen code signing certificate to evade detection. The threat actors carefully select victims, including financial bodies of state governments and large corporations, using legitimate anti-fraud services for targeted delivery.