{
  "name": "New NGate variant hides in a trojanized NFC payment app",
  "slug": "new-ngate-variant-hides-in-a-trojanized-nfc-payment-app",
  "description": "ESET researchers have identified a new NGate malware variant that has been targeting Android users in Brazil since November 2025. The threat actors, likely using AI-generated code, trojanized the legitimate HandyPay NFC payment application to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments, and it also captures payment card PINs and exfiltrates them to command-and-control servers. Distribution occurs through two channels: a fake, rigged Rio de Pr\u00eamios lottery website where victims always win a prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.",
  "published": "2026-04-21T14:32:32+00:00",
  "created_at": "2026-04-21T14:32:32+00:00",
  "modified_at": "2026-04-22T06:29:46+00:00",
  "created_at_opencti": "2026-04-21T14:32:32+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-21",
    "ai-generated code",
    "brazil targeting",
    "fake lottery",
    "handypay trojanization",
    "nfc relay",
    "ngate",
    "payment card fraud",
    "phantomcard",
    "pin theft"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "108.165.230.223"
      },
      {
        "id": "",
        "name": "162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784"
      },
      {
        "id": "",
        "name": "17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3"
      },
      {
        "id": "",
        "name": "ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd"
      },
      {
        "id": "",
        "name": "95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad"
      },
      {
        "id": "",
        "name": "6e3eea7fb31b8e81026021307247f6eecc5b7f97f35e900796f4786746cde3b8"
      }
    ],
    "malware": [
      {
        "id": "ba76733f-a6e6-4bb4-9963-1806805c5878",
        "name": "PhantomCard",
        "slug": "phantomcard"
      },
      {
        "id": "legacy:malware:a3023e33b0ff0a19",
        "name": "NGate",
        "slug": "ngate"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "protecaocartao.online"
      },
      {
        "id": "",
        "name": "app.mobil-csob-cz.eu"
      },
      {
        "id": "",
        "name": "raiffeisen-cz.eu"
      },
      {
        "id": "",
        "name": "nfc.cryptomaker.info"
      },
      {
        "id": "",
        "name": "spy.ngate.cc"
      }
    ]
  },
  "external_refs": [
    "https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/",
    "https://otx.alienvault.com/pulse/69e7a6a0bb463e49c9b7572e"
  ]
}