Cybersecurity researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered a highly advanced banking Trojan called GoPix. The detailed statement published on March 16, 2026 says that this Brazilian threat, which has been active for more than three years and has been closely monitored since 2023, has already triggered approximately 90,000 infection attempts and that the annual detection numbers are steadily increasing.
The malware specifically targets Brazilian users of banks and cryptocurrency platforms, leveraging innovative methods that far exceed the capabilities of previous regional threats.
GoPix spreads mainly through carefully orchestrated malvertising campaigns in Google Ads.
Attackers are spoofing popular services like WhatsApp, the Chrome browser, and Correios, Brazil’s national postal service, to lure victims to fake landing pages.
These pages use legitimate anti-fraud scoring tools to evaluate visitors in real time.
By analyzing browser data, the system determines whether the user is a real high-value target or just a security researcher working in a sandbox.
Unqualified visitors are redirected to harmless content, so the payload is delivered only to promising victims.
The infection sequence is multi-layered and quite complex.
The Trojan adjusts its delivery depending on which security software, such as Avast Safe Banking, is detected.
In some cases it serves a signed NSIS installer; in others, a ZIP archive containing shortcut files that trigger remote PowerShell execution.
All subsequent stages load only into memory via custom shellcode and dropper components, eliminating the traditional disk traces that security tools typically scan for.
This memory-resident design, together with API hashing and string encryption, makes YARA-based hunting largely ineffective.
Once installed, GoPix showcases its core innovation: dynamic Proxy Auto-Configuration (PAC) files that enable precise man-in-the-middle intervention.
The malware creates these files on the fly, using CRC32 checksums to mask targeted domains and redirect traffic from legitimate browsers only.
It also injects trusted root certificates directly into browser memory, bypassing the operating system’s certificate store, allowing full decryption and modification of HTTPS sessions.
Attackers can therefore monitor Pix instant payments, hijack Boleto payment receipts by capturing their unique “writable line” format, and silently replace cryptocurrency wallet addresses for Bitcoin or Ethereum transfers copied to the clipboard.
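For analysts who recover one of these PAC files, the following added example (not from Kaspersky’s report or from the malware) works out which hosts a set of checksums stands for by hashing a watchlist of the organization’s own domains, and pulls out the proxy endpoints for blocking. It assumes standard CRC-32 over the lowercased hostname, which the article does not specify; the function names, the sample PAC, the `.example` hosts and the proxy port are all constructed.

```python
import re
import zlib

MASK = 0xFFFFFFFF

def crc32_host(host):
    # Assumption: standard zlib CRC-32 over the lowercased hostname.
    return zlib.crc32(host.strip().lower().encode("ascii", "ignore")) & MASK

def extract_constants(pac_text):
    """Collect 32-bit literals (hex or signed decimal) that may be host checksums."""
    pattern = r"\b0[xX][0-9a-fA-F]{1,8}\b|(?<![\w.])-?\d{7,10}\b"
    found = set()
    for tok in re.findall(pattern, pac_text):
        value = int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 10)
        if -MASK <= value <= MASK:
            found.add(value & MASK)  # JS bit operations often yield signed values
    return found

def extract_proxies(pac_text):
    """Return the host:port of every proxy directive, for blocking and hunting."""
    return sorted(set(re.findall(r"\b(?:PROXY|SOCKS5?|HTTPS)\s+([\w.\-]+:\d+)", pac_text)))

def unmask(pac_text, candidates):
    """Map candidate hosts, and their parent domains, to checksums present in the PAC."""
    constants = extract_constants(pac_text)
    hits = {}
    for host in candidates:
        labels = host.lower().strip(".").split(".")
        for i in range(len(labels) - 1):
            name = ".".join(labels[i:])
            if crc32_host(name) in constants:
                hits[name] = f"0x{crc32_host(name):08x}"
    return hits

# Constructed sample: placeholder hosts and proxy port, checksums computed here.
_MASKED = ["internetbanking.bank.example", "exchange.example"]
SAMPLE_PAC = (
    "function FindProxyForURL(url, host) {\n"
    "  var t = [%s];\n"
    "  if (t.indexOf(h(host)) !== -1) return 'PROXY 127.0.0.1:8899';\n"
    "  return 'DIRECT';\n"
    "}\n"
) % ", ".join(f"0x{crc32_host(h):08x}" for h in _MASKED)

if __name__ == "__main__":
    watchlist = ["www.internetbanking.bank.example", "exchange.example", "news.example"]
    print(unmask(SAMPLE_PAC, watchlist))
    print(extract_proxies(SAMPLE_PAC))
```

If a real sample produces no hits, the checksum may be computed over a different string (full URL, a different case, a salted value), so the input to `crc32_host` is the first thing to vary.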
Additional stealth features include process migration between Explorer.exe and browser instances, ephemeral command-and-control servers that stay online for only a few hours, and comprehensive cleaning routines designed to delete forensic evidence.
These tactics reflect advanced persistent threat behavior rarely seen in Latin American crimeware and allow the group to target government financial institutions and large corporations while avoiding detection.
Fabio Assolini, who heads Kaspersky GReAT’s American and European operations, emphasized the importance of the malware: the threat has reached a level never seen before in Brazilian banking malware.
Despite ongoing monitoring since 2023, it continues to adapt, with infection volumes increasing each year.
Security experts demand urgent action.
Users should avoid clicking on sponsored search results, obtain apps only from official stores, keep operating systems and browsers fully patched, and deploy advanced protection that performs verification of banking and real-time payment portals.
Organizations dealing with sensitive financial data are encouraged to adopt memory scanning tools and conduct regular incident response exercises focusing on fileless threats.
With GoPix, regional cybercriminals are closing the information gap with global actors.
Kaspersky concluded that Brazilian users and financial institutions must be more skeptical of every online advertisement and software download to avoid falling victim to this evolving danger.





