Everyone figured Brazilian banking malware topped out with Grandoreiro—those lumbering RATs that left footprints everywhere, easy pickings for decent forensics. Clunky. Predictable. Banks patted themselves on the back, rolling out half-baked anti-fraud tweaks.
Then GoPix shows up. Memory-only implants. Obfuscated PowerShell. This GoPix banking Trojan doesn’t just evolve; it mocks the old playbook, turning your PC into its personal ATM without touching the disk.
And here’s the kicker—it’s been lurking for over three years, feasting on Pix transactions, Boleto slips, even crypto wallets. Changes everything. Detection? Good luck.
Free Rent in Your RAM
GoPix doesn’t bother with files. Why would it? Disk scans are for amateurs. It loads modules straight into memory, swaps processes like a shell game—disabling your antivirus on the fly, maybe. Living-off-the-land binaries, LOLBins, make it blend right in.
The Brazilian crew behind it? They’re cribbing from APT playbooks—short-lived C2s that vanish within hours, abusing legit anti-fraud services to cherry-pick victims. State governments. Big corps. No sandboxes allowed.
“GoPix has reached a level of sophistication never before seen in malware originating in Brazil. It’s been over three years since we first identified it, and it remains highly active.”
That’s from the analysts tracking it. Spot on. But let’s call the bluff: this isn’t just ‘sophisticated.’ It’s a middle finger to every EDR tool out there.
Short-lived C2s mean YARA rules flop—nothing to hunt. Cleanup? Brutal. DFIR teams chase ghosts.
Malvertising: Google’s Dirty Little Secret?
Starts with Google Ads. Bait: WhatsApp Web fixes, Chrome updates, Correios tracking. Click-happy victims land on poisoned pages.
But it’s smart. First, it pings a real anti-fraud service—browser fingerprints, environment checks. Bot or sandbox? Bounce to a dummy page. Real target? Unleash hell.
Check.php spits out JSON with two URLs. Is port 27275 open on the victim’s machine? That’s Avast Safe Banking—huge in Brazil. If yes, a ZIP with an LNK and a PowerShell downloader. If not, a fake NSIS exe.
We thought it was an exploit at first. Nope. Just tailored delivery. Avast users get the scenic route.
Clever. Malvertising since ‘22, stolen code-signing certs. Evades everything traditional.
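The gate-then-payload chain above, turned into defender-side detection logic. This is an added example, not code from the original article or from the GoPix analysts: a small Python detector over constructed proxy-log lines (placeholder hosts, not real indicators) that flags any client whose check.php request is followed shortly by a ZIP or EXE fetch, and labels which delivery branch was observed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (placeholder hosts, not real IoCs): "time client method url"
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 GET https://ads.example/click?q=whatsapp+web
2024-05-01T10:00:03 10.0.0.5 GET https://landing.example/index.html
2024-05-01T10:00:05 10.0.0.5 GET https://landing.example/check.php?score=87
2024-05-01T10:00:09 10.0.0.5 GET https://cdn.example/whatsapp-fix.zip
2024-05-01T10:05:00 10.0.0.7 GET https://landing.example/check.php?score=12
2024-05-01T10:05:02 10.0.0.7 GET https://landing.example/dummy.html
2024-05-01T10:10:00 10.0.0.8 GET https://landing.example/check.php?score=91
2024-05-01T10:10:04 10.0.0.8 GET https://cdn.example/ChromeSetup.exe
2024-05-01T10:20:00 10.0.0.9 GET https://landing.example/check.php?score=95
2024-05-01T10:30:00 10.0.0.9 GET https://cdn.example/ChromeSetup.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
WINDOW = timedelta(minutes=2)  # gate-to-payload gap worth flagging; tune for your environment


def parse(log):
    """Group (timestamp, url) events per client, skipping malformed lines."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, url = m.groups()
            events[client].append((datetime.fromisoformat(ts), url))
    return events


def detect_gopix_chain(log):
    """Return {client: branch} for clients whose check.php gate request is followed
    within WINDOW by a ZIP (LNK + PowerShell branch, served when the page saw Avast
    Safe Banking on port 27275) or an EXE (fake NSIS installer branch)."""
    hits = {}
    for client, evs in parse(log).items():
        gate_time = None
        for ts, url in sorted(evs):
            path = url.lower().split("?", 1)[0]
            if path.endswith("/check.php"):
                gate_time = ts
            elif gate_time is not None and ts - gate_time <= WINDOW:
                if path.endswith(".zip"):
                    hits[client] = "zip-lnk-powershell"
                elif path.endswith(".exe"):
                    hits[client] = "nsis-exe"
    return hits
```

Clients that hit check.php and then only a dummy page (the bounced bots) or that fetch an installer long after the gate produce no hit, so the rule keys on the sequence rather than on any single URL.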
How Does GoPix Actually Steal Your Money?
MITM attacks, baby. Monitors Pix keys—Brazil’s instant payments, remember? Intercepts Boleto, crypto txns. Bypasses bank security like it’s tissue paper.
Persistence via memory. Switches procs for tasks—web injects, keylogs, whatever. Unseen MITM trick: proxies your traffic, swaps details mid-flight.
Unique insight time: this echoes Lazarus Group, but homegrown. North Korea hid malware in memory for years; now Brazilian thugs do it without nation-state cash. Prediction? It’ll hop borders soon—Mexico, Argentina next. LATAM banks, brace.
Banks spin ‘we’re safe.’ Bull. Their anti-fraud? GoPix laughs, uses it against them.
Victim selection’s ruthless. No randos. High-value only. That’s why it’s raking it in.
Is Your Avast (or Anything Else) Useless Now?
Port check proves it: attackers map defenses. Avast popular? Pivot. Expect more.
Infection chain’s a beauty. Landing page → score → URLs → payload. PowerShell obfuscated to hell—downloads next stage, implants in mem.
No disk artifacts. Forensics nightmare. Analysts say it’s ‘unique.’ Understatement.
But here’s the acerbic truth: security vendors sleepwalked into this. Memory hunting? Rare. Most chase files. GoPix exploits that laziness.
Three years active. Still? Pathetic response.
Banks could patch—better bot checks, mem scans. Won’t. Too busy with PR.
Why Brazilian Banks Are a Sitting Duck
Pix exploded—fast cash, no fees. Crooks love it. GoPix is tuned for it: transaction manipulation, smooth theft.
Crypto users? Bonus. Wallets drained mid-tx.
Historical parallel: like Zeus in 2010, but stealthier. Zeus wrote checks; GoPix ghosts.
Crew’s learning fast. From RAT/ATS to this? APT envy.
Short punch: Wake up.
Expect variants. Global reach.
Frequently Asked Questions
What is GoPix malware?
GoPix is a memory-resident banking Trojan targeting Brazilian Pix, Boleto, and crypto. Delivered via malvertising, it evades AV with LOLBins and steals via MITM attacks.
How does GoPix infect your computer?
Google Ads lure victims to fake pages. Anti-fraud checks filter out bots. Tailored payloads—PowerShell or NSIS—implant in RAM, leaving no disk traces.
How to protect against GoPix banking Trojan?
Block ads, or never click sponsored results, when searching for banking sites. Run memory forensics tools like Volatility. Banks: mandate memory scans. Users: VPN, script blockers. But honestly? Good luck—it’s built to win.