New NGate variant hides in a trojanized NFC payment app
ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.
AI Analysis
Technical Summary
ESET researchers discovered an NGate variant active since November 2025 and aimed at Android users in Brazil. The attackers took the legitimate HandyPay NFC payment app and patched malicious code into it, likely AI-generated, so that when a victim taps a payment card on the phone the card's NFC data is relayed to an attacker-controlled device; the malware also collects the card PIN and sends it to a command-and-control server. Both distribution channels sit on one domain: a fake Rio de Prêmios lottery site where the visitor always wins a rigged prize, and a cloned Google Play page offering a fake card protection app. Rather than renting an established malware-as-a-service kit, the actors chose to modify an existing application, which lowers development effort and lets the payload pass as a real payment app; the result is used for unauthorized ATM withdrawals and payments.
Potential Impact
The relayed NFC data lets an attacker-controlled device present the victim's card to an ATM or payment terminal as if the card were physically there; combined with the captured PIN, this allows cash withdrawals as well as contactless payments, so the impact is direct monetary loss for the cardholder. Because the app is a repackaged copy of a genuine payment app and is delivered through a lottery lure and a cloned Google Play page, victims have little reason to distrust it, which raises the infection rate compared with an obviously fake app.
Mitigation Recommendations
There is no patch to apply: the legitimate HandyPay app is not itself vulnerable; the attackers repackaged it with malicious code and distributed the result outside Google Play. Users should install apps only from Google Play and check the address bar, since the fake "card protection" Play page sits on the attackers' own domain rather than on play.google.com; any lottery or prize site that requires installing an app to collect a prize is a lure. Keep Google Play Protect enabled, and verify the HandyPay app's authenticity through the publisher's official channels (package name and signing certificate) before trusting it. If the trojanized app was installed and a card was tapped on the phone, treat the card and PIN as compromised: block the card, change the PIN and contact the bank. Defenders should block the listed domains and IP at DNS and proxy, hunt for the listed file hashes in MDM or mobile EDR inventories, and review which apps on managed devices hold the NFC permission, since the relay cannot work without it. Watch ESET and AlienVault OTX for updated indicators.
Affected Countries
Brazil
Indicators of Compromise
The pulse lists the indicators without per-indicator descriptions; hashes are grouped here by digest length.
Domains:
- raiffeisen-cz.eu
- app.mobil-csob-cz.eu
- nfc.cryptomaker.info
- protecaocartao.online
- spy.ngate.cc
IP address:
- 108.165.230.223
File hashes, MD5 (32 hex characters):
- 633c3636b646bd08af271584c0e41ff9
- 7cecbdfdf2e7a7ae7cc226ae26cd3797
- 84361aaf11cde2df075e65fc31082358
- ea6a6666616f6b02c7b679782a676eab
- d142bb04f32a50db476b63bbe1ac2ee7
File hashes, SHA-1 (40 hex characters):
- 103d78a180eb973b9ffc289e9c53425d29a77229
- 11be9715be9b41b1c8527c9256f0010e26534fdb
- 66de1e0a2e9a421dd16bd54b371558c93e59874f
- 7225ed2cba9cb6c038d8615a47423e45522a9ad1
- da84bc78ff2117ddbfdcba4e5c4e3666eea2013e
- e7ae59cd44204461edbddf292d36eeed38c83696
- 48a0de6a43fc6e49318ad6873ea63fe325200dbc
- 94af94ca818697e1d99123f69965b11ead9f010c
- a4f793539480677241ef312150e9c02e324c0aa2
File hashes, SHA-256 (64 hex characters):
- 162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784
- 17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3
- 95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad
- ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd
- 6e3eea7fb31b8e81026021307247f6eecc5b7f97f35e900796f4786746cde3b8
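The indicators above are only useful once they are checked against something. The following script is an added example written for this page, not ESET's or AlienVault's tooling: it hashes a suspect APK with the three digest algorithms the feed uses (MD5, SHA-1, SHA-256), matches the result against the hash list, and scans DNS or proxy log lines for the listed domains (including subdomains) and the listed IP. The log lines embedded at the bottom are constructed for the demonstration and are not real traffic; everything else is copied from the IoC list.

```python
"""IoC triage helper for the NGate indicators listed on this page.

Added example (not ESET's or AlienVault's code). Hashes a suspect APK,
matches the digests against the page's hash list, and scans log lines for
the listed domains and IP. SAMPLE_LOG is constructed, not real traffic.
"""
import hashlib
import re

# Indicators copied verbatim from the IoC list on this page.
IOC_DOMAINS = {
    "raiffeisen-cz.eu",
    "app.mobil-csob-cz.eu",
    "nfc.cryptomaker.info",
    "protecaocartao.online",
    "spy.ngate.cc",
}
IOC_IPS = {"108.165.230.223"}
# MD5, SHA-1 and SHA-256 values mixed together, all lowercase.
IOC_HASHES = set("""
633c3636b646bd08af271584c0e41ff9 7cecbdfdf2e7a7ae7cc226ae26cd3797
84361aaf11cde2df075e65fc31082358 ea6a6666616f6b02c7b679782a676eab
d142bb04f32a50db476b63bbe1ac2ee7
103d78a180eb973b9ffc289e9c53425d29a77229 11be9715be9b41b1c8527c9256f0010e26534fdb
66de1e0a2e9a421dd16bd54b371558c93e59874f 7225ed2cba9cb6c038d8615a47423e45522a9ad1
da84bc78ff2117ddbfdcba4e5c4e3666eea2013e e7ae59cd44204461edbddf292d36eeed38c83696
48a0de6a43fc6e49318ad6873ea63fe325200dbc 94af94ca818697e1d99123f69965b11ead9f010c
a4f793539480677241ef312150e9c02e324c0aa2
162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784
17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3
95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad
ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd
6e3eea7fb31b8e81026021307247f6eecc5b7f97f35e900796f4786746cde3b8
""".split())

_ALGOS = ("md5", "sha1", "sha256")  # the three digest types the feed carries


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in _ALGOS}


def hash_file(path: str) -> dict:
    """Same result as digest_bytes, but streamed so large APKs are not loaded at once."""
    hashers = {a: hashlib.new(a) for a in _ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests: dict) -> dict:
    """Subset of the supplied digests that appear in the IoC hash list (case-insensitive)."""
    return {a: v for a, v in digests.items() if v.lower() in IOC_HASHES}


def domain_matches(host: str) -> bool:
    """True for a listed domain or any subdomain of one; a trailing dot is tolerated."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Hostnames need an alphabetic TLD, so dotted IPs never match the host pattern.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log_lines(lines) -> list:
    """Return (line_number, indicator) pairs for every listed domain or IP seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, h.lower()) for h in _HOST_RE.findall(line) if domain_matches(h))
        hits.extend((n, ip) for ip in _IP_RE.findall(line) if ip in IOC_IPS)
    return hits


# Constructed sample log (DNS and proxy lines), not real traffic.
SAMPLE_LOG = [
    "2026-04-22T08:31:37Z dns client=10.0.0.5 query=play.google.com type=A",
    "2026-04-22T08:31:39Z dns client=10.0.0.5 query=spy.ngate.cc type=A",
    "2026-04-22T08:31:40Z proxy client=10.0.0.5 dst=108.165.230.223:443 action=allow",
    "2026-04-22T08:31:41Z dns client=10.0.0.5 query=www.protecaocartao.online type=A",
    "2026-04-22T08:31:42Z proxy client=10.0.0.5 dst=108.165.230.2:443 action=allow",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # any APK paths given on the command line
        print(path, match_digests(hash_file(path)) or "no hash match")
    for n, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
```

Run it with one or more APK paths to get hash matches, and feed real DNS or proxy exports to scan_log_lines in place of SAMPLE_LOG. Note that 108.165.230.2 in the last sample line is deliberately not reported: the IP check is an exact match, while the domain check also flags subdomains, because a campaign can rotate hostnames under a domain it controls.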
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
- Adversary: not specified
- Pulse ID: 69e7a6a0bb463e49c9b7572e
- Threat Score: not specified
Threat ID: 69e8876919fe3cd2cd808c42
Added to database: 4/22/2026, 8:31:37 AM
Last enriched: 4/22/2026, 9:03:40 AM
Last updated: 4/23/2026, 1:04:53 AM