New NGate variant hides in a trojanized NFC payment app
ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.
AI Analysis
Technical Summary
ESET researchers discovered an NGate malware variant, active since November 2025, targeting Brazilian Android users. The attackers trojanized the legitimate HandyPay NFC payment app, likely using AI-generated code, to intercept NFC data from victims' payment cards and exfiltrate PINs to command-and-control servers. This enables unauthorized ATM withdrawals and payments. Distribution occurs through two channels hosted on the same domain: a fake Rio de Prêmios lottery website that tricks victims with rigged prizes, and a fraudulent Google Play page offering a fake card protection app. This campaign marks a shift from malware-as-a-service to patching legitimate applications for NFC-based fraud.
Potential Impact
The malware compromises NFC payment card data and PINs, allowing attackers to perform unauthorized ATM withdrawals and payments. Victims are deceived into installing trojanized apps from fraudulent sources, leading to financial theft. The campaign specifically targets Android users in Brazil, impacting their payment security and privacy.
Mitigation Recommendations
No official patch or remediation guidance has been provided, and patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Users should avoid installing apps from untrusted sources, especially those linked from suspicious websites such as the fake lottery site or the fraudulent Google Play page described above. Verify the authenticity of payment apps before installation, and monitor vendor advisories for updates regarding the legitimate HandyPay app.
Affected Countries
Brazil
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
- Adversary: null
- Pulse Id: 69e7a6a0bb463e49c9b7572e
- Threat Score: null
Threat ID: 69e8876919fe3cd2cd808c42
Added to database: 4/22/2026, 8:31:37 AM
Last enriched: 5/26/2026, 7:54:20 PM
Last updated: 6/6/2026, 11:18:03 AM