Kaspersky GReAT experts have identified new, unprecedentedly complex campaigns by GoPix, a Brazilian banking Trojan that has stayed active for the last three years. The malware employs memory-only implants, Proxy AutoConfig (PAC) files for man-in-the-middle attacks and malvertising via Google Ads to target Brazilian financial institution customers and cryptocurrency users.
Initial infection is achieved through malvertising campaigns: threat actors often use Google Ads to distribute bait by abusing popular services such as WhatsApp, Google Chrome, and the Brazilian postal service Correios, luring victims to malicious landing pages. When the user lands on the GoPix landing page, the malware leverages legitimate IP scoring systems to determine whether the visitor is a target of interest or a bot running in a malware analysis environment. The malware is not delivered if the user is not considered a valuable target.
“GoPix has reached a level of sophistication never seen before in malware originating from Brazil. We have been monitoring this threat since 2023; it remains highly active and detections are increasing steadily every year: as of March 2026, a total of 90,000 infection attempts have already been detected. The threat uses stealthy infection methods and evades detection by security software, employing new techniques to remain operational,” says Fabio Assolini, Head of the Americas & Europe units at Kaspersky GReAT.
GoPix is now capable of executing man-in-the-middle attacks, monitoring Pix transactions and Boleto slips, and manipulating cryptocurrency transactions, which enables it to intercept, monitor and manipulate network traffic effectively. The malware strategically bypasses security mechanisms implemented by financial institutions while maintaining persistence and employing robust cleanup routines designed to hinder Digital Forensics and Incident Response (DFIR) efforts.
According to the research, the Brazilian group behind GoPix appears to be adopting techniques commonly associated with APT groups to maintain persistence and conceal its malware. Its approach includes loading modules directly into memory and leaving minimal artifacts on disk, which reduces the effectiveness of YARA-based threat hunting, as well as using C2s with a very short lifespan. The malware can also switch between processes to perform specific functions and potentially disable security software.
Read the full report on Securelist.com
To mitigate the risk of banking Trojans such as GoPix, experts from Kaspersky GReAT recommend:
- Be cautious when clicking on advertisements while surfing the internet to avoid accessing malicious landing pages. If you are interested in an application, it is safer to download it from the official app store.
- Use a comprehensive digital protection solution to secure your financial transactions — it verifies the authenticity of known online payment systems and banking websites.
- Keep all software on your computer up to date.
- Stay vigilant when applying updates.
- Download software only from official sources and avoid optional add-on packages.
About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.