GoPix Malware Targets Brazilian Banking and Crypto Users with Advanced Stealth Attacks

CyberDefender 9 mins0

GoPix is a highly advanced banking malware campaign primarily targeting users of Brazilian financial systems and cryptocurrency platforms. Unlike traditional banking Trojans, this threat uses modern techniques such as fileless execution, in-memory implants, and heavily obfuscated PowerShell scripts.

What makes GoPix stand out is how it blends multiple attack strategies into one operation. It borrows ideas from earlier Remote Access Trojans (RATs) and Automated Transfer Systems (ATS), but evolves them into something more stealthy and difficult to detect. Instead of relying on obvious malicious binaries, it operates using legitimate system tools (Living-off-the-Land Binaries), which helps it stay under the radar.

Source : Kaspersky

The campaign also uses malvertising—mainly through platforms like Google Ads—to reach victims. This allows attackers to target users actively searching for trusted software such as WhatsApp or Chrome.

Threat Overview

Over the past few years, GoPix has matured into one of the most sophisticated malware families seen in Brazil. It has remained active for more than three years and continues to evolve with new evasion techniques.

Key highlights:

  • Uses fileless execution to avoid leaving traces on disk
  • Deploys short-lived command-and-control (C2) servers
  • Selects victims carefully using anti-fraud and reputation services
  • Focuses on financial theft and transaction manipulation

Unlike older Brazilian banking malware such as Grandoreiro, GoPix does not rely on persistent infrastructure. Its servers often remain active only for a few hours, making tracking and analysis much harder.

Initial Infection Vector

The infection begins through malicious advertisements. Attackers create fake ads that mimic popular services like:

  • WhatsApp
  • Google Chrome
  • Correios (Brazilian postal service)

When a user clicks on one of these ads, they are redirected to a fake landing page designed to look legitimate.

Before delivering the malware, the site performs a validation check. It sends system and browser details to a legitimate anti-fraud service. Based on the response:

  • Non-targets (bots/sandboxes) → redirected to harmless pages
  • Valid targets → served the malicious payload

This filtering step helps attackers avoid security researchers and automated analysis systems.

Infection Chain

1. Delivery Mechanism

Depending on the victim’s environment, two delivery paths are used:

Path A (No Avast detected):

  • Victim downloads a fake installer (NSIS executable)
  • Signed using a stolen certificate
  • Installer launches an obfuscated PowerShell script

Path B (Avast detected via port 27275):

  • Victim receives a ZIP file containing an LNK shortcut
  • The shortcut executes obfuscated PowerShell commands
  • Used to bypass browser download restrictions

Both paths ultimately lead to the same next stage: downloading and executing additional payloads via PowerShell.

2. PowerShell-Based Execution

Once triggered, PowerShell scripts:

  1. Collect system information
  2. Send data to the C2 server
  3. Receive configuration and encrypted payloads

The payload includes:

  • Obfuscated scripts
  • Encrypted shellcode
  • Main malware implant
  • Configuration files

A key detail here is that decrypted code never touches the disk. Everything runs in memory, making detection significantly harder.

3. In-Memory Execution

The malware uses multiple layers of shellcode:

  • Dropper shellcode
  • Dropper DLL
  • Main payload shellcode
  • Main implant DLL

To evade detection:

  • PE headers (MZ signatures) are removed
  • API calls are resolved using hashing instead of names

This design prevents memory scanning tools from easily identifying malicious components.

Persistence and Evasion Techniques

GoPix demonstrates strong anti-detection capabilities:

  • Executes only inside trusted processes like explorer.exe
  • Injects payloads into browser processes (Chrome, Edge, Firefox, Opera)
  • Uses direct system calls instead of standard APIs
  • Encrypts strings with custom algorithms
  • Avoids writing artifacts to disk

Additionally, it can switch between processes to perform different tasks, making behavior tracking more complex.

Core Capabilities

1. Clipboard Manipulation

The malware monitors clipboard activity and targets:

  • Pix payment data
  • Boleto bancário payment lines
  • Cryptocurrency wallet addresses

Behavior:

  • Pix/Boleto → data is exfiltrated
  • Crypto wallets → addresses are replaced with attacker-controlled ones

2. Man-in-the-Middle (MITM) Attacks

GoPix introduces a more advanced MITM technique using Proxy AutoConfig (PAC) files.

Instead of redirecting users to fake pages, it:

  • Intercepts traffic on legitimate banking websites
  • Manipulates sessions in real time

To hide its targets:

  • Uses CRC32 hashing for domain obfuscation
  • Dynamically selects proxy servers

3. HTTPS Interception

To bypass encryption:

  • Injects a trusted root certificate directly into browser memory
  • Allows decryption and modification of HTTPS traffic

This method is stealthy because:

  • The certificate is not visible through standard OS tools
  • It operates entirely in memory

Command and Control (C2) Behavior

  • Extremely short-lived infrastructure (often only hours)
  • Dynamic endpoints
  • Payload delivery through multiple domains

Example C2:

paletolife[.]com

This approach reduces the window for detection and takedown.

Indicators of Compromise (IOCs)

File Hashes

  • EB0B4E35A2BA442821E28D617DD2DAA2 (NSIS installer)
  • C64AE7C50394799CE02E97288A12FFF (ZIP/LNK)
  • D3A17CB4CDBA724A0021F5076B33A103 (Dropper)
  • 28C314ACC587F1EA5C5666E935DB716C (Main payload)

Certificates

  • Root CA 2024 → f110d0bd7f3bd1c7b276dc78154dd21eef953384
  • Root CA 2025 → 1b1f85b68e6c9fde709d975a186185c94c0faa51

Malicious Domains

  • correioez0ubcfht9i3.lovehomely[.]com
  • correiotwknx9gu315h.lovehomely[.]com
  • webmensagens4bb7[.]com
  • mydigitalrevival[.]com
  • multiple short-lived domains (e.g., b3d0[.]com, 4a3d[.]com)

Detection

Security solutions identify this threat under:

  • HEUR:Trojan-Banker.Win64.GoPix
  • Trojan.PowerShell.GoPix
  • HEUR:Trojan-Banker.OLE2.GoPix

GoPix represents a major shift in banking malware design, especially within the Brazilian threat landscape. It combines stealth, precision targeting, and advanced evasion techniques in a way rarely seen before.

Its use of:

  • Fileless execution
  • Memory-only payloads
  • Trusted certificate abuse
  • Real-time traffic manipulation

makes it extremely difficult to detect and analyze.

The attackers behind GoPix appear to be adopting strategies commonly seen in advanced persistent threat (APT) groups. Their focus on staying hidden, avoiding analysis environments, and carefully selecting victims shows a clear move toward more professional and targeted cybercrime operations.

CyberDefender