Cybersecurity researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have spotlighted a highly evolved banking Trojan named GoPix in a detailed disclosure released on March 16, 2026. Active for more than three years and monitored closely since 2023, this Brazilian-origin threat has already triggered around 90,000 infection attempts, with annual detection numbers climbing steadily.
The malware specifically singles out users of Brazilian banks and cryptocurrency platforms, leveraging innovative methods that far exceed the capabilities of earlier regional threats.
GoPix spreads primarily through carefully orchestrated malvertising campaigns on Google Ads.
Attackers impersonate popular services such as WhatsApp, the Chrome browser, and Brazil’s national postal service Correios to lure victims to fake landing pages.
These pages incorporate legitimate anti-fraud scoring tools to assess visitors in real time.
By analyzing browser data and environmental signals, the system determines whether the user is a genuine high-value target or merely a security researcher operating in a sandbox.
Non-qualifying visitors are redirected to harmless content, ensuring the payload deploys only against promising victims.
The infection sequence is multilayered and heavily obfuscated.
Depending on detected security software—such as Avast Safe Banking—the Trojan adjusts its delivery.
In some cases it serves a signed NSIS installer; in others, a ZIP archive containing shortcut files that trigger remote PowerShell execution.
All subsequent stages load exclusively into memory via custom shellcode and dropper components, leaving none of the on-disk artifacts that security tools typically scan.
This memory-resident design, combined with API hashing and string encryption, renders file-based YARA hunting largely ineffective.
Once established, GoPix demonstrates its core innovation: dynamic Proxy Auto-Config (PAC) files that enable precise man-in-the-middle interception.
The malware generates these files on the fly, using CRC32 checksums to mask targeted domains and reroute only traffic from legitimate browsers.
It further injects trusted root certificates directly into browser memory—bypassing the operating system’s certificate store—allowing full decryption and manipulation of HTTPS sessions.
Attackers can therefore monitor Pix instant payments, intercept Boleto payment slips by capturing their unique “typeable line” formats, and silently swap cryptocurrency wallet addresses for Bitcoin or Ethereum transfers copied to the clipboard.
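To illustrate the defender's side of the PAC technique described above, here is an added analyst example (not Kaspersky's code, nor anything from the malware) that recovers which domains a captured CRC32-masked PAC file intercepts by hashing a candidate list of known banking hostnames. The PAC body, the proxy address and the `*.example` domain names are constructed placeholders; the hex constants in the sample are generated with the same `crc32()` so the sample stays self-consistent.

```javascript
// Added example, not Kaspersky's or the operators' code: given a captured PAC
// file that hides its target hosts behind CRC32 constants, recover which
// domains it reroutes by hashing a defender-supplied candidate list.

// Standard CRC32 (reflected form, polynomial 0xEDB88320), unsigned 32-bit result.
const CRC_TABLE = Array.from({ length: 256 }, (_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(s) {
  let c = 0xffffffff;
  for (let i = 0; i < s.length; i++) {
    c = CRC_TABLE[(c ^ s.charCodeAt(i)) & 0xff] ^ (c >>> 8);
  }
  return (c ^ 0xffffffff) >>> 0;
}

// Pull every 32-bit hex literal out of the PAC text. A FindProxyForURL that
// compares the host against bare numeric constants instead of naming it is
// itself a hunting signal worth alerting on.
function extractHashConstants(pacText) {
  return new Set([...pacText.matchAll(/0x([0-9a-f]{1,8})/gi)].map(m => parseInt(m[1], 16)));
}

// Hash each candidate domain (lower-cased, as the PAC would see the host) and
// keep those whose CRC32 appears in the file.
function recoverTargets(pacText, candidates) {
  const wanted = extractHashConstants(pacText);
  return candidates.filter(d => wanted.has(crc32(d.toLowerCase())));
}

// Constructed sample: placeholder domains standing in for real bank and
// exchange portals, and a documentation-range proxy address.
const CANDIDATES = ['bank-a.example', 'bank-b.example', 'exchange.example', 'news.example'];
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  var h = crc(host.toLowerCase());
  if (h == 0x${crc32('bank-a.example').toString(16)} ||
      h == 0x${crc32('exchange.example').toString(16)}) return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}`;
```

Running `recoverTargets(SAMPLE_PAC, CANDIDATES)` returns only the two placeholder hosts whose hashes appear in the file; in practice the candidate list would be the institution's own domains plus public lists of Brazilian bank and exchange hostnames.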
Additional stealth features include process-hopping between Explorer.exe and browser instances, short-lived command-and-control servers that stay online for mere hours, and thorough cleanup routines designed to erase forensic evidence.
These tactics mirror advanced persistent threat behaviors rarely seen in Latin American crimeware, enabling the group to target state financial bodies and large corporations while evading detection.
Fabio Assolini, who leads Kaspersky GReAT’s Americas and Europe operations, emphasized the malware’s significance: the threat has achieved a degree of refinement previously unseen in Brazilian banking malware.
Despite ongoing monitoring since 2023, it continues to adapt, with infection volumes rising each year.
Security professionals urge immediate precautions.
Users should avoid clicking sponsored search results, obtain applications solely from official stores, keep operating systems and browsers fully patched, and deploy advanced protection that validates banking and payment portals in real time.
Organizations handling sensitive financial data are encouraged to adopt memory-scanning tools and conduct regular incident-response drills focused on fileless threats.
GoPix serves as a stark reminder that regional cybercriminals are closing the sophistication gap with global actors.
The update from Kaspersky concluded that Brazilian users and financial entities must treat every online advertisement and software download with heightened skepticism to avoid falling victim to this evolving danger.