GoPix Memory‑Only Banking Trojan Targets Brazilian Financial Customers via Malvertising and HTTPS Interception
What Happened — A sophisticated banking Trojan named GoPix has been observed delivering memory‑only implants to customers of Brazilian banks and cryptocurrency users. The malware is distributed through malvertising on platforms such as Google Ads and executes a chain of heavily‑obfuscated PowerShell scripts that load the payload directly into RAM, leaving minimal on‑disk artifacts. Once resident, GoPix performs man‑in‑the‑middle attacks, intercepts HTTPS traffic, steals clipboard data, and manipulates Pix, Boleto and crypto transactions.
Why It Matters for TPRM —
- The use of LOLBin techniques and in‑memory loading defeats many traditional endpoint controls, raising the risk profile of any third‑party financial service provider.
- GoPix’s ability to hijack transaction flows (Pix, Boleto, crypto) can lead to direct monetary loss for end‑users and reputational damage for the institutions they serve.
- The campaign leverages legitimate anti‑fraud and reputation services to bypass sandbox detection, highlighting the need for rigorous vendor vetting of any third‑party advertising or content delivery networks.
Who Is Affected — Financial Services (Brazilian banks, payment processors, fintechs) and cryptocurrency platforms.
Recommended Actions —
- Review contracts with advertising networks and ensure they meet strict security standards.
- Deploy advanced memory‑analysis tools and enable PowerShell script logging/monitoring.
- Enforce strict TLS inspection and certificate pinning for banking applications.
- Conduct threat hunts for GoPix IOCs and validate that third‑party vendors cannot introduce similar LOLBin payloads.
Technical Notes —
- Attack vector: Malvertising → PowerShell → LOLBin memory‑only implant.
- Key capabilities: HTTPS interception, clipboard stealing, transaction manipulation (Pix, Boleto, crypto), rapid‑turnover C2 servers, use of stolen code‑signing certificate.
- Persistence: In‑memory only, with robust cleanup to evade DFIR.
- Indicators: Obfuscated PowerShell strings, specific shellcode signatures, short‑lived C2 domains, known GoPix hashes.
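The recommended actions above (enable PowerShell script logging, hunt for GoPix‑style indicators) and the "obfuscated PowerShell strings" indicator can be turned into a concrete hunt. The following is an added example, not code from the advisory or from any vendor: it scores exported PowerShell Script Block Logging records (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log) against a set of obfuscation and in‑memory‑loading patterns. The indicator names, the scoring threshold and the sample records are all constructed for illustration; the page's own hashes and shellcode signatures are not reproduced here, so a real hunt would extend the regex table with the organisation's own threat intelligence.

```python
"""Hunt exported PowerShell Script Block Logging events (Event ID 4104) for
obfuscation and in-memory-loading indicators of the kind the advisory lists.
Added example; the records below are constructed, not real GoPix telemetry."""
import base64
import math
import re
from dataclasses import dataclass, field

# Regexes for techniques that show up in obfuscated, memory-only PowerShell
# loaders. Each hit is one point; the threshold decides what gets escalated.
# Indicator names are this example's own, not a vendor taxonomy.
INDICATORS = {
    "encoded_command": re.compile(r"-e(c|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "char_code_build": re.compile(r"\[char\]\s*\d+", re.I),
    "string_join": re.compile(r"-join\b", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "native_memory_api": re.compile(r"VirtualAlloc|WriteProcessMemory|CreateThread", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
    "clipboard_access": re.compile(r"Get-Clipboard|Windows\.Forms\.Clipboard", re.I),
    # Two or more letter`letter pairs in a row; a single `n or `t escape does not match.
    "backtick_obfuscation": re.compile(r"(?:[A-Za-z]`){2,}[A-Za-z]"),
    "long_opaque_blob": re.compile(r"[A-Za-z0-9+/=]{60,}"),
}


@dataclass
class Finding:
    record_id: int
    score: int
    hits: list[str] = field(default_factory=list)
    blob_entropy: float = 0.0  # reported for the analyst, not scored


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload blobs sit well above prose."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text)))


def score_script_block(record_id: int, text: str) -> Finding:
    """One point per distinct indicator family present in the script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    blobs = INDICATORS["long_opaque_blob"].findall(text)
    entropy = max((shannon_entropy(b) for b in blobs), default=0.0)
    return Finding(record_id, len(hits), hits, round(entropy, 2))


def hunt(records, threshold: int = 3) -> list[Finding]:
    """Return findings at or above threshold, highest score first."""
    findings = [score_script_block(r["RecordId"], r["ScriptBlockText"]) for r in records]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed stand-ins for 4104 records exported from the
# Microsoft-Windows-PowerShell/Operational log. The "payload" in record 3 is a
# harmless Write-Output, base64-encoded the way an encoded loader would be.
_BLOB = base64.b64encode(b"Write-Output 'constructed benign sample, not a loader'").decode()
SAMPLE_RECORDS = [
    {"RecordId": 1, "ScriptBlockText":
     "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\\temp\\svc.csv"},
    {"RecordId": 2, "ScriptBlockText":
     "$parts = 'a','b','c'; $csv = $parts -join ','"},
    {"RecordId": 3, "ScriptBlockText":
     f"$b = '{_BLOB}'; IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b)))"},
    {"RecordId": 4, "ScriptBlockText":
     "$s = [char]72 + [char]105; Wr`i`te-Host $s"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS, threshold=2):
        print(f"record {f.record_id}: score={f.score} hits={f.hits} blob_entropy={f.blob_entropy}")
```

Record 1 is ordinary administration and scores zero; record 2 trips a single generic indicator (`-join`) and stays below the default threshold, which is the point of counting indicator families rather than alerting on any one of them; record 3 (base64 decode plus `IEX` plus an opaque blob) is the shape an in‑memory loader stage takes and is the only record escalated at the default threshold; record 4 shows lower‑confidence obfuscation that surfaces only if the threshold is lowered. Script Block Logging must be on for any of this to exist in the first place, which is why the advisory lists enabling it before hunting.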