GoPix is a sophisticated Advanced Persistent Threat (APT) targeting Brazilian financial services and cryptocurrency users through advanced memory-only implants and obfuscated PowerShell scripts. Evolving from traditional Remote Access Trojans (RATs), this malware employs Living-off-the-Land Binaries (LOLBins) and leverages malvertising via platforms like Google Ads to compromise targets. It is particularly noted for its ability to bypass security measures of major financial institutions while maintaining a stealthy, low-disk-footprint profile.
The malware exhibits advanced capabilities such as man-in-the-middle (MITM) attacks through Proxy AutoConfig (PAC) manipulation and the injection of trusted root certificates into web browsers to intercept HTTPS traffic. GoPix monitors sensitive transactions, including Brazil's Pix system and Boleto slips, and can dynamically replace cryptocurrency wallet addresses in the clipboard. Its complex multi-stage infection chain uses stolen code-signing certificates and anti-fraud service checks to evade detection and analysis environments.
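The two interception mechanisms described above, a per-user PAC configuration and a root certificate planted in the user's trust store, are both visible to a host-side triage check. The following PowerShell script is an added example, not code from the original write-up or from any GoPix analysis; the 30-day window, the per-user-only heuristic, and the output layout are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): triage the two interception mechanisms
# described in the text. Reports (1) a per-user Proxy AutoConfig URL and (2) root CA
# certificates present only in the user's store whose validity began recently.
# The day threshold and the "user-only" heuristic are assumptions.
param(
    [int]$RecentDays = 30   # assumption: roots valid from within this window are suspicious
)

$findings = @()

# 1. Proxy AutoConfig: a PAC script here can route selected hostnames through a proxy.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($props -and $props.AutoConfigURL) {
    $findings += [pscustomobject]@{
        Check  = 'PAC'
        Detail = "AutoConfigURL is set: $($props.AutoConfigURL)"
    }
}

# 2. Per-user root CAs: writing to Cert:\CurrentUser\Root needs no administrative rights,
#    so a root planted by malware typically appears there and not in the machine store.
#    NotBefore is the certificate's own validity start, not its install time; an
#    attacker-generated root is usually freshly issued, which is the signal used here.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem Cert:\CurrentUser\Root | Where-Object {
    ($machineRoots -notcontains $_.Thumbprint) -and ($_.NotBefore -gt $cutoff)
} | ForEach-Object {
    $findings += [pscustomobject]@{
        Check  = 'RootCA'
        Detail = "User-only root '$($_.Subject)' thumbprint $($_.Thumbprint), valid from $($_.NotBefore)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PAC configuration or recent user-only root CAs found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user being investigated, since both the registry key and the certificate store are per-user; a legitimate corporate PAC or enterprise root will also be listed, so compare the output against your known baseline rather than treating every hit as malicious.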