GoPix is an advanced persistent threat described by Securelist as a memory-only banking Trojan targeting Brazilian financial institutions’ customers and cryptocurrency users. The campaign, dated 16 March 2026, relies on malvertising and Google Ads to drive victims to malicious pages, where a bot/sandbox check decides whether to deliver the payload.
If Avast Safe Banking is detected via port 27275, the infection runs through a second URL delivering a ZIP with an LNK that loads an obfuscated PowerShell downloader; otherwise, victims may receive an NSIS installer, digitally signed with a stolen certificate issued to PLK Management Limited.
Once the PowerShell chain executes, GoPix loads its memory-resident implant and a main payload, which supports man-in-the-middle techniques using a PAC file and a dynamic CRC32-based browser check to hide its proxy redirection. The malware targets Pix transactions, Boleto slips, and cryptowallet addresses, and can replace Bitcoin or Ethereum wallet addresses copied to the clipboard; GoPix also injects a trusted root certificate into browsers to intercept HTTPS traffic.
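For the PAC-based redirection described above, a defender can test how a PAC script recovered from a host routes specific banking or exchange hosts. The following is an added example, not code from Securelist or from the malware; the helper stubs, sample PAC, proxy address and watchlist are constructed, and it does not model the CRC32-based browser check.

```javascript
// Added example: audit a PAC script by asking it how each watchlisted host is routed.
// Evaluating a PAC executes its code, so run this only on an isolated analysis host.

// Minimal offline versions of the standard PAC helper functions a script may call.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  localHostOrDomainIs: (host, fqdn) => host === fqdn || fqdn.startsWith(host + '.'),
  shExpMatch: (str, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  },
  // No DNS lookups offline: resolution-dependent helpers return neutral values.
  isResolvable: () => false,
  dnsResolve: () => null,
  myIpAddress: () => '127.0.0.1',
  isInNet: () => false,
};

// Returns [{host, route}] for every watchlisted host that is not routed purely DIRECT.
function auditPac(pacSource, watchlist) {
  const names = Object.keys(pacHelpers);
  const load = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const findProxy = load(...names.map((n) => pacHelpers[n]));
  const findings = [];
  for (const host of watchlist) {
    let route;
    try {
      route = String(findProxy('https://' + host + '/', host));
    } catch (err) {
      route = 'ERROR: ' + err.message; // a script that throws is flagged for review
    }
    const hops = route.split(';').map((s) => s.trim()).filter(Boolean);
    if (!hops.every((h) => h.toUpperCase() === 'DIRECT')) findings.push({ host, route });
  }
  return findings;
}

// Constructed sample PAC (not from the report): one host family is sent to a proxy.
const samplePac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank.example")) return "PROXY 192.0.2.10:8080; DIRECT";
  return "DIRECT";
}`;
// Hypothetical watchlist; replace with the banking and exchange hosts you care about.
const sampleWatchlist = ['www.bank.example', 'login.bank.example', 'news.example'];
console.log(auditPac(samplePac, sampleWatchlist));
```

A non-empty result for a financial host on a machine that should have no proxy configured is a finding worth escalating, together with a review of the browser's trusted root certificates.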