{ "Event": { "analysis": "1", "date": "2026-03-16", "extends_uuid": "", "info": "[Threat Intel] GoPix banking Trojan targeting Brazilian financial institutions", "protected": false, "publish_timestamp": "1774219620", "published": true, "threat_level_id": "2", "timestamp": "1774219619", "uuid": "3c95ebc5-bc70-4de5-bc23-c70cd9306eb3", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Kaspersky\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#4985d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#1cf78c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Install Root Certificate - T1553.004\"", "relationship_type": "" }, { "colour": "#5884a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"", "relationship_type": "" }, { "colour": "#c94db5", "local": false, "name": "misp-galaxy:target-information=\"Brazil\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773716427", "to_ids": false, "type": "link", "uuid": "65304cbe-225c-4370-8731-95151c2fa1b8", "value": "https://securelist.com/gopix-banking-trojan/119173/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773716427", "to_ids": false, "type": "text", "uuid": "ec66a664-ec02-44b5-aaae-de95f67f7eec", "value": "GoPix is an advanced persistent threat targeting Brazilian financial institutions and cryptocurrency users. It uses memory-only implants and obfuscated PowerShell scripts, evolving from previous RAT and ATS threats. The malware employs sophisticated techniques, including malvertising via Google Ads, man-in-the-middle attacks, and monitoring of Pix transactions and Boleto slips. GoPix bypasses security measures, maintains persistence, and uses robust cleanup mechanisms. It leverages multiple obfuscation layers and a stolen code signing certificate to evade detection. The threat actors carefully select victims, including financial bodies of state governments and large corporations, using legitimate anti-fraud services for targeted delivery." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773716427", "to_ids": false, "type": "text", "uuid": "472a3311-2c04-4069-8755-1da288b5e566", "value": "Name: GoPix banking Trojan targeting Brazilian financial institutions\nAuthor: AlienVault\nAdversary: GoPix\nTags: [\"memory-only implant\", \"obfuscation\", \"cryptocurrency\", \"malvertising\", \"banking trojan\", \"brazil\", \"gopix\", \"man-in-the-middle\", \"boleto\", \"powershell\", \"pix\"]\nTgtd countries: [\"Brazil\"]\nMlwr families: [\"GoPix\"]\nAttack_ids: [\"T1056.001\", \"T1547\", \"T1055\", \"T1185\", \"T1102\", \"T1059.001\", \"T1027\", \"T1553.004\", \"T1204.001\"]\nIndustries: [\"Finance\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773716427", "to_ids": false, "type": "threat-actor", "uuid": "4218d1bc-de41-474b-9f45-25f31f685d1a", "value": "GoPix" }, { "category": "Payload delivery", "comment": "Main payload No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194768", "to_ids": true, "type": "md5", "uuid": "39d89391-fb10-4a52-afb2-e3cfa78f2677", "value": "28c314acc587f1ea5c5666e935db716c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Malware dropper No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194768", "to_ids": true, "type": "md5", "uuid": "d65691ed-78a4-4729-8f77-b4551fd17ed4", "value": "d3a17cb4cdba724a0021f5076b33a103", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195311", "to_ids": true, "type": "url", "uuid": "01e1180f-d22c-4f6d-9b99-e2ac255c4924", "value": "http://4a3d.com/1/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195332", "to_ids": true, "type": "url", "uuid": "084b3962-ed72-4f8c-a46d-a8c94a409928", "value": "http://9de1.com/1/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195354", "to_ids": true, "type": "url", "uuid": "393b7218-11f2-4be2-ba99-375a3be24606", "value": "http://b3d0.com/1/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195375", "to_ids": true, "type": "url", "uuid": "4802c4b7-8d05-400e-a34e-6696fc7df458", "value": "http://ef0h.com/1/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195397", "to_ids": true, "type": "url", "uuid": "0807e13d-3509-4980-ab70-6dab962790bf", "value": "http://webmensagens4bb7.com/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195418", "to_ids": true, "type": "url", "uuid": "bf0e3d7d-6876-43bc-a19b-e8534478ec1b", "value": "http://yogarecap.com/1/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195440", "to_ids": true, "type": "url", "uuid": "da50f55a-bc2e-4c85-9740-969897ef9e4a", "value": "https://correioez0ubcfht9i3.lovehomely.com/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195461", "to_ids": true, "type": "url", "uuid": "19a14d73-dea9-48ad-99c8-1079a3f813fc", "value": "https://correiotwknx9gu315h.lovehomely.com/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195483", "to_ids": true, "type": "url", "uuid": "75e2e95e-dfdd-43fd-8c51-2dbbeacc1035", "value": "https://mydigitalrevival.com/get.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195505", "to_ids": true, "type": "domain", "uuid": "974d4c9c-c9b5-4e38-9bf6-805733cb7e80", "value": "4a3d.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195527", "to_ids": true, "type": "domain", "uuid": "2d9e456b-e604-4fb6-9330-25b42dda5943", "value": "9de1.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195548", "to_ids": true, "type": "domain", "uuid": "716e3231-3a76-4584-8168-bbe743edf725", "value": "b3d0.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195569", "to_ids": true, "type": "domain", "uuid": "15ed38cf-acc8-4238-a743-856a65bbb3b8", "value": "ef0h.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195590", "to_ids": true, "type": "domain", "uuid": "32722f38-aac3-4869-91dc-e8caa0d452b1", "value": "mydigitalrevival.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195612", "to_ids": true, "type": "domain", "uuid": "6aa11f4a-c49d-4365-b8cf-117a9cb95bf2", "value": "paletolife.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195633", "to_ids": true, "type": "domain", "uuid": "2c93b3a1-1e10-4005-87e9-4cc5362d42e6", "value": "webmensagens4bb7.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195654", "to_ids": true, "type": "domain", "uuid": "23c4284c-9633-4204-a851-9170df51cf5c", "value": "yogarecap.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195676", "to_ids": true, "type": "hostname", "uuid": "c7ded072-992c-47bc-ba19-2822e65c5eb6", "value": "correioez0ubcfht9i3.lovehomely.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774195697", "to_ids": true, "type": "hostname", "uuid": "d1cd8306-a0c2-4edf-ac29-b2f564ba4764", "value": "correiotwknx9gu315h.lovehomely.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1774195718", "uuid": "1a7ec0c7-07ad-4f6f-a07b-d5fd984c7b89", "Attribute": [ { "category": "Payload delivery", "comment": "NSIS installer", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1774195718", "to_ids": true, "type": "md5", "uuid": "7a01814c-1631-432e-8199-180558cfd13f", "value": "eb0b4e35a2ba442821e28d617dd2daa2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "NSIS installer", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1774194766", "to_ids": true, "type": "sha1", "uuid": "8568a03c-7b38-4761-930b-b9c4e6464175", "value": "b7cfedf9346bc1a4f497396d35360c599663725d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "NSIS installer", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1774194766", "to_ids": true, "type": "sha256", "uuid": "54c6423b-10e2-4c2d-a275-6970b81677f4", "value": "7ee681e494d942d7dcc399f5f81fa48cad01e41742d1882790ad4d8d115e25ca", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1774193738", "to_ids": true, "type": "ssdeep", "uuid": "0a7f309e-0268-4f7c-af00-a37ea80b73ce", "value": "1536:S/T2X/jN2vxZz0DTHUpouM0b6GnfuQZPxRO:SbG7N2kDTHUpounbrfuQ9xRO" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1774193738", "to_ids": false, "type": "size-in-bytes", "uuid": "e1f10cb8-a946-443e-8290-81ea1a894598", "value": "54256" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1774193738", "to_ids": true, "type": "vhash", "uuid": "4c2d957d-eac0-4226-b4f9-43e1860e7a99", "value": "054056655d1c0550d043z800417z57z62z4gz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1774193738", "to_ids": true, "type": "filename", "uuid": "156b0e55-e330-4e71-aca8-3057c677219b", "value": "WhatsAppWeb.exe" }, { "category": "Other", "comment": "Checked: 22/03/2026\nLast-scan\t: 22/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1774193738", "to_ids": false, "type": "text", "uuid": "d9a8438b-e9bd-4e48-8cfb-895dd06b25b5", "value": "NSIS installer\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Rastreio.RPZ!MTB\nVT Total Detection:46/72\nFirst Submission:2023-01-19T11:46:31.000000+00:00\nLast Submission:2023-10-25T15:08:22.000000+00:00" } ] } ] } }