Beware Trojan GoPix Threat, Malware Hijacks Google Ads to Steal Crypto and Bank Funds

Researchers from Kaspersky have revealed a sophisticated malware campaign involving the Trojan GoPix, which spreads through malicious Google Ads. The Trojan primarily targets bank customers and cryptocurrency holders, aiming to steal sensitive financial data. As of March 2026, approximately 90,000 infection attempts linked to this malware had been recorded.

The attackers behind GoPix hide malicious links behind the names of popular services such as WhatsApp and Google Chrome in their ad campaigns. Because these ads appear prominently in search results, victims are far more likely to click them. Once a link is clicked, GoPix filters visitors by IP address to decide whether the system is a valuable target or merely a security scanner.

Advanced Infection Techniques to Evade Detection

GoPix employs a fileless attack method: it does not write regular malware files to the device's storage but loads its components directly into memory. This technique significantly reduces the chances of detection by traditional antivirus software. Fabio Assolini, head of Kaspersky's America and Europe unit, describes GoPix as one of the most complex Brazilian-origin cyber threats seen to date.

The Trojan also has capabilities to move between system processes and disable active security software. This dynamic behavior makes it resemble an Advanced Persistent Threat (APT) group, which typically employs continuous, stealthy operations. Furthermore, GoPix automatically cleans up after its operations, eliminating digital forensic traces and switching command-and-control servers frequently to hinder investigations.

Man-in-the-Middle Attacks Targeting Financial Transactions

One of the key features of GoPix is its use of Proxy AutoConfig (PAC) files to launch man-in-the-middle (MITM) attacks. This allows the malware operators to intercept and manipulate financial transaction data in real-time. For example, during cryptocurrency transactions, GoPix can alter wallet addresses, effectively redirecting funds to attackers’ wallets.

In Brazil, the malware also targets popular local payment systems like Pix by intercepting communications between users and banking services. This real-time data manipulation puts users at significant risk of losing money without immediate detection.

Global Spread and Growing Threat

Although most infections have been detected in Brazil, security experts warn that the Trojan GoPix threat could spread globally. The malware’s use of Google Ads as a vector means it can potentially reach users worldwide due to the platform’s international reach. Awareness and caution when interacting with online advertisements have become critical defensive measures.

Best Practices to Protect Against Trojan GoPix

To reduce the risk of infection, users should avoid clicking on suspicious ads or downloading applications from unofficial sources. Software should be obtained only from official stores such as the Google Play Store or Apple's App Store. Regularly updating device operating systems and applications is essential to patch vulnerabilities that malware might exploit.

In addition, installing robust cybersecurity solutions equipped with banking site verification can provide an extra layer of protection. Enabling two-factor authentication (2FA) on all financial and cryptocurrency accounts greatly enhances account security by requiring additional verification beyond usernames and passwords.

Summary of Protective Actions:

  1. Avoid clicking on ads or links from unknown or untrusted sources.
  2. Download applications only from official app stores.
  3. Keep device operating systems and applications up to date.
  4. Use cybersecurity software that verifies authenticity of banking websites.
  5. Enable two-factor authentication on all financial and crypto accounts.

Remaining vigilant and informed about evolving malware threats like Trojan GoPix is crucial for safeguarding financial assets against cybercriminals who operate through seemingly legitimate digital advertising channels.
