Initial infection vector | Image: Kaspersky Labs
A sophisticated new threat has emerged from the Brazilian cybercrime underground, signaling a dangerous shift toward APT-level tactics. A detailed report from Kaspersky Labs has pulled back the curtain on GoPix, an advanced banking Trojan that uses “memory-only implants and obfuscated PowerShell scripts” to stay virtually invisible to traditional security software.
Unlike previous regional threats, GoPix relies on LOLBins (Living-off-the-Land Binaries), abusing legitimate system tools to carry out its malicious objectives while leaving almost no footprint on the victim’s hard drive.
The infection journey begins with highly targeted malvertising campaigns on platforms like Google Ads. Attackers craft convincing baits for popular services such as WhatsApp, Google Chrome, and the Brazilian postal service, Correios.
However, not every click leads to an infection. In a move that showcases extreme operational discipline, the attackers “abuse legitimate anti-fraud and reputation services to perform targeted delivery of its payload”.
When a user lands on the malicious page, the site “abuses legitimate IP scoring systems to determine whether the user is a target of interest or a bot”. If the visitor is flagged as a researcher or a sandbox, they are redirected to a harmless dummy page; only “valuable targets” receive the actual malicious installer.
Once a target is qualified, GoPix employs a complex delivery chain designed to bypass even browsers with added banking protection. Researchers found that the malware specifically checks whether the Avast Safe Banking feature is active by scanning for port 27275.
The core of the Trojan is its reliance on in-memory execution:
- Stolen Certificates: The initial installer is often signed with a stolen code-signing certificate to appear legitimate.
- Encrypted Shellcode: The malware remains in an encrypted form on the disk, only decrypting its main modules directly into the system’s RAM.
- Signature Erasure: To frustrate forensic tools, GoPix “erases the MZ signature” of its DLLs once they are loaded into memory, preventing scanners from identifying them as executable files.
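The signature-erasure trick above defeats scanners that only look for an `MZ` header at the start of a mapped region. A defender-side heuristic can instead walk a memory region for a plausible COFF/optional header and then ask whether the DOS header that should point at it is still there. The following is an added illustration written for this article, not Kaspersky's tooling or GoPix code; the sample images it scans are constructed in the block (a minimal 64-bit PE header layout), and the `headless-pe` / `intact-pe` / `no-pe` labels are names chosen here.

```python
import struct

# Constructed sample layout (not a real module): a DOS header whose e_lfanew
# points at a PE signature, followed by a minimal COFF header and the
# optional-header magic. This is only enough structure for the heuristic.
PE_OFFSET = 0x80
VALID_MACHINES = {0x014C, 0x8664, 0xAA64}      # i386, x86-64, ARM64
VALID_OPT_MAGIC = {0x10B, 0x20B}               # PE32, PE32+


def build_sample_image(erase_mz=False, erase_dos_header=False):
    """Build a constructed in-memory PE image, optionally with the MZ
    signature (or the whole DOS header) wiped the way the article describes."""
    dos = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", PE_OFFSET))
    dos += b"\x00" * (PE_OFFSET - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\x00" * 238
    image = dos + b"PE\x00\x00" + coff + opt + b"\x00" * 512
    if erase_mz:
        image[0:2] = b"\x00\x00"
    if erase_dos_header:
        image[0:PE_OFFSET] = b"\x00" * PE_OFFSET
    return bytes(image)


def find_pe_headers(region):
    """Return every offset in `region` where a plausible PE signature sits:
    'PE\\0\\0' followed by a known machine type, a sane section count and a
    known optional-header magic. The MZ header is deliberately not required."""
    hits = []
    pos = region.find(b"PE\x00\x00")
    while pos != -1:
        if pos + 26 <= len(region):
            machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
                "<HHIIIHH", region, pos + 4)
            opt_magic = struct.unpack_from("<H", region, pos + 24)[0]
            if (machine in VALID_MACHINES and opt_magic in VALID_OPT_MAGIC
                    and opt_size >= 2 and 0 < nsect <= 96):
                hits.append({"offset": pos, "machine": machine, "magic": opt_magic})
        pos = region.find(b"PE\x00\x00", pos + 1)
    return hits


def classify_region(region):
    """'intact-pe' when MZ and e_lfanew agree with a found PE header,
    'headless-pe' when a PE header exists but the DOS header does not point
    at it (the post-erasure state), 'no-pe' otherwise."""
    hits = find_pe_headers(region)
    if not hits:
        return "no-pe"
    has_mz = region[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0] if len(region) >= 0x40 else None
    if has_mz and any(h["offset"] == e_lfanew for h in hits):
        return "intact-pe"
    return "headless-pe"


def scan_regions(regions):
    """Label each (name, bytes) region; headless images are what a memory
    forensics pass would want to dump and inspect further."""
    return {name: classify_region(data) for name, data in regions}


if __name__ == "__main__":
    samples = [
        ("clean.dll", build_sample_image()),
        ("wiped_mz.dll", build_sample_image(erase_mz=True)),
        ("wiped_dos.dll", build_sample_image(erase_dos_header=True)),
        ("heap_junk", b"\x00" * 16 + b"PE\x00\x00" + b"\xff" * 40),
    ]
    for name, verdict in scan_regions(samples).items():
        print(f"{name:14s} {verdict}")
```

Real memory scanners do this over every committed region of a process rather than a handful of buffers, and would additionally validate section headers before raising an alert; the point here is that the absence of `MZ` is itself the signal once a well-formed PE header is found behind it.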
While GoPix continues to monitor and manipulate cryptocurrency wallet addresses in the clipboard, it has expanded its reach to target the heart of Brazilian commerce: Pix and Boleto bancário.
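Clipboard address substitution is easy to spot in principle: what the user copied and what the clipboard later contains should be identical, and a silent change from one wallet address to another of the same format is exactly the pattern a clipper produces. The block below is an added example written for this article (not code from Kaspersky or from GoPix) of that detection logic run over a constructed event stream; the address formats, the Pix random-key pattern (assumed here to be a UUID-style key) and the `user` / `clipboard` event labels are assumptions made for the illustration.

```python
import re

# Address shapes worth watching. The regexes are deliberately loose; the aim
# is to recognise "same kind of address" rather than to validate checksums.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    # Assumed format for a Pix random key (UUID-like); an assumption of this example.
    "pix-random-key": re.compile(
        r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
}


def classify_address(text):
    """Return the address family of `text`, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(events):
    """events: ordered (source, text) pairs. 'user' marks a copy the user
    performed; 'clipboard' marks a later observation of clipboard content.
    An alert is raised when the observed content is a different address of
    the same family as the one the user last copied."""
    alerts = []
    last_user_copy = None
    for source, text in events:
        text = text.strip()
        if source == "user":
            last_user_copy = text
            continue
        if last_user_copy is None:
            continue
        expected_kind = classify_address(last_user_copy)
        observed_kind = classify_address(text)
        if expected_kind and observed_kind == expected_kind and text != last_user_copy:
            alerts.append({
                "type": expected_kind,
                "expected": last_user_copy,
                "observed": text,
            })
    return alerts


def sample_events():
    """Constructed clipboard timeline: one silent BTC swap, two benign pairs."""
    btc_user = "1" + "Aa" * 16 + "A"      # constructed, not a real address
    btc_swapped = "1" + "Bb" * 16 + "B"   # constructed, not a real address
    eth_user = "0x" + "ab" * 20           # constructed, not a real address
    return [
        ("user", btc_user),
        ("clipboard", btc_swapped),       # changed without a user copy
        ("user", "meeting notes"),
        ("clipboard", "meeting notes"),
        ("user", eth_user),
        ("clipboard", eth_user),          # unchanged, benign
    ]


if __name__ == "__main__":
    for alert in detect_swaps(sample_events()):
        print(f"[{alert['type']}] expected {alert['expected']} observed {alert['observed']}")
```

On a real endpoint the `user` events would come from a clipboard-change hook or an EDR telemetry stream, and the first alert for a process that keeps rewriting addresses is enough to isolate the host; the comparison itself is the cheap part.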
The Trojan’s most alarming feature is an “unprecedented man-in-the-middle attack”. By injecting a trusted root certificate directly into the browser’s memory, GoPix can intercept and manipulate supposedly secure HTTPS traffic. This allows the malware to “manipulate the traffic while the user navigates the legitimate financial website,” all without the malicious certificate ever appearing in the operating system’s standard toolsets.
Kaspersky analysts conclude that GoPix is “by far the most advanced banking Trojan of Brazilian origin” seen to date. Its use of short-lived Command and Control (C2) servers—often staying online for only a few hours—makes it incredibly difficult for incident responders to track or block.