JAKARTA - Security researchers from Kaspersky GReAT have uncovered a new, complex cyber campaign from GoPix, a Brazilian banking Trojan that has been active for the past three years.
This malware targets financial institutions and crypto users, spreading through malicious ads on Google Ads, as well as other popular services such as WhatsApp, Google Chrome, and the Brazilian postal service Correios.
Victims who click on the ad are directed to a malicious site, where the malware is downloaded only if the system judges the visitor to be a high-value target rather than a bot or an analysis environment.
Fabio Assolini, head of the American & European unit of Kaspersky GReAT, said GoPix has reached a new level of sophistication. As of March 2026, there were around 90,000 infection attempts, with detections trending upward since 2023.
"This threat uses hidden infection methods and avoids detection by security software, using new techniques to remain operational," said Fabio.
The malware uses a "fileless" technique, meaning it runs only in memory, and uses Proxy AutoConfig (PAC) files to perform a man-in-the-middle attack.
With this ability, GoPix can monitor and manipulate financial transactions, from the Pix payment system and Boleto slips to crypto transactions.
In addition, GoPix is able to evade detection by loading modules directly into memory, using short-lived control servers (C2), and switching between processes to execute certain functions.
The malware also has the potential to disable security devices and delete traces to hinder forensic investigations.
To avoid the GoPix Trojan, experts from Kaspersky GReAT remind users to be more vigilant about online advertising, to download apps only from official sources, to update their systems regularly, and to use digital security solutions to protect financial transactions.