Digital transformation in the financial sector has been a double-edged sword. While instant payment systems like Brazil's Pix have revolutionized commerce, they have also created a lucrative playground for cybercriminals. At Security Arsenal, we are observing a disturbing evolution in threat tactics: the shift from fully automated scripts to "hybrid" attacks that blend the efficiency of malware with the adaptability of human intelligence.
The Hybrid Threat: Malware Meets the Human Element
Recent intelligence highlights a sophisticated banking Trojan campaign currently targeting users of Brazil's Pix instant payment platform. Unlike traditional malware, which relies on predefined scripts to siphon funds, this new approach employs a "human-in-the-loop" model.
Here is how the attack chain typically unfolds:
- Initial Infection: The victim is lured via a phishing email or malicious SMS (smishing) containing a payload, often disguised as a legitimate update or invoice.
- Establishment of Foothold: The malware installs itself, often exhibiting Remote Access Trojan (RAT) capabilities or web-inject functionality. It establishes a persistent connection to a command and control (C2) server.
- The Wait: Instead of acting immediately, the malware alerts a human operator that a victim is active.
- Real-Time Hijack: The operator waits for the victim to log into their banking portal. Once the session is authenticated, the operator uses the established connection to manipulate it in real time, pushing fraudulent Pix transactions at a human pace that sidesteps heuristics tuned to flag automated behavior.
TTPs and Technical Analysis
The danger of this campaign lies in its ability to bypass standard fraud detection. Automated systems often look for impossible transaction speeds or repetitive patterns. A human operator, however, can mimic user behavior—pausing, navigating menus, and executing transactions at a pace that appears legitimate to behavioral analysis engines.
Key Technical Indicators include:
- Overlay Attacks: The malware may deploy fake interface overlays on top of legitimate banking apps to capture credentials without the user realizing.
- Webinjects: Manipulation of the browser DOM (Document Object Model) to hide fraudulent transfers or alter the displayed account balance in real time within the browser window.
- Screen Sharing / Remote Control: Some variants leverage legitimate remote administration tools or custom protocols to allow the operator to view the screen and interact with the input devices directly.
Detection and Threat Hunting
Detecting these threats requires a shift from simple signature-based detection to behavioral anomaly hunting. Security teams must monitor for the concurrent use of remote administration tools alongside banking applications, as well as unusual process parent-child relationships.
Below are specific queries and scripts to help identify potential compromises.
KQL Query for Microsoft Sentinel / Defender
This query looks for instances where known banking processes are initiated around the same time as network connections associated with remote administration tools or common RATs.
let BankingProcesses = dynamic(["banco.exe", "itau.exe", "nubank.exe", "bradesco.exe", "cef.exe"]);
let RemoteTools = dynamic(["AnyDesk.exe", "TeamViewer.exe", "RustDesk.exe", "AteraAgent.exe", "Splashtop.exe"]);
let Lookback = 7d;
let Window = 1h; // how close in time the remote-tool traffic must be to the banking process start
// Banking clients starting on the endpoint. DeviceId must survive the project, or the join below has nothing to match on.
let BankingStarts = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName in~ (BankingProcesses)
| project BankingTime = Timestamp, DeviceId, DeviceName, BankingProcess = FileName, ProcessCommandLine, InitiatingProcessFileName;
// Outbound connections made by remote administration tools, bucketed per device and per Window.
// Grouping by the raw Timestamp would give one bucket per event, so the distinct-IP count would never grow.
let RemoteToolTraffic = DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where InitiatingProcessFileName in~ (RemoteTools)
| summarize RemoteIPCount = dcount(RemoteIP), RemoteIPList = make_set(RemoteIP, 20), RemoteTool = take_any(InitiatingProcessFileName)
    by DeviceId, NetTime = bin(Timestamp, Window);
BankingStarts
| join kind=inner RemoteToolTraffic on DeviceId
| where NetTime between ((BankingTime - Window) .. (BankingTime + Window))
// | where RemoteIPCount > 50 // optional: also require the high connection volume typical of RAT/C2 traffic
| extend DetectionReason = "Banking process started while a remote administration tool had outbound connections"
| project BankingTime, DeviceName, BankingProcess, ProcessCommandLine, InitiatingProcessFileName, RemoteTool, NetTime, RemoteIPCount, RemoteIPList, DetectionReason
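As an added example (not code from the article or from Security Arsenal), the same correlation implemented in Python over constructed endpoint telemetry, so the hunt logic can be exercised offline; it also covers the parent-child check mentioned above by flagging a banking client launched by a script host. The JSON field names, the one-hour window and the sample records are assumptions.

```python
import json
from datetime import datetime, timedelta

BANKING = {"banco.exe", "itau.exe", "nubank.exe", "bradesco.exe", "cef.exe"}
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "ateraagent.exe", "splashtop.exe"}
# Script hosts and execution proxies that should never be the parent of a banking client
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe"}
WINDOW = timedelta(hours=1)  # assumed correlation window, same as the KQL query's

# Constructed sample telemetry (hypothetical, one JSON record per line); field names assumed to mirror the query's columns.
SAMPLE_EVENTS = """\
{"ts": "2024-05-02T13:00:05Z", "device": "WS-017", "kind": "process", "file": "AnyDesk.exe", "parent": "explorer.exe"}
{"ts": "2024-05-02T13:02:10Z", "device": "WS-017", "kind": "network", "file": "AnyDesk.exe", "remote_ip": "203.0.113.10"}
{"ts": "2024-05-02T13:40:00Z", "device": "WS-017", "kind": "process", "file": "itau.exe", "parent": "explorer.exe"}
{"ts": "2024-05-02T09:15:00Z", "device": "WS-042", "kind": "process", "file": "nubank.exe", "parent": "wscript.exe"}
{"ts": "2024-05-02T11:00:00Z", "device": "WS-099", "kind": "process", "file": "bradesco.exe", "parent": "explorer.exe"}
{"ts": "2024-05-02T16:30:00Z", "device": "WS-099", "kind": "network", "file": "TeamViewer.exe", "remote_ip": "198.51.100.7"}
"""

def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime timestamp and lower-cased file name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["file"] = e["file"].lower()
        events.append(e)
    return events

def hunt(events):
    """Return (device, banking_process, reason) tuples for the two behaviours the article describes."""
    findings = []
    by_device = {}
    for e in events:
        by_device.setdefault(e["device"], []).append(e)
    for device, evs in by_device.items():
        remote_net = [e for e in evs if e["kind"] == "network" and e["file"] in REMOTE_TOOLS]
        for b in (e for e in evs if e["kind"] == "process" and e["file"] in BANKING):
            # Parent-child anomaly: banking client launched by a script host or LOLBin proxy
            if b.get("parent", "").lower() in SUSPICIOUS_PARENTS:
                findings.append((device, b["file"], f"launched by {b['parent']}"))
            # Temporal correlation: a remote admin tool had outbound traffic within WINDOW of the banking start
            hits = [r for r in remote_net if abs(r["ts"] - b["ts"]) <= WINDOW]
            if hits:
                ips = ", ".join(sorted({r["remote_ip"] for r in hits}))
                findings.append((device, b["file"], f"{hits[0]['file']} connected to {ips} within {WINDOW}"))
    return findings
```

On the sample data, hunt(parse_events(SAMPLE_EVENTS)) returns two findings: WS-017 (AnyDesk traffic 38 minutes before itau.exe started) and WS-042 (nubank.exe spawned by wscript.exe); WS-099 is not flagged because its TeamViewer traffic is five and a half hours away from the banking process.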
PowerShell Script for Persistence Hunting
This script checks common persistence mechanisms (Registry Run keys and Scheduled Tasks) for entries that launch from user-writable locations such as Public, Temp, AppData and Downloads, including legitimate signed binaries (script hosts, rundll32 and similar) that are used as proxies to execute a payload stored there.
# Security Arsenal Persistence Hunter
# Checks for suspicious entries in Run Keys and Scheduled Tasks
Write-Host "[+] Scanning Registry Run Keys for suspicious persistence..." -ForegroundColor Cyan
$RunPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Folders a standard user can write to; malware that never obtained admin rights usually lives here.
# Some legitimate per-user installers (updaters, chat clients) will match as well, so review the output rather than auto-alert on it.
$suspiciousLocations = @("Public", "Temp", "AppData", "Downloads")
$suspiciousPattern = [string]::Join("|", $suspiciousLocations)
# Metadata that Get-ItemProperty attaches to every result; these are not registry values and must be skipped.
$providerProps = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")
foreach ($path in $RunPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    # Read the key once and walk its values instead of re-querying the registry for every property
    foreach ($prop in $key.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $propValue = [string]$prop.Value
        if ($propValue -match $suspiciousPattern) {
            Write-Host "[!] Suspicious Persistence Found:" -ForegroundColor Red
            Write-Host "    Key:   $path"
            Write-Host "    Name:  $($prop.Name)"
            Write-Host "    Value: $propValue"
        }
    }
}
Write-Host "[+] Scanning Scheduled Tasks for actions running from temp folders..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.State -eq "Ready" -or $_.State -eq "Running" } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a binary path; COM-handler actions have no Execute property
        if ([string]::IsNullOrEmpty($action.Execute)) { continue }
        # Include the arguments: proxies such as wscript.exe or rundll32.exe take the payload path as an argument
        $commandLine = "$($action.Execute) $($action.Arguments)"
        if ($commandLine -match $suspiciousPattern) {
            Write-Host "[!] Suspicious Task Found:" -ForegroundColor Red
            Write-Host "    TaskName: $($task.TaskPath)$($task.TaskName)"
            Write-Host "    Action:   $commandLine"
        }
    }
}
Mitigation Strategies
Protecting against human-operated banking Trojans requires a defense-in-depth approach:
- Application Hardening: Enforce AppLocker or WDAC policies to prevent unauthorized applications from executing in user directories. Malware often relies on running from the user's profile or AppData folders to avoid admin privileges.
- Network Segmentation: Critical banking workstations should not have unrestricted internet access. Strict egress filtering should be applied to block known C2 IP addresses and non-business remote desktop tools.
- User Education: Train users to recognize the subtle signs of session hijacking, such as mouse movements they did not initiate or screen flickering associated with overlay attacks.
- Zero Trust Architecture: Implement continuous authentication. Do not rely solely on a single login event; re-authenticate for high-value transactions.
- EDR/XDR Deployment: Ensure advanced Endpoint Detection and Response is active on all endpoints to detect the malicious injection techniques used by these Trojans.
The blend of human intuition with malware automation presents a formidable challenge. By hunting for the behavioral artifacts of these tools and locking down execution paths, Security Arsenal helps you stay ahead of the curve.