{
	"id": "1714d778-52c9-4023-b465-aa9926ff7121",
	"created_at": "2026-04-06T00:19:54.325223Z",
	"updated_at": "2026-04-10T03:21:50.309567Z",
	"deleted_at": null,
	"sha1_hash": "9e727dff3f25e0edfb4423f0f8eaa34b2abca752",
	"title": "BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2599800,
	"plain_text": "BrasDex: A new Brazilian ATS Android Banker with ties to Desktop\r\nmalware\r\nPublished: 2024-10-01 · Archived: 2026-04-05 12:45:50 UTC\r\nA varied and wild landscape\r\nThe mobile malware landscape of the LATAM region, more specifically Brazil, has recently risen to prominence in the\r\nnews due to families like Brata and Amextroll, extending their reach all the way to Europe. ThreatFabric has already\r\nreported in length about these families. However, not all malware developed in South America targets the European\r\nmarket.\r\nIn fact, ThreatFabric analysts discovered an ongoing multi-platform malware campaign, targeting both mobile and\r\ndesktop Brazilian users, with thousands of infections and with an estimated loss of hundreds of thousands of Brazilian\r\nReals (R$), which corresponds to tens of thousands of USD.\r\nThis campaign involves a highly flexible novel Android malware dubbed BrasDex by ThreatFabric, featuring a complex\r\nkeylogging system designed to abuse Accessibility Services to extract credentials specifically from a set of Brazilian\r\ntargeted apps, as well as a highly capable Automated Transfer System (ATS) engine.\r\nWhen analyzing BrasDex, our team found the evidence of some desktop malware controlled through the same backend.\r\nOur analysts were able to identify the malware samples related to the same campaign targeting Brazilian users as well: it\r\ninvolves Casbaneiro, a well-known malware family known to be active in Latin America.\r\nBrasDex: a trend switch away from overlay attacks\r\nhttps://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html\r\nPage 1 of 15\n\nThe malware has been active for more than a year, initially posing as Android settings applications and targeting Brazilian\r\nbanking applications. 
In its latest campaign, it started posing as one specific banking application (Banco Santander BR),\r\nwhile continuing to target the same subset of applications as its previous versions.\r\nBrasDex abuses accessibility services to keylog the information that is input in the target application, veering away from\r\nthe traditional overlay attack mechanism that we have observed for years now, towards what seems to be the next\r\nstandard in Android banking malware.\r\nThis follows a trend that we have started to see in the past year, where different malware families have started abandoning\r\nthe use of overlays, which require continuous updates and additional downloaded data, in favour of leaner and more flexible\r\nsolutions. For example, in the case of Vultur this solution was to perform screen recording and subsequently accessibility\r\nlogging; in the case of Cabassous it was to load the real target login page in a browser controlled by the malware, with\r\nJavaScript enabled.\r\nHowever, in most cases, malware families are starting to rely heavily on accessibility logging to exfiltrate login\r\ncredentials and other PII from infected victims. This is also the case for BrasDex. This malware family is able to log not\r\nonly credentials, but also other important information, like the account balance, and then use it to perform a DTO (Device\r\nTakeOver), which allows criminals to perform fraudulent transactions using the infected device.\r\nWhat sets BrasDex apart from many other malware families is its ATS (Automated Transfer System) capabilities. 
ATS\r\nallows malware to programmatically use the information stolen from the victim to initiate fraudulent transactions in an\r\nautomated way, making the whole infection and fraud chain more flexible and scalable.\r\nThreatFabric has mentioned ATS before in our blogs, as one of the most dangerous features present in modern-day\r\nmalware, specifically when speaking about Bankers such as Gustuff, the first Banker to implement this technique in\r\n2018, and more recently SharkBot.\r\nTargets\r\nBrasDex is a malware family strictly focused on the Brazilian market. The malware contains checks to make sure it only\r\noperates on devices from Brazil. To do so, it programmatically checks that the SIM used by the device is operating in\r\nBrazil, and only then does it properly complete its operations and configuration. If the device has a SIM card from anywhere\r\nelse, the malware shuts down and never contacts its C2 server.\r\nThis complete dedication to a single market might be motivated by the fact that BrasDex uses its features to abuse\r\none specific subset of transactions within the Brazilian banking ecosystem. BrasDex specifically abuses the Pix payment\r\nsystem. Pix is a fast payment system from the Central Bank of Brazil that went live in 2020, and allows users to perform\r\npayments to other users just by knowing their identifier (which can be an email, CPF, phone number, or random ID).\r\nNOTE: ThreatFabric wants to point out that the Pix system is not vulnerable. Actors are not exploiting any\r\nvulnerabilities in the Pix system, but rather abusing the fast payment system and known Android issues to make\r\nfraudulent transfers.\r\nBloomberg referred to the Pix app as “ubiquitous” in Brazil in October 2021, a year after Pix’s release. 
As of November\r\n2022, Pix has been reported to perform an average of more than 2 million monthly transactions, with a user base of more\r\nthan 120 million people. In November 2022 alone, Pix was used to perform transactions corresponding to a volume\r\nof more than one billion Brazilian Reals (R$), which equals more than 180 million USD ($).\r\nFor each targeted bank, the step in the ATS script which is responsible for the actual fraudulent transfer performs it\r\nthrough the Pix technology, not the traditional bank transfer that many other malware families use.\r\nThe script will find the UI element corresponding to Pix payments within the banking application, use it to start the\r\ntransfer procedure, and then navigate through the different screens, selecting the beneficiary and the amount and\r\nauthenticating with the stolen credentials. This kind of instant payment does not require Multi-Factor Authentication, as it\r\ncan be authorized directly through the banking application itself, making it the perfect target for Android banking\r\nmalware. We will later cover in detail an example of a transfer procedure with such technology.\r\nCapabilities\r\nKeylogging\r\nThe keylogging technique used by BrasDex abuses the accessibility services privileges, and is able to detect and log a\r\nlarge quantity of information from the Operating System. 
With this technique, BrasDex is able to log and send to its C2\r\nall the information that is shown on the device’s UI, including both credentials typed by the user, as well as other\r\ninformation that is displayed by the application itself, like the account balance.\r\nIf the application in the foreground is one of the banking applications included in the target list, BrasDex also notifies its\r\nC2 of events such as opening the application, inserting passwords, or the malware being incapable of extracting the\r\nrequired information. The malware notifies the C2 whenever one of the following events is detected, with the indicated\r\ncodes:\r\nEvent Code Description\r\n(No code) The malware successfully performed a transaction\r\nSTART The banking application was started\r\nPW Password typed (followed by the password as event value)\r\nSTUCK The malware encountered an error and is frozen\r\nABORT The malware aborted its operation for lack of permissions or outdated APIs\r\nThe logged message is formed in the following way (in case of no parameters, the message ends with the event code):\r\nFORMAT: \u003cBANK_CODE\u003e - \u003cEVENT_TYPE\u003e - \u003cEVENT_VALUE\u003e\r\nThe information that is collected by the keylogging module is stored locally and sent to the C2, and is automatically fed\r\nas parameters into the ATS scripts downloaded with the malware configuration when the malware is first launched.\r\nATS\r\nWhat really sets this newly discovered malware family apart from its competition is its advanced and flexible ATS\r\nframework. 
First abused by Gustuff, enhanced and diffused with SharkBot, an Automated Transfer System allows the\r\nmalware to programmatically use the stolen credentials, detect the amount of funds that are available in the account, and\r\nthen initiate and approve a transaction, all from the infected device itself.\r\nIn the case of BrasDex, the infected device receives multiple scripts, one per targeted application, each containing all\r\nthe necessary steps to log in and perform fraud. Each script is made of multiple actions, which contain the following\r\nfields:\r\n{\r\n \"stageId\": n,\r\n \"conditions\": [\"\u003cCondition\u003e-\u003cParameters\u003e\", ...],\r\n \"run\": [\"\u003cCommand\u003e-\u003cParameters\u003e\", ...]\r\n}\r\nstageId is an integer which corresponds to the current step of the script. Actions are executed in\r\nconsecutive stageId order, and scripts feature multiple actions with the same stageId in order to support\r\nmultiple alternative execution patterns (e.g. different login procedures based on the kind of PII exfiltrated).\r\nconditions is a list of “Condition-Parameters” combinations. These make up the conditions required to initiate the\r\nactions.\r\nrun is a list of “Command-Parameters” combinations. These are the actual actions executed by the malware.\r\nHere is an example of a real action implemented by one of the scripts:\r\nBrasDex is able to check the values and type of data contained in all the different fields of the UI (for example whether an\r\naccount contains any funds). 
It is also able to understand and check whether UI elements can be clicked, and whether they contain\r\nspecific strings used to identify useful information (like finding the “Continue” or “Cancel” button).\r\nIf the conditions for an action are satisfied, it is also able to navigate within the UI to highlight and focus the wanted\r\nelements, wait a set amount of time, assign specific values to password fields or beneficiary fields, and click buttons within\r\nthe app.\r\nIn the Appendix of this blog, you can find the full list of accepted conditions and commands supported by the bot.\r\nPix Transfer example\r\nAs previously mentioned, BrasDex targets the Pix payment system to perform its fraud.\r\nIn the image below you can see a few of the different screens that the malware needs to navigate and interact with to\r\nsuccessfully perform a transaction using Pix.\r\nWe report here a subset of the actions described in the ATS script, which interact with the UI elements highlighted in red\r\nin the above image:\r\n{\r\n \"stageId\": 2,\r\n \"conditions\": [\"textC-Pix. Item\"],\r\n \"run\": [\"clickCurrentNode\"]\r\n}, {\r\n \"stageId\": 3,\r\n \"conditions\": [\"textCL-cpf\", \"acc-CPF\"],\r\n \"run\": [\"clickCurrentNode\"]\r\n}, {\r\n \"stageId\": 4,\r\n \"conditions\": [\"textC-+100\", \"className-Button\"],\r\n \"run\": [\"next\", \"BRASetVal\"]\r\n}\r\nAs you can see from the above JSON objects, BrasDex in this case transfers funds to an account identified by a CPF code\r\n(“Cadastro de Pessoas Físicas”, a unique individual taxpayer identifier in Brazil).\r\nThis is another peculiarity of Pix: it allows transactions to accounts identified by CPF, but\r\nalso by phone numbers, emails, or simple unique identifiers. 
The ATS scripts use the following codes to identify which\r\nkind of mule will be used for the transaction (which is communicated by the C2 during its initial config):\r\nDestination Code Description\r\nCEL Phone number\r\nEMAIL Email address\r\nCPF Cadastro de Pessoas Físicas\r\nAll kinds of account identifiers have been observed being used by BrasDex mules.\r\nOnce the malware finally inputs the necessary passwords to finalize the transaction, funds are transferred to the\r\ndestination mule account.\r\nPanel\r\nWhile investigating this malware family, ThreatFabric also managed to get certain visibility of the Panel hosted on the C2\r\nserver. Based on the information displayed on the panel, the malware seems to be quite successful, with more than a thousand\r\nreported infections. The panel contains multiple pages, e.g. the list of infected devices with extensive information,\r\nwhich includes the service providers, the device model, and the Android version. In another page, actors can access logs\r\nobtained from the infected devices, with the exfiltrated information, as well as reports of successful transactions.\r\nHowever, what really caught our attention was the main landing page. Here, we found a dashboard reporting extensive\r\ninformation about a different malware campaign, only this time targeting Desktop devices.\r\nThis discovery led to another investigation, which allowed us to connect this malware family to another malware\r\nfamily: Casbaneiro.\r\nCasbaneiro: old but gold\r\nThe analysis of the drop points used to distribute BrasDex led us to a campaign of desktop samples distributed through\r\nsimilar links in Q1 2022. 
We analyzed those samples and identified Casbaneiro, an infamous Windows banking Trojan\r\ndiscovered in 2018, as the partner of BrasDex.\r\nSince the campaign is quite old, it could be just a coincidence, but our analysis showed clear similarity between BrasDex\r\nand Casbaneiro in regard to the communication with their C2 (namely the common use of a specific header).\r\nHowever, to put an end to the debate, while writing our blog we discovered an ongoing campaign of BrasDex and\r\nCasbaneiro distributed through the same drop point, thus allowing us to conclude that Casbaneiro is the desktop\r\nmalware operated by the same actors behind BrasDex.\r\nThe latest desktop campaign follows the same MO as previous ones, and we will briefly highlight the most notable parts of\r\nthe desktop campaign.\r\nIt was delivered through phishing e-mails about a failed delivery, pretending to be from the Brazilian postal service and\r\ncontaining a link to a form to be filled in.\r\nWhen the victim clicked the link, a ZIP archive was downloaded. This archive contained a Microsoft Software Installer\r\npackage (MSI). When analyzing the file, we discovered that it contains an obfuscated script that will download the next\r\nstage of the malware.\r\nThe downloaded file is an archive containing the AutoIt interpreter and an obfuscated AutoIt script. When launched, it will\r\ndownload another archive containing another AutoIt script. The new script is bigger as it contains binary data encoded in\r\nhex strings. This is the final payload that is decoded and executed by the script. Thus, this multi-staged process results in\r\na Delphi payload running on the Windows machine:\r\nWhen analyzing the final payload, our analysts identified it as Casbaneiro, based on the same communication protocol,\r\nstrings and obfuscation mechanisms used. 
The sample analyzed uses the same decryption algorithms for string and\r\npayload decryption as in previously described campaigns. The latest sample analyzed has a compilation date of December\r\n5th, 2022.\r\nCasbaneiro is a Windows banking Trojan written in Delphi that targets users of online banking as well as users of desktop\r\nbanking applications. It is able to collect data about the infected device, take screenshots and perform keylogging,\r\nhijack clipboard data, etc.\r\nThe following Bitcoin wallet is hardcoded in Casbaneiro to be used to replace a cryptocurrency wallet copied by the victim to the\r\nclipboard:\r\nbc1q23dsv7wnngxj3prwjdegk9e2j6c4rs39qg86xk\r\nWhen running, Casbaneiro monitors the launched processes and opened URLs to find those related to banking\r\napplications. It also downloads bank-specific pictures from Google Drive, and uses them to steal 2FA codes from the victim.\r\nThis last step is done to authenticate to the banking application on the actors’ device. For one of the banks such pictures\r\ncontain QR codes generated by the actors; the victim is tricked into scanning them with the mobile banking application\r\nand as a result, a new desktop device (controlled by cyber-criminals) will be authenticated and will have access to the\r\nvictim’s banking account.\r\nConclusion\r\nBeing independent and full-fledged malware families, BrasDex and Casbaneiro form a very dangerous pair, allowing the\r\nactor behind them to target both Android and Windows users on a large scale.\r\nMoreover, the appearance of convenient payment systems not only makes payments comfortable for customers but also\r\nopens an opportunity for cyber-criminals to use them for fraudulent operations. 
The BrasDex case shows the necessity of\r\nfraud detection and prevention mechanisms in place on customers’ devices: fraudulent payments made automatically with\r\nthe help of ATS engines appear legitimate to bank backends and fraud scoring engines, as they are made through the same\r\ndevice that is usually used by the customer. Thus, a proper solution is needed at the very first border to identify suspicious\r\nbehavior during the transaction, combined with visibility of threats present on the customer’s devices.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading\r\nmobile threat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. This\r\nwill give you and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nBrasDex Samples\r\nApp Name Package name SHA256\r\nGoogleDocs XML APK com.mydocs.documents 7747a9912e2605b64430a27e3c5af3556c26b4cb04c7242ca4e2cad5b6b33363\r\nGoogleDocs XML APK com.mydocs.documents 26ea3906cd0c724b0e0adb5b6c00144e59aa89aac18cd608c6e5a22c28c8d644\r\nSantander Atualização com.mydocs.documents b549733ed3b77d97c7b2f9f651f22abc4df50899c01612a28ec6809d1a2c0040\r\nBrasDex C2\r\nUrl\r\nbrasdex[.]com\r\nBrasDex Targets\r\nPackage name Application name\r\ncom.picpay PicPay: Pagamentos, Transferências, Pix e Cashback\r\ncom.itau Banco Itaú: Gerencie sua conta pelo celular\r\ncom.nu.production Nubank\r\ncom.bradesco Bradesco\r\nbr.com.gabba.Caixa CAIXA\r\ncom.santander.app Santander Brasil\r\nbr.com.original.bank Banco Original\r\nbr.com.intermedium Inter: conta digital completa\r\nbr.com.bb.android Banco do Brasil\r\ncom.binance.dev Binance (not fully developed ATS Script)\r\nBrasDex 
Conditions\r\nConditions Description\r\nenabled Is enabled\r\ntextEqL Text is equal (lowercase)\r\nprevNodeDescC Previous Node Description contains string s\r\ndescCL Node Description contains\r\ndescEq Node Description equals\r\nprevNodeTextC Previous Node Description contains\r\ngetBlc Get balance value\r\nprevNodeTextEqL Previous node text equals (lowercase)\r\ntextCL Text contains (lowercase)\r\ntextEq Text equals\r\ngetChildsChildDesc Get description of child of child node\r\ngetChildsChildText Get text of child of child node\r\nisClickable Node is clickable\r\nclickNodeVerify Click node passed as parameter\r\ngetChildDesc Get child node description\r\ngetChildText Get child node text\r\nclassName Get className\r\nacc Check type of account (EMAIL,CPF,CEL)\r\nblc Check balance\r\nclickNodeParentVerify Click parent node\r\nisParentClickable Is parent node clickable\r\ndescC Description contains\r\nhintC Hint contains\r\nisNum Is number\r\nnoBlc Check if no balance\r\ntextC Text contains\r\ndisabled Is disabled\r\nresName Get view id resource name\r\nprevNodeDescCL Previous node description contains (lowercase)\r\nprevNodeDescEq Previous node description equals\r\nprevNodeTextCL Previous node text contains (lowercase)\r\nprevNodeTextEq Previous node text equals\r\ngetCounter Get saved value of specified string\r\nclickCurrentNodeVerify Click current node\r\nisStuck Check if engine is stuck on some action (100 secs)\r\ngetNodeListSize Get node list size\r\nBrasDex Actions\r\nActions Description\r\nBRASetVal Set value for com.bradesco\r\nclickNode Click node\r\naddCounter Create/add new counter\r\nORISetVal Set value for br.com.original.bank\r\ntemplate Set colors for template to overlay\r\nfinish Finish execution and send data to C2\r\naddNode Add node to node list\r\nclickNodesParent Click nodes parent\r\nclickCurrentNode Click current 
node\r\nreturn Stops recursive search in nodes\r\nsetAcc Set account\r\nsetBlc Set balance value (from either text or description)\r\nNUSetVal Set value for com.nu.production\r\nINTSetVal Set value for br.com.intermedium\r\nclickCurrentsChildNode Click current node child\r\nCXSetVal Set value for br.com.gabba.Caixa\r\nSetPwCharAt Set password char by char\r\nact Give accessibility focus to the node\r\nback Press back\r\nhome Press home\r\nnext Press next\r\nwait Wait set time\r\nsetPw Set password value\r\nincreaseCounter Increase specified counter by one\r\nlogTemplate Present window to log specific data\r\nSANSetVal Set value for com.santander.app\r\nfocusCurrentNode Get action focus to the current node\r\nrecents Press recents\r\nsetBlcBB Set balance value for Banco do Brasil\r\nITASetVal Set value for com.itau\r\nfocusNode Get action focus to the specified node\r\nsleepTolerance Set sleep tolerance before aborting\r\nsetBlc2 Set balance value (from either text or description)2\r\nsetText Set Text\r\nCasbaneiro samples\r\nSHA 256\r\n5a3b2128c550829ab357abd7c830506df73893e204a8e2578fc1e61a72de3df5\r\n519d76eb6fea8b1a699c3a543b5f5eafab883ed92f6d207b8fa0189482b72ba1\r\nSource: https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html"
	],
	"report_names": [
		"brasdex-a-new-brazilian-ats-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e727dff3f25e0edfb4423f0f8eaa34b2abca752.pdf",
		"text": "https://archive.orkl.eu/9e727dff3f25e0edfb4423f0f8eaa34b2abca752.txt",
		"img": "https://archive.orkl.eu/9e727dff3f25e0edfb4423f0f8eaa34b2abca752.jpg"
	}
}