Menu
Browse

Cyber Threat Actor: GoatRAT

Actor Type Location Known Incidents
 Icon
Criminal
China
3 incidents
Profile

GoatRAT is an Android banking trojan that has been publicly identified by the alias GoatRAT and is associated with a known location in China according to available reporting. The malware functions as a remote administration tool that has been repurposed to conduct financial fraud by exploiting Brazil’s Pix instant payment system. Its observed activity focuses on compromising Android devices to steal Pix keys and initiate unauthorized money transfers from victims’ accounts without requiring additional authentication codes or SMS interception. The strategic objective demonstrated by its operations is the direct theft of funds through automated transfer mechanisms, indicating a financially motivated threat actor.

The trojan’s typical tactics involve abusing the Android Accessibility Service to detect when a targeted banking application is in the foreground, after which it creates a transparent overlay window that mimics the legitimate app interface. Through this overlay it silently inputs transaction details, including the stolen Pix key and transfer amount, and then simulates clicks on the Confirm and Pay buttons to complete the fraudulent payment. GoatRAT does not incorporate capabilities for credential harvesting, SMS interception, or two‑factor authentication bypass, instead relying solely on an automated transfer system (ATS) framework to move money directly from compromised accounts. This approach aligns with a broader trend noted by researchers of Android banking malware that emphasizes streamlined, permission‑light fraud techniques over traditional multi‑stage theft methods.

Publicly reported incidents illustrate GoatRAT’s focus on Brazilian financial institutions, with notable campaigns targeting NUBank, PagBank, and Banco Inter in March 2023. In each case the malware used its overlay and automated clicking routine to execute instant Pix transfers from compromised customer accounts, affecting multiple banks across the region. The activity was documented by cybersecurity researchers who linked the observed behavior to the GoatRAT family and highlighted its role in the growing prevalence of ATS‑based Android trojans in Latin America. No public attribution to a specific state sponsor or criminal consortium has been made beyond the geographic association with China, and the reporting does not describe any additional infrastructure, tooling, or victimology beyond the outlined banking fraud operations.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source