
New Details on Plump Spider's Operations in Pix Fraud Schemes

Written by Content Team | Oct 8, 2025 5:32:07 PM

Researchers from the Axur Research Team (ART) have identified additional details about the operational workflow the Plump Spider group uses to execute systemic fraud within Brazil's instant payment system (Pix). The findings describe how the attackers seek direct access to the environments where XML pacs.008 payment orders are generated and, most critically, where the financial institution's digital signature is applied. Read the full article to understand this risk.

The Pix System and Recent Incidents Involving Transactions

What is Pix? Pix is Brazil's instant payment system launched by the Central Bank of Brazil (Banco Central do Brasil) in 2020. Unlike traditional payment methods, Pix enables real-time money transfers 24/7, settling within seconds. Think of it as combining the functionality of Zelle, Venmo, and ACH transfers, but with instant settlement guaranteed by the central bank. Pix has become the dominant payment method in Brazil, processing billions of transactions monthly. This critical infrastructure makes it an attractive target for sophisticated cybercriminals.

The accelerated modernization of Brazil's National Financial System, driven by Pix payment technology, has brought undeniable efficiency but simultaneously concentrated risks in the infrastructure of companies that integrate this technology.

High-profile attacks against technology service providers (PSTIs, the IT vendors that connect financial institutions to the Central Bank's systems) have demonstrated that cybercriminals seek to exploit the weakest link in the chain: the vendor who has access to critical communication systems with the Central Bank. The Brazilian group Plump Spider, with its sophistication in social engineering and evasion, is the threat model best suited to this purpose.

What is Systemic Fraud and How Plump Spider is Expanding Beyond the Financial Sector

Systemic fraud is a type of attack directed at an institution's core infrastructure, with the objective of compromising internal processes and trust mechanisms that support large-scale financial operations. Unlike individual fraud, it exploits vulnerabilities in critical systems such as payment networks, digital signature modules, transaction gateways, or authentication services to assume the operational identity of the organization itself.

By doing this, the malicious actor can produce or validate transactions as if they were the legitimate institution, impacting not only isolated customers but the integrity of the payment ecosystem and market trust. This type of fraud directly compromises security and compliance controls, potentially generating significant financial losses, regulatory risk, and reputational instability.

New Discovery: How Attackers Access Payment Order Environments

To carry out this fraud against a financial institution, attackers need access to the environment where payment orders, formatted as ISO 20022 pacs.008 XML messages, are generated and, more importantly, where the institution's digital signature is applied. What makes the attack succeed is the ability to force the legitimate system to sign fraudulent orders, so that the Central Bank's SPI (Sistema de Pagamentos Instantâneos, the settlement system behind Pix) accepts them as valid and settles large sums instantly into accounts controlled by the fraudsters.

Initially, the group focused only on banking institutions. In an October 2025 report, ART (Axur Research Team) researchers highlight that Plump Spider has begun attacking insurance companies, retail businesses, and point-of-sale system providers.

Plump Spider's Attack Vector and the Risk of Systemic Fraud

The attack chain can begin in two ways:

  • Social engineering (vishing): Attackers impersonate IT technicians to induce employees to install legitimate remote management software (RMM), such as AnyDesk, TeamViewer, Supremo, HoptoDesk, RustDesk, and SyncroRMM.

  • Insider recruitment: the group looks for employees of these institutions willing to work with it, offering money, a percentage of the attack proceeds, legal support, and delivery of already "laundered" funds.

The most common targets include managers, who can create fake accounts for use in attacks; IT staff, due to their knowledge of infrastructure and network topology; and, crucially, those with corporate VPN access.

The group uses compromised government infrastructure to host its tools, which increases victim trust and makes blocking by security solutions more difficult.

Anatomy of an Attack

Once inside the network, the group moves laterally and works to ensure persistence and evasion. It installs SoftEther VPN to create encrypted tunnels that hide command-and-control (C2) traffic. The reconnaissance phase uses tools such as AdExplorer to map Active Directory (AD), identify privileged accounts, and map the target's internal architecture, an essential step before reaching the Pix Gateway.

If the attack reaches the Pix Gateway, the final step is manipulating the application into generating a pacs.008 message with the fraudulent data and then abusing the application's interaction with the Hardware Security Module (HSM). The attacker does not need to steal the private key, which stays inside the HSM; it is enough to make the legitimate application use that key to sign the malicious payment order. The institution's own signing certificate then vouches for the fraud, and nothing in the signature itself distinguishes it from a legitimate transaction.

Practical Recommendations

To protect against this threat, the following detection opportunities should be observed:

IT and Network Infrastructure

  • Monitor execution of unauthorized RMM software (AnyDesk, TeamViewer, Syncro) on critical servers/endpoints;
  • Alert on creation of non-corporate VPN tunnels (SoftEther on endpoints outside the perimeter);
  • Map connections to compromised Brazilian government infrastructures or hosting IPs outside the financial scope, which serve as C2 indicators.

Identity Management (IAM) and Active Directory

  • Observe use of non-standard AD reconnaissance tools (e.g., AdExplorer, AdFind, SharpHound), which may indicate reconnaissance phase.
  • Monitor creation of new administrative or service accounts outside institutional policy. Observe key events: 4720 (account creation), 4722 (enabling), 4728/4732/4756 (addition to privileged groups).
  • Watch for unauthorized AD replication attempts (DCSync), which may appear as 4662 events.
  • Monitor critical changes in AD objects and permissions, such as ACL, GPO, or delegation changes. Create use cases for events 5136 (directory object modification) and 4739 (domain policy change).
  • Analyze privileged login anomalies, such as failed sequences (4625) followed by success (4624), logons with special privileges (4672) from unusual origins or via VPN.
  • Implement Active Directory tiering (Tiered Administration Model), separating administrative accounts by criticality levels:
    • Tier 0: domain controllers, HSMs, PKI - highly restricted access, never used on common workstations or via VPN.
    • Tier 1: application and infrastructure servers - segmented and monitored access.
    • Tier 2: end-user workstations - accounts without administrative permissions outside local scope.
  • Implement Just-In-Time (JIT) access model, ensuring administrative privileges are granted only when truly necessary and for limited time.
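
The detection opportunities above can be turned into a small correlation routine. The following Python is an added example, not Axur's code or a detection from the article: it runs the IAM rules listed above (new account followed by addition to a privileged group, a failed-logon sequence followed by success, special-privilege logons from the VPN pool, DCSync-style 4662 replication requests) plus the RMM and recon-tool execution check from the IT section over constructed Security log records exported as JSON lines. The field names, the VPN address pool, the 30-minute window, the failure threshold, the executable names and the use of event 4688 (process creation) for the tool-execution check are assumptions for the example; the replication-right GUIDs in the 4662 rule are the standard Active Directory values.

```python
import json
from datetime import datetime, timedelta

PRIV_GROUP_EVENTS = {4728, 4732, 4756}   # member added to a global / local / universal security group
# Standard AD extended-right GUIDs requested during DCSync-style replication.
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
VPN_POOL = "10.200."                      # assumption: address pool handed out by the corporate VPN
# RMM and AD-recon tools named in the article; the executable names are assumptions.
WATCHED_BINARIES = {"anydesk.exe", "teamviewer.exe", "supremo.exe", "hoptodesk.exe",
                    "rustdesk.exe", "syncro.exe", "adexplorer.exe", "adfind.exe", "sharphound.exe"}


def parse_events(jsonl):
    """Load one Security-log record per line (field names are assumptions for this example)."""
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=30), fail_threshold=5):
    """Return (rule, principal, detail) tuples for the patterns the article recommends watching."""
    alerts = []
    created = {}    # target account -> time of its 4720
    failures = {}   # target account -> timestamps of its 4625s
    for e in events:
        eid = e["id"]
        if eid == 4720:
            created[e["target"]] = e["ts"]
        elif eid in PRIV_GROUP_EVENTS:
            t0 = created.get(e["target"])
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append(("new-account-privileged", e["target"],
                               f"created at {t0:%H:%M}, then {eid} into {e['group']} by {e['subject']}"))
        elif eid == 4625:
            failures.setdefault(e["target"], []).append(e["ts"])
        elif eid == 4624:
            recent = [t for t in failures.get(e["target"], []) if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("failures-then-success", e["target"],
                               f"{len(recent)} x 4625 before 4624 from {e['ip']}"))
        elif eid == 4672 and e.get("ip", "").startswith(VPN_POOL):
            alerts.append(("privileged-logon-via-vpn", e["subject"], f"4672 from VPN address {e['ip']}"))
        elif eid == 4662 and any(g in e.get("props", "") for g in REPL_GUIDS) and not e["subject"].endswith("$"):
            # Domain controllers replicate with their machine accounts (ending in $); anyone else is suspect.
            alerts.append(("dcsync", e["subject"], "replication rights requested by a non-DC account"))
        elif eid == 4688 and e.get("image", "").rsplit("\\", 1)[-1].lower() in WATCHED_BINARIES:
            alerts.append(("rmm-or-recon-tool", e["subject"], f"{e['image']} on {e['host']}"))
    return alerts


# Constructed sample log: a vishing victim runs AnyDesk, then a service account is sprayed,
# logs on over the VPN, creates a new admin and pulls replication data from the domain.
SAMPLE_EVENTS = r"""
{"ts": "2025-10-08T01:50:00", "id": 4688, "subject": "jsilva", "host": "WS-FIN-07", "image": "C:\\Users\\jsilva\\Downloads\\AnyDesk.exe"}
{"ts": "2025-10-08T02:10:00", "id": 4625, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:10:20", "id": 4625, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:10:40", "id": 4625, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:11:00", "id": 4625, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:11:20", "id": 4625, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:12:30", "id": 4624, "target": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:13:00", "id": 4672, "subject": "svc-pixgw", "ip": "10.200.5.17", "host": "DC01"}
{"ts": "2025-10-08T02:20:00", "id": 4720, "subject": "svc-pixgw", "target": "backup-adm", "host": "DC01"}
{"ts": "2025-10-08T02:21:00", "id": 4728, "subject": "svc-pixgw", "target": "backup-adm", "group": "Domain Admins", "host": "DC01"}
{"ts": "2025-10-08T02:25:00", "id": 4662, "subject": "backup-adm", "target": "DC=corp,DC=local", "props": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "host": "DC01"}
{"ts": "2025-10-08T09:00:00", "id": 4624, "target": "mrocha", "ip": "10.10.1.45", "host": "DC01"}
"""


def demo():
    """Run the rules over the constructed sample and return the alerts in time order."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, who, detail in demo():
        print(f"[{rule}] {who}: {detail}")
```

On the sample above the routine raises five alerts in sequence (RMM execution, spray-then-success, privileged logon via VPN, new account made privileged, DCSync) and stays silent on the routine 09:00 logon. In production the same chain is what a tiering model is meant to make impossible: a Tier 0 account should never produce a 4672 from a VPN address at all, so that rule can be tightened to an outright policy violation rather than a heuristic.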

Pix Gateway, Certificates, and HSM

  • Monitor real-time use of signing key in HSM, creating alerts for deviations in XML pacs.008 signature request patterns.

  • Monitor administrative operations on HSM, which should be rare, such as key creation, permission changes, or export attempts. Associate with manufacturer audit or system logs.

  • Observe deviations in Pix Gateway transaction patterns, such as sudden volume increases or transactions outside usual hours. Here, in addition to application telemetry, it's important to correlate with privileged logons (4672) and secret access (4663 – access to protected objects).

  • Watch for attempts to alter certificates or Gateway configurations, correlating with 5136 (configuration object changes) and system file modification logs.
  • Detect unusual access to secret vaults or KMS, which may appear as 4663 events (access to sensitive file/object) on servers storing Pix Gateway configs.
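
Both the final step described in "Anatomy of an Attack" (forcing the legitimate application to sign a fraudulent pacs.008) and the first bullet above (alerting on deviations in signature requests) point to the same control: a policy gate between the Pix Gateway and the HSM that inspects every pacs.008 before the signing call is made. The Python below is an added example, not code from Axur or from any Pix gateway product. It parses the standard ISO 20022 elements of a constructed pacs.008 message and refuses unattended signing when the order breaks policy, so that an attacker who can make the application emit a message still cannot make it sign one silently. The schema version in the namespace, the amount limits, the business-hours window and the creditor registry are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from decimal import Decimal

# Assumption: the pacs.008 schema version in use; deployments pin this to the version
# required by the Pix message catalogue. The element names are the standard ISO 20022 ones.
PACS008_NS = "urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"
NS = {"p": PACS008_NS}

# Illustrative policy values (assumptions, not figures from the article).
POLICY = {
    "max_single_amount": Decimal("50000.00"),     # above this, a human approves before signing
    "max_batch_amount": Decimal("200000.00"),     # ceiling for the sum of one signed message
    "business_hours": (7, 22),                    # unattended signing only within these local hours
    "known_creditors": {"12345678901234567890"},  # hypothetical registry of previously paid accounts
}


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_pacs008(xml_bytes):
    """Extract the fields a signing gate needs from a pacs.008 message."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{PACS008_NS}}}Document":
        raise ValueError(f"unexpected root element {root.tag}")
    msg = root.find("p:FIToFICstmrCdtTrf", NS)
    if msg is None:
        raise ValueError("missing FIToFICstmrCdtTrf")
    txs = []
    for tx in msg.findall("p:CdtTrfTxInf", NS):
        amt = tx.find("p:IntrBkSttlmAmt", NS)
        txs.append({
            "end_to_end_id": _text(tx, "p:PmtId/p:EndToEndId"),
            "amount": Decimal(amt.text.strip()),
            "currency": amt.get("Ccy"),
            "creditor_ispb": _text(tx, "p:CdtrAgt/p:FinInstnId/p:ClrSysMmbId/p:MmbId"),
            "creditor_account": _text(tx, "p:CdtrAcct/p:Id/p:Othr/p:Id"),
        })
    return {"msg_id": _text(msg, "p:GrpHdr/p:MsgId"), "transactions": txs}


def evaluate_signing_request(xml_bytes, now, policy=POLICY):
    """Return (allowed, findings). A message with findings must not reach the HSM unattended."""
    parsed = parse_pacs008(xml_bytes)
    findings, total = [], Decimal("0")
    for tx in parsed["transactions"]:
        tag = tx["end_to_end_id"] or "<no EndToEndId>"
        if tx["currency"] != "BRL":
            findings.append(f"{tag}: currency {tx['currency']} is not BRL")
        if tx["amount"] > policy["max_single_amount"]:
            findings.append(f"{tag}: amount {tx['amount']} exceeds the single-transaction limit")
        if tx["creditor_account"] not in policy["known_creditors"]:
            findings.append(f"{tag}: creditor account {tx['creditor_account']} is not in the registry")
        total += tx["amount"]
    if total > policy["max_batch_amount"]:
        findings.append(f"{parsed['msg_id']}: batch total {total} exceeds the batch limit")
    start, end = policy["business_hours"]
    if not start <= now.hour < end:
        findings.append(f"{parsed['msg_id']}: signing requested at {now.isoformat()} outside business hours")
    return len(findings) == 0, findings


# Constructed sample: one routine transfer plus one large transfer to an unknown account.
SAMPLE_PACS008 = f"""<Document xmlns="{PACS008_NS}">
  <FIToFICstmrCdtTrf>
    <GrpHdr><MsgId>M2025100800001</MsgId><NbOfTxs>2</NbOfTxs></GrpHdr>
    <CdtTrfTxInf>
      <PmtId><EndToEndId>E00000000202510081200abc00000001</EndToEndId></PmtId>
      <IntrBkSttlmAmt Ccy="BRL">1500.00</IntrBkSttlmAmt>
      <CdtrAgt><FinInstnId><ClrSysMmbId><MmbId>00000000</MmbId></ClrSysMmbId></FinInstnId></CdtrAgt>
      <CdtrAcct><Id><Othr><Id>12345678901234567890</Id></Othr></Id></CdtrAcct>
    </CdtTrfTxInf>
    <CdtTrfTxInf>
      <PmtId><EndToEndId>E00000000202510081200abc00000002</EndToEndId></PmtId>
      <IntrBkSttlmAmt Ccy="BRL">480000.00</IntrBkSttlmAmt>
      <CdtrAgt><FinInstnId><ClrSysMmbId><MmbId>99999999</MmbId></ClrSysMmbId></FinInstnId></CdtrAgt>
      <CdtrAcct><Id><Othr><Id>00000000000000000099</Id></Othr></Id></CdtrAcct>
    </CdtTrfTxInf>
  </FIToFICstmrCdtTrf>
</Document>""".encode("utf-8")

OFF_HOURS = datetime(2025, 10, 8, 3, 0)   # 03:00, outside the unattended window
IN_HOURS = datetime(2025, 10, 8, 14, 0)   # 14:00, inside it


def demo():
    """Run the gate at both timestamps and return {label: (allowed, findings)}."""
    return {"off_hours": evaluate_signing_request(SAMPLE_PACS008, OFF_HOURS),
            "in_hours": evaluate_signing_request(SAMPLE_PACS008, IN_HOURS)}


if __name__ == "__main__":
    for label, (allowed, findings) in demo().items():
        print(label, "ALLOW" if allowed else "HOLD FOR REVIEW", findings)
```

Every finding the gate emits is also the "deviation in signature request patterns" the first bullet asks for, so the same output can feed the SIEM alongside the HSM's own audit log. The gate only helps if the signing credential is reachable through this path alone: if the gateway's service identity can call the HSM directly from any code path, an attacker who controls the application simply bypasses the check, which is why the HSM-side monitoring and the Tier 0 restrictions on the HSM remain necessary.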

Access Axur's Cyber Threat Intelligence solution insight to review TTPs, IoCs, and other recommendations here.

Conclusion

The advance of groups like Plump Spider demonstrates that the sophistication of systemic fraud keeps pace with the evolution of the payment ecosystem itself. When attackers can position themselves within the operational flow of financial institutions and payment providers, traditional defense mechanisms become insufficient.

For organizations, it's not just about detecting suspicious events, but understanding the adversary, their tactics, and their attack chain. The continuous research by the Axur Research Team (ART) keeps this knowledge current and applicable, offering the community references on how threats emerge and adapt.

Continue exploring other analyses and technical reports in our resource library.