Brazilian regional / PIX + boleto payment fraud — Portuguese-language email + Brazilian-banking brand (Banco do Brasil / Caixa / Itaú / Bradesco / Nubank / Santander Brasil / Inter / PicPay / Mercado Pago / Stone / PagSeguro / C6 Bank, etc.) + scam narrative + one of: fake PIX "Copia e Cola" EMV QR code, fake boleto 47-digit "linha digitável" barcode, or "PIX errado / enviei por engano / favor devolver" refund narrative. Delivers payment-rail fraud — victim pastes the code into their bank app, funds transfer directly to the attacker; no malware component. Evidence: Kaspersky BR, Exame, Estado de Minas Jan 2026, Banco Pan, IronVest Brazil-Banking-Fraud 2026, BankInfoSec "$130M grabbed via Brazil's Real-Time Payment System." Distinct from Casbaneiro (court-summons + password-PDF + banking-trojan narrative)
pix-boleto-copy-paste-code-latam-phishing
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Brazilian-regional payment-rail phishing exploiting PIX + boleto, the two dominant Brazilian payment instruments. PIX is a central-bank-run real-time instant-payment system launched by Banco Central do Brasil in 2020 that now processes billions of transactions monthly; boleto is a Brazilian bank payment slip with a distinctive 47-digit "linha digitável" barcode. This signal fires on three fraud variants, all in Portuguese-language email tied to a Brazilian banking/utility brand.
Variant 1: fake PIX "Copia e Cola" EMV-compliant QR-code payload ("00020126...BR.GOV.BCB.PIX...", a copy-paste code the victim pastes into their bank app, which then sends the money directly to the attacker).
Variant 2: fake boleto 47-digit "linha digitável" barcode paired with "boleto em anexo", "segue o boleto", "pague o boleto", "boleto vencendo hoje" phrasing. The victim pays the boleto in their bank app and the funds go to the attacker.
Variant 3: "PIX errado / enviei por engano" refund-request narrative, a social-engineering ploy where the scammer claims they sent a PIX transfer in error and requests the victim "return" it via a phishing link.
Evidence: Kaspersky BR 2026 boleto-fraud report, Exame + Estado de Minas Jan 2026 coverage, Banco Pan and IronVest 2026 Brazil-banking-fraud reports, BankInfoSecurity 2025 "Hackers Grab $130M Using Brazil's Real-Time Payment System," Febraban Cert.br advisories.
This signal is distinct from Casbaneiro (iter 1059: court-summons + password-protected-PDF narrative that drops banking trojans) because PIX-boleto attacks the payment rails directly via copy-paste codes with no malware component.
The fraud artifact is the Brazilian-specific copy-paste code or narrative + Portuguese-language framing + Brazilian brand mention (Banco do Brasil, Caixa, Itaú, Bradesco, Nubank, Santander Brasil, Inter, PicPay, Mercado Pago, Stone, PagSeguro, Getnet, Sicredi, Sicoob, C6 Bank, Will Bank, Neon, utility brands Enel/CPFL/Sabesp/Comgás/Correios) + cold thread (no In-Reply-To). A legitimate boleto or PIX notification from a bank lives inside an existing customer email thread, has the bank's own DKIM signature, and does not instruct the customer to paste a code or return funds to an unverified counterparty.
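A sketch of the code-extraction step for Variants 1 and 2, as an added example that is not Gorganizer's own code: it pulls PIX "Copia e Cola" payloads and 47-digit linhas digitáveis out of an email body and keeps only those that are structurally valid (EMV TLV layout plus CRC-16 for PIX, mod-10 field check digits for boleto). All function names and the sample data are assumptions made for illustration.

```python
import re

PIX_GUI = "BR.GOV.BCB.PIX"  # identifier quoted on the page

def crc16_ccitt(data: bytes) -> int:  # CRC-16/CCITT-FALSE, the checksum in EMV tag 63
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def parse_tlv(s: str, stop_tag=None):
    """Walk id(2)+len(2)+value fields until stop_tag; return (fields, chars consumed)."""
    fields, i = {}, 0
    while i < len(s) and stop_tag not in fields:
        tag, length = s[i:i + 2], int(s[i + 2:i + 4])  # ValueError if not numeric
        if length < 0 or len(s) < i + 4 + length:
            raise ValueError("truncated field")
        fields[tag] = s[i + 4:i + 4 + length]
        i += 4 + length
    return fields, i

def pix_code_at(text: str):
    """Return the structurally valid PIX code that starts at text[0], else None."""
    try:
        top, end = parse_tlv(text, stop_tag="63")
        gui = parse_tlv(top.get("26", ""))[0].get("00", "")
        crc = f"{crc16_ccitt(text[:end - 4].encode()):04X}"  # covers everything up to "6304"
    except ValueError:
        return None
    ok = top.get("00") == "01" and gui.upper() == PIX_GUI and top.get("63", "").upper() == crc
    return text[:end] if ok else None

def mod10_dv(field: str) -> int:  # boleto check digit: weights 2,1,2,... from the right
    total = sum(sum(divmod(int(c) * (2 - p % 2), 10)) for p, c in enumerate(reversed(field)))
    return (10 - total % 10) % 10

def boleto_ok(d: str) -> bool:  # 47 digits; fields 1-3 each end in a mod-10 check digit
    return len(d) == 47 and all(mod10_dv(f[:-1]) == int(f[-1]) for f in (d[:10], d[10:21], d[21:32]))

def find_payment_codes(body: str) -> list:
    pix = [("pix", c) for m in re.finditer("000201", body) if (c := pix_code_at(body[m.start():]))]
    runs = (re.sub(r"\D", "", m.group()) for m in re.finditer(r"(?<!\d)(?:\d[ .]?){46}\d(?!\d)", body))
    return pix + [("boleto", d) for d in runs if boleto_ok(d)]

# Constructed sample, not real payment data: the key, name and boleto digits are made up.
_head = "00020126430014BR.GOV.BCB.PIX0121chave@example.invalid5204000053039865802BR5912NOME EXEMPLO6009SAO PAULO6304"
SAMPLE_PIX = _head + f"{crc16_ccitt(_head.encode()):04X}"
SAMPLE_EMAIL = f"Pague via PIX:\n{SAMPLE_PIX}\nBoleto: 00190.00009 01234.567897 00000.000018 1 12340000010000\n"
```

A structurally valid code only shows that the email carries a payable instrument; it becomes a fraud indicator when combined with the Portuguese framing, brand mention and cold-thread conditions described above.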
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.