New NGate variant hides in a trojanized NFC payment app
Essential information
- Published: 21/04/2026 16:32
- Modified: 22/04/2026 08:29
- Tags: 2026-04-21, ai-generated code, brazil targeting, fake lottery, handypay trojanization, nfc relay, ngate, payment card fraud, phantomcard, pin theft
- Related entities: 6 observables, 1 technique (MITRE), 2 malware, 7 others
Description
ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.