A new family of Boleto malware is changing up its mechanisms to infect victims' machines and ultimately compromise transactions worth billions of dollars.

The “Onyx” family has strayed from the original “Eupuds” family primarily in the way it infects victims' browsers, according to an RSA report. While Eupuds injects malicious code into various web browsers' memory during runtime, Onyx alters its attack depending on the browser.

When a victim uses Chrome or Firefox for a Boleto payment, the malware is installed as an extension and executes its JavaScript code. In Internet Explorer, the malware changes Boleto information through the Component Object Model interface within the browser.

Onyx also leaves the Boleto bank code unmodified, and it invalidates the barcode either by downloading a full barcode image from a malicious server or by trying to create a new one with black and white bars.