Goldfactory Hits Southeast Asia With Modified Banking Apps Driving...

Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.

The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report published Wednesday.

Assessed to be active as far back as June 2023, GoldFactory first gained attention early last year, when the Singapore-headquartered cybersecurity company detailed the threat actor's use of custom malware families like GoldPickaxe, GoldDigger, and GoldDiggerPlus targeting both Android and iOS devices.

Evidence points to GoldFactory being a well-organized Chinese-speaking cybercrime group with close connections to Gigabud, another Android malware that was spotted in mid-2023. Despite major disparities in their codebases, both GoldDigger and Gigabud have been found to share similarities in their impersonation targets and landing pages.

The first cases in the latest attack wave were detected in Thailand, with the threat subsequently appearing in Vietnam by late 2024 and early 2025 and in Indonesia from mid-2025 onwards.

Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. Further investigation has uncovered over 3,000 artifacts that it said led to no less than 11,000 infections. About 63% of the altered banking apps cater to the Indonesian market.

The infection chains, in a nutshell, involve the impersonation of government entities and trusted local brands and approaching prospective targets over the phone to trick them into installing malware by instructing them to click on a link sent on messaging apps like Zalo.

In at least one case documented by Group-IB, fraudsters posed as Vietnam's public power company EVN and urged victims to pay overdue electricity bills or risk facing immediate suspension of the service. During the call, the threat actors are said to have asked the victims to add them on Zalo so as to receive a link to download an app and link their accounts.

The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers

Source: The Hacker News