By posing as official agencies, cybercriminals connected to the financially driven group GoldFactory have been seen launching a new round of attacks against mobile users in Vietnam, Thailand, and Indonesia.
According to a technical study released recently, the activity, observed since October 2024, involves the distribution of altered banking applications that serve as a conduit for Android malware.
GoldFactory, believed to have been active since June 2023, first came to attention early last year when the Singapore-headquartered cybersecurity firm Group-IB described how the threat actor used custom malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus to target both Android and iOS devices.
Evidence suggests that Gigabud, another Android malware discovered in mid-2023, is closely associated with GoldFactory, a well-organized cybercrime outfit. GoldDigger and Gigabud have been found to share impersonation targets and landing pages despite significant differences in their codebases.
In the most recent wave, the first cases were found in Thailand; the threat then surfaced in Vietnam in late 2024 and early 2025, and in Indonesia from mid-2025.
According to Group-IB, more than 300 distinct samples of altered banking applications have caused about 2,200 infections in Indonesia. Further research has uncovered more than 3,000 artifacts that, according to the report, caused at least 11,000 infections. About 63% of the modified banking apps are aimed at the Indonesian market.
In summary, the infection chains involve posing as reputable local firms and government agencies, contacting potential victims by phone, and tricking them into installing malware by directing them to a link sent via messaging apps such as Zalo.
In at least one instance that Group-IB has documented, scammers pretended to be EVN, the official power provider of Vietnam, and demanded that victims pay past-due electricity bills or face having their service immediately suspended.
The threat actors reportedly asked the victims to add them on Zalo during the call so that they could be sent a link to download an app and link their accounts.
“While earlier campaigns focused on exploiting KYC processes, recent activity shows direct patching of legitimate banking applications to commit fraud,” the researchers said.
“The use of legitimate frameworks such as Frida, Dobby, and Pine to modify trusted banking applications demonstrates a sophisticated yet low-cost approach that allows cybercriminals to bypass traditional detection and rapidly scale their operation.”
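The runtime-patching approach the researchers describe leaves traces that an app-integrity or device-telemetry check can look for: shared objects belonging to instrumentation frameworks loaded into the banking app's process, and anonymous read-write-execute memory regions of the kind injected code tends to occupy. The following is an added example, not code from Group-IB or from the report, that scans `/proc/<pid>/maps`-style output for such indicators. The library-name substrings for Frida, Dobby, and Pine, the sample memory map, and the package name `com.example.bank` are assumptions constructed for the illustration, not a vetted indicator list.

```python
"""Flag hooking-framework artifacts in a Linux/Android process memory map.

Added example: parses /proc/<pid>/maps lines and reports (1) mapped libraries
whose names match instrumentation frameworks and (2) rwx regions, which
legitimate app code rarely needs. Indicator substrings are assumptions for
the example, not an authoritative detection list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed indicator substrings (lower-case); tune to your own telemetry.
HOOK_LIBRARY_INDICATORS = {
    "frida": ("frida-agent", "frida-gadget", "libfrida"),
    "dobby": ("libdobby",),
    "pine": ("libpine",),
}

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed sample map for a hypothetical banking app process.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b200000-7a1b300000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7a1c000000-7a1c100000 r-xp 00000000 fd:01 5678   /data/app/com.example.bank/lib/arm64/libbank.so
7a1d000000-7a1d200000 r-xp 00000000 00:00 0      /data/local/tmp/re.frida.server/frida-agent-64.so
7a1e000000-7a1e010000 rwxp 00000000 00:00 0
7a1f000000-7a1f020000 r-xp 00000000 fd:01 9012   /data/data/com.example.bank/files/libdobby.so
"""


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Turn maps text into a list of region dicts; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(m.groupdict())
    return regions


def classify_region(region: Dict[str, str]) -> Optional[str]:
    """Return a label for a suspicious region, or None if it looks benign."""
    path = region["path"].lower()
    for framework, needles in HOOK_LIBRARY_INDICATORS.items():
        if any(needle in path for needle in needles):
            return framework
    # Readable, writable and executable at once: typical of injected code.
    # Some JIT engines also produce rwx pages, so treat this as a weaker signal.
    if region["perms"][:3] == "rwx":
        return "rwx-region"
    return None


def scan_maps(text: str) -> List[Tuple[str, str]]:
    """List (label, path) pairs for every region that classifies as suspicious."""
    findings = []
    for region in parse_maps(text):
        label = classify_region(region)
        if label is not None:
            findings.append((label, region["path"] or "<anonymous>"))
    return findings


def frameworks_detected(text: str) -> List[str]:
    """Sorted, de-duplicated list of labels found in the map (for a verdict or log)."""
    return sorted({label for label, _ in scan_maps(text)})


if __name__ == "__main__":
    for label, path in scan_maps(SAMPLE_MAPS):
        print(f"{label:12s} {path}")
    print("verdict:", frameworks_detected(SAMPLE_MAPS) or "clean")
```

On a device the same logic would read `/proc/self/maps` from inside the app or `/proc/<pid>/maps` from a privileged agent; the scan is cheap enough to run at sensitive moments such as login or transaction signing. Name matching alone is easy to evade by renaming libraries, so pair it with APK signature verification and server-side device-attestation checks rather than relying on it by itself.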
