Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
A sophisticated fraud campaign by the GoldFactory threat cluster targeted 67 million Indonesian residents during tax season using fake Coretax applications distributed via phishing websites and WhatsApp social engineering. The campaign employed the Gigabud.RAT and MMRat malware families with shared infrastructure abusing over 16 trusted government and financial brands. The attack combined vishing, screen recording, and remote access to compromise devices and conduct unauthorized financial transfers. Financial losses in Indonesia are estimated at USD 1.5-2 million, with global impacts potentially reaching USD 6 million annually across multiple countries. This malware-as-a-service infrastructure enables scalable, cross-border operations affecting Thailand, Vietnam, the Philippines, and South Africa, undermining trust in digital government services.
AI Analysis
Technical Summary
The GoldFactory threat cluster executed a large-scale fraud campaign exploiting Indonesia's tax season by distributing fake Coretax applications through phishing websites and WhatsApp social engineering. The campaign leveraged Gigabud.RAT and MMRat malware families, sharing infrastructure that abused over 16 trusted brands in government and financial sectors. The attack chain involved vishing, screen recording, and remote access tools to compromise devices and facilitate unauthorized financial transactions. This industrialized malware-as-a-service (MaaS) infrastructure supports horizontal scaling and cross-border operations extending to Southeast Asia and South Africa, demonstrating a coordinated effort to exploit digital government service trust.
Potential Impact
The campaign targeted 67 million residents in Indonesia, causing estimated financial losses of USD 1.5-2 million nationally. Globally, the impact could reach USD 6 million annually across multiple countries including Thailand, Vietnam, Philippines, and South Africa. The use of remote access trojans and social engineering enabled unauthorized financial transfers and device compromise, undermining trust in government and financial digital services.
Mitigation Recommendations
No specific patch or remediation is available as this is a malware campaign leveraging social engineering and RATs. Organizations and users should remain vigilant against phishing and vishing attempts, especially during tax season. Awareness campaigns and user education on recognizing fake applications and suspicious communications are recommended. Monitoring for indicators of compromise related to Gigabud.RAT and MMRat malware families can aid detection. Since this is not a vulnerability with a patch, mitigation focuses on prevention and detection.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
- Adversary: GoldFactory
- Pulse Id: 6a0daa32ac6609fbd06d30ae
- Threat Score: null
Threat ID: 6a0f32f9e1370fbb4819e58c
Added to database: 5/21/2026, 4:29:45 PM
Last enriched: 5/21/2026, 4:45:03 PM
Last updated: 5/21/2026, 5:31:58 PM