Threats Affecting Indonesia

TA4922 is a highly sophisticated Chinese-speaking threat actor demonstrating rapid operational tempo and continually evolving malware capabilities. Initially targeting East Asia, particularly Japan, the group has expanded globally to Europe and Africa. The actor deploys multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), alongside legitimate remote management tools like AnyDesk and SyncFuture. Campaigns use localized lures themed around HR, payroll, tax, and invoicing, targeting hundreds to thousands of recipients per campaign. TA4922 conducts credential phishing, fraud operations including credit card theft, and attempts to shift communications to out-of-band channels like LINE, WhatsApp, and Microsoft Teams. The group leverages legitimate cloud hosting services and trusted software for delivery and persistence, combining advanced tradecraft with financially motivated objectives such as data theft, fraud, access resale, and persistent remote access.

MediumMalwareBritish Indian Ocean TerritoryGermanyIndia+7#romulusloader#atlas rat#ta4922

A malware-as-a-service campaign named Weedhack targets Minecraft users by distributing malicious Java JAR files via SEO poisoning and YouTube videos. The malware steals credentials, system information, and can remotely control infected systems. It is notable for its ease of access, free tier, and appeal to younger users, with infections primarily in the U. S. and several other countries. Additionally, a large CountLoader campaign spreads cryptocurrency clipper malware via cracked software, and a separate campaign distributes cryptocurrency miners through pirated content sites. These campaigns leverage sophisticated persistence and evasion techniques and have been active since early 2026.

MediumSecurity-newsUnited StatesGermanyIndia+9#cybersecurity#reddit

A sophisticated fraud campaign exploiting Indonesia's tax season targeted 67 million residents through fake Coretax applications distributed via phishing websites and WhatsApp social engineering. The GoldFactory threat cluster orchestrated operations using Gigabud.RAT and MMRat malware families with shared infrastructure abusing over 16 trusted brands across government and financial sectors. The attack chain combines vishing, screen recording, and remote access capabilities to achieve device compromise and unauthorized financial transfers. Estimated financial impact reaches USD 1.5-2 million nationwide, with global implications extending to USD 6 million annually across multiple countries. The industrialized malware-as-a-service infrastructure enables horizontal scaling across Thailand, Vietnam, Philippines, and South Africa, demonstrating a shift toward unified cross-border operations that systematically undermine trust in digital government services.

MediumMalwareIndonesiaPeruPhilippines+2#goldfactory#gigabud.rat#mmrat

The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.

MediumMalwareRussiaIndiaBritish Indian Ocean Territory+3#python backdoor#silver fox#winos 4.0

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.

CriticalVulnerabilityChinaTaiwanHong Kong+7#cve#cve-2026-30643

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.

HighVulnerabilityUnited StatesIndiaBrazil+7#cve#cve-2026-30573

Key Points Introduction At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […] The post Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets appeared first on Check Point Research .

MediumExploitIndonesiaMalaysiaThailand+4

A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.

MediumCampaignUnited StatesIndiaBrazil+10#cloud-based#social-engineering#uac-bypass

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

CriticalVulnerabilityUnited StatesIndiaPhilippines+7#cve#cve-2026-30562

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_customers.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

MediumVulnerabilityUnited StatesIndiaBrazil+7#cve#cve-2026-30566