CloudSEK researchers have identified a highly targeted and dangerous mobile malware campaign in Indonesia, designed to steal financial and personal data from civil servants and pensioners. The attackers are impersonating PT Dana Tabungan dan Asuransi Pegawai Negeri (Persero)—commonly known as TASPEN, Indonesia’s state pension fund—to execute large-scale fraud and surveillance.
The campaign is notable for its precision and its exploitation of trust. According to the report, “A sophisticated and highly targeted mobile malware campaign is actively leveraging the trusted brand of Indonesia’s state pension fund… to execute a full-spectrum data theft and financial fraud operation against the nation’s pensioners and civil servants.”
The attackers distribute a malicious Android application disguised as an official TASPEN portal. Once installed, the app can steal banking credentials, intercept one-time passwords (OTPs) from SMS, and even capture biometric data using facial video recording.

The attack lifecycle follows a multi-stage process designed to maximize reach and minimize detection:
- Phishing Website – A fake portal at taspen[.]ahngo[.]cc mimics TASPEN’s branding and slogan: “A reliable app, easier with TASPEN.”
- Fake App Download – Victims, mostly retirees, are tricked into downloading the malware-laced APK.
- Data Harvesting – Once executed, the malware steals credentials and installs a banking trojan to capture additional data.
- Exfiltration – Stolen information is sent to attacker-controlled command-and-control (C2) servers for fraud or resale.
The fake portal even uses weaponized Google Play buttons to initiate direct malware downloads, while Apple App Store links display a “System is being upgraded” message—preventing iOS users from reporting the scam.
Once installed, the malware demonstrates highly advanced surveillance features. CloudSEK’s analysis revealed:
- SmsService – Intercepts and reads SMS messages to steal OTPs, enabling fraud.
- ScreenRecordService – Records user activity in real time, capturing banking logins and personal messages.
- CameraService – Activates facial video recording, allowing biometric theft that could support deepfake-based identity fraud.
- ContactData harvesting – Extracts entire address books, enabling secondary phishing campaigns.
Communication with the C2 servers is encrypted and disguised. For example, when credentials are exfiltrated, the malware sends an HTTP POST request to rpc.syids.top/x/login and the server answers with a fake HTTP 400 error, so that in network traffic the theft looks like an ordinary failed login attempt.
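The four capabilities listed above (SMS interception, screen recording, camera capture, contact harvesting) each require a specific Android permission, so a fake "portal" app declaring them in its manifest can be flagged before anything runs. The following triage script is an added example written for this article, not CloudSEK's tooling or code from the malware. The manifest text is constructed (the package name, the service names reused from the report and the layout are illustrative); the permission names are real Android permissions, and the capability mapping and scoring are the editor's own heuristic, not a published rule.

```python
"""Static permission triage for an Android manifest (added example, constructed data)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest resembling what a fake pension-portal dropper might declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakepension">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".SmsService"/>
    <service android:name=".ScreenRecordService"/>
    <service android:name=".CameraService"/>
  </application>
</manifest>
"""

# Constructed benign counterpart: a portal that only talks to its backend.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.portal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# Capability -> permissions that grant it (any one is enough). Editor's mapping.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "network_exfil": {"android.permission.INTERNET"},
}

# A pension/insurance portal has no plausible need for any of these.
UNEXPECTED_FOR_PORTAL = {"sms_interception", "screen_capture", "camera", "contacts"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def declared_services(manifest_xml: str) -> list:
    """Return the android:name of every declared <service>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("service")]


def capabilities(perms: set) -> set:
    """Map the declared permissions onto the capability set above."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml: str) -> dict:
    """Score the manifest: one point per unexpected surveillance capability,
    plus two when SMS access is combined with network access (OTP relay)."""
    perms = declared_permissions(manifest_xml)
    caps = capabilities(perms)
    flagged = caps & UNEXPECTED_FOR_PORTAL
    score = len(flagged)
    if "sms_interception" in caps and "network_exfil" in caps:
        score += 2
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "permissions": sorted(perms),
        "services": declared_services(manifest_xml),
        "capabilities": sorted(caps),
        "flagged": sorted(flagged),
        "risk_score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

On a real APK the manifest is binary XML and must first be decoded (for example with `apktool` or `aapt2 dump`); the scoring is deliberately simple so that an app-vetting team can tune the weights to the app category under review.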
Notably, linguistic artifacts such as Chinese error strings (获取数据失败 – “Failed to fetch data”) strongly suggest a Chinese-speaking threat actor is behind the operation.
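The exfiltration disguise described above (a POST to rpc.syids.top/x/login answered with a fake HTTP 400) leaves a visible shape in web-proxy logs. The script below is an added example for network defenders, not detection content from CloudSEK. The two indicator hostnames are taken from the article; the log format, the client addresses, the allowlist of legitimate login hosts, the `/x/sms` path and all other values are constructed for the demonstration.

```python
"""Proxy-log detection for campaign indicators and the fake-failed-login pattern
(added example; log lines and allowlist are constructed)."""
import re
from dataclasses import dataclass

# Hosts named in the CloudSEK report (written defanged in the article text).
IOC_HOSTS = {"taspen.ahngo.cc", "rpc.syids.top"}

# Constructed: hosts the organisation legitimately logs into from mobile devices.
KNOWN_LOGIN_HOSTS = {"login.example-bank.co.id", "sso.example.go.id"}

# Constructed squid-like format: ts client method url status req_bytes resp_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+) (?P<resp_bytes>\d+)$"
)

# Constructed sample traffic: one infected handset (10.20.0.15), one real failed
# bank login (10.20.0.22) and one unknown host showing the same disguise (10.20.0.31).
SAMPLE_LOG = """\
2025-07-01T08:01:12Z 10.20.0.15 GET https://www.example.go.id/ 200 0 51234
2025-07-01T08:02:40Z 10.20.0.15 GET http://taspen.ahngo.cc/download/taspen.apk 200 0 8423011
2025-07-01T08:05:03Z 10.20.0.15 POST http://rpc.syids.top/x/login 400 612 57
2025-07-01T08:05:09Z 10.20.0.15 POST http://rpc.syids.top/x/sms 400 944 57
2025-07-01T08:06:30Z 10.20.0.22 POST https://login.example-bank.co.id/login 400 188 1420
2025-07-01T08:07:11Z 10.20.0.31 POST http://upd.example-cdn.net/api/login 400 731 55
"""


@dataclass
class Alert:
    client: str
    url: str
    severity: str
    reason: str


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a scheme://host[:port]/path URL."""
    m = re.match(r"^[A-Za-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def analyse_line(line: str):
    """Return an Alert for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    host = host_of(f["url"])
    status, req_bytes, resp_bytes = int(f["status"]), int(f["req_bytes"]), int(f["resp_bytes"])

    # Exact indicator match: high confidence regardless of method or status.
    if host in IOC_HOSTS:
        return Alert(f["client"], f["url"], "high", f"known campaign indicator {host}")

    # Behavioural heuristic: a POST carrying data to a login-looking path on a host
    # outside the allowlist, answered with a 400 and a tiny body, matches the
    # "fake failed login" disguise. Real failed logins usually return a full page.
    if (f["method"] == "POST" and "login" in f["url"].lower()
            and host not in KNOWN_LOGIN_HOSTS and status == 400
            and req_bytes > 0 and resp_bytes < 200):
        return Alert(f["client"], f["url"], "medium",
                     "POST to unknown login endpoint answered with short 400")
    return None


def analyse(log_text: str) -> list:
    """Run analyse_line over every line and collect the alerts."""
    return [a for a in (analyse_line(ln) for ln in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.client} {alert.url}: {alert.reason}")
```

The indicator match is the actionable signal; the heuristic will also fire on legitimate failed logins to hosts missing from the allowlist, so it belongs in a correlation rule (same device, recent APK download, repeated short 400s) rather than a blocking policy.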
The CloudSEK report emphasizes that this is more than financial fraud—it is a strategic attack on trust in Indonesia’s digital transformation.
The campaign specifically targets retirees, one of the most digitally vulnerable demographics, creating financial and emotional harm. Banks also face increased fraud costs, customer support overhead, and reputational damage.
Worryingly, the report warns this model could be replicated against other critical Indonesian institutions, including BPJS Kesehatan, Bank Rakyat Indonesia, and major e-commerce or utility providers.