As tax season approaches, cybersecurity defenders are tracking a massive escalation in mobile banking fraud. According to a new threat intelligence report by Group-IB, cybercriminals have deployed a highly sophisticated, multi-layered campaign targeting Indonesia's digital public infrastructure. By weaponizing the national tax season, these threat actors have turned mobile devices into direct pipelines for financial theft.
The campaign relies heavily on the impersonation of the official “Coretax” web platform, tricking citizens into sideloading malicious applications that grant attackers full remote control over their smartphones.
This is not a simple credential harvesting scheme. The report reveals a complex web of deception that relies on “industrialized” malware networks.
“The fraud campaign involving fake Coretax apps represents a sophisticated, industrialized threat targeting Indonesia’s digital public infrastructure,” the Group-IB analysis states.

The attack sequence is a masterclass in modern social engineering. It begins with phishing websites and deceptive WhatsApp messages, luring victims into downloading a malicious APK file. Once installed, the attackers escalate the intrusion by combining the malware execution with live voice phishing (vishing) to bypass security warnings and complete the device compromise.
The operational muscle behind this campaign belongs to a notorious threat cluster known as GoldFactory.
Rather than building a single piece of custom malware, GoldFactory leverages a shared infrastructure model to deploy multiple notorious malware families simultaneously, including Gigabud.RAT and MMRat. This “Malware-as-a-Service” (MaaS) approach allows the attackers to scale their operations horizontally with alarming speed.
“By abusing over 16 trusted brands across government and financial sectors, the threat actors have scaled their operations horizontally, resulting in an estimated nationwide financial impact of USD 1.5 million to USD 2 million in Indonesia alone,” the report details.
The damage extends far beyond the initial theft. Group-IB projects that the total economic impact could reach up to USD 6 million when accounting for direct theft, remediation, and the systemic costs of brand recovery.
Moving millions of dollars requires organized syndicates. The report highlights that “The complexity of the cash-out phase suggests that stolen funds are likely laundered through sophisticated networks that transcend national borders, necessitating coordinated intervention by international financial institutions and law enforcement agencies”.
The Coretax campaign serves as a grim case study for the future of mobile threats.
“It demonstrates that contemporary threat actors no longer operate in silos; instead, they utilize industrialized malware-as-a-service (MaaS) frameworks to target entire national ecosystems simultaneously,” Group-IB researchers conclude.
Defenders must recognize that “Mobile banking trojans are not only technical threats; they represent a fusion of cybercrime, social engineering, brand impersonation, and financial fraud execution”. Organizations can no longer rely on isolated security controls; surviving this new era of industrialized fraud requires advanced behavioral detection and proactive, multi-layered defense.