Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
ID: b189d2f7-077f-5e67-a176-dc488e52ceba
STIX ID: report--b189d2f7-077f-5e67-a176-dc488e52ceba
Feed Name: Group-IB Blog
Group-IB reports a coordinated fraud campaign (Jul 2025–Jan 2026) impersonating Indonesia’s Coretax service to distribute sideloaded malicious Android apps that enable screen recording, accessibility abuse, and remote access (Gigabud.RAT, MMRat, Taotie). The GoldFactory-linked operation leverages phishing URLs, WhatsApp/social engineering, and vishing to coerce victims into payments. It includes hundreds of phishing domains and 228+ samples, and caused an estimated national impact of up to USD 1.5–2M (Jan 2026 extrapolated). The report provides IOCs and mitigation guidance for defenders.
