The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN’s Legacy to Target Indonesian Senior Citizens


A targeted Android malware campaign impersonated Indonesia’s state pension fund TASPEN to distribute a banking trojan/spyware APK that steals credentials, SMS OTPs, contacts, and biometric facial video, exfiltrating data to a remote C2 infrastructure. Evidence in error messages and developer artifacts points to a Chinese-speaking operator using domains like taspen[.]ahngo[.]cc and rpc.syids.top.

Keypoints

  • Adversaries created a phishing website (https://taspen[.]ahngo[.]cc/) mimicking TASPEN to trick primarily senior citizens into sideloading a malicious APK.
  • The malicious APK is packed with DPT-Shell; it unpacks a payload (i111111.zip) at runtime to evade static analysis and deliver malicious .dex files.
  • Malware modules include SmsService (intercept/send SMS), ScreenRecordService (screen recording), CameraService (facial video capture), and ContactData collection for profiling and further phishing.
  • Stolen credentials and other data are exfiltrated via encrypted HTTP POSTs to rpc.syids.top/x/login and a persistent WebSocket channel wss://rpc.syids.top/x/command for real-time C2.
  • Technical artifacts (Chinese error messages and developer comments) and server responses indicate a Chinese-speaking threat actor; Frida detection and anti-analysis measures show advanced evasion.
  • IOCs include phishing and C2 domains, a C2 IP, APK and dropped payload names, hardcoded encryption key, and multiple SHA-256 file hashes for detection.
  • Recommendations include national takedown frameworks, mandatory security standards for public apps, device attestation, behavior-based fraud detection, and public digital literacy campaigns focused on seniors.

MITRE Techniques

  • [T1204] User Execution – Victims were tricked into sideloading a malicious APK from a convincing phishing landing page: “the Google Play button is weaponized to initiate a direct download of the malicious APK.”
  • [T1608] Stage Capabilities – Use of packing (DPT-Shell) to hide payloads and execute only at runtime: “DEX Packing: The malware is protected by DPT-Shell… decrypts the hidden payload in memory and writes it to the application’s private code_cache directory.”
  • [T1056] Input Capture – Interception of SMS messages and OTPs via SmsService to steal authentication tokens: “A persistent background service dedicated to intercepting all incoming SMS messages… Enables the theft of One-Time Passwords (OTPs).”
  • [T1113] Screen Capture – ScreenRecordService records user screens to capture credentials and on-screen activity: “A background service that can initiate screen recording sessions at any time, allowing attackers to visually monitor all user activity in real time.”
  • [T1406] Capture Video – CameraService captures facial video for biometric theft: “Provides extensive functionality for facial video operations. It can start facial recording, compress the captured video, and manage its upload to the C2 server.”
  • [T1041] Exfiltration Over C2 Channel – Encrypted HTTP POSTs to rpc.syids.top/x/login and WebSocket channel wss://rpc.syids.top/x/command for real-time exfiltration and command execution: “When a user enters credentials, the malware sends an HTTP POST request to rpc.syids.top/x/login… configuration file (LyBW_sp.xml) reveals the endpoint: wss://rpc.syids.top/x/command.”
  • [T1497] Execution Guardrails / Anti-Analysis – Detection and termination when Frida hooks are present to prevent instrumentation and analysis: “When standard hooks from the Frida instrumentation toolkit were injected, the application immediately detected them and terminated, throwing a segmentation fault.”
  • [T1609] Container and Resource Discovery – Writing decrypted payload to application’s private code_cache and dropping a ZIP archive (i111111.zip) to activate hidden functionality at runtime: “The payload is dropped as a ZIP archive (named i111111.zip), which contains the real, malicious .dex files.”

Indicators of Compromise

  • [Phishing Domain] distribution site – taspen[.]ahngo[.]cc
  • [C2 Domain] credential exfiltration and command channel – rpc.syids.top
  • [C2 IP Address] backup/beaconing over TLS – 38.47.53.168
  • [Malware Package Name] Android app identifier – org.ptgnj.trbyd.bujuj
  • [Malware File Name] dropped payload archive – i111111.zip
  • [Hardcoded Key] encryption key in config – NEi81XaCiN91C5rfwHxxZamtTk246iWF
  • [File Hashes (SHA-256)] APK and classes.dex hashes – APK: 3ddefbacd77de58c226a388ad92125e1333a7211fc0b1d636dea778923190c4f, classes.dex: 1963b78a98c24e106ba93168f69ad12914e339a155b797a4d6fb6e8ff88819ea, and 2 more hashes
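As an added defensive example (not code from the CloudSEK write-up), the following Python refangs the indicators listed above and checks DNS, proxy, firewall and MDM log lines for them, flagging subdomains of the listed C2 hosts as well; the log lines are constructed for illustration.

```python
import re

# Indicators as published in the write-up above (domains kept defanged).
PHISHING_DOMAINS = ["taspen[.]ahngo[.]cc"]
C2_DOMAINS = ["rpc.syids.top"]
C2_IPS = ["38.47.53.168"]
PACKAGE_NAMES = ["org.ptgnj.trbyd.bujuj"]
SHA256_HASHES = [
    "3ddefbacd77de58c226a388ad92125e1333a7211fc0b1d636dea778923190c4f",  # APK
    "1963b78a98c24e106ba93168f69ad12914e339a155b797a4d6fb6e8ff88819ea",  # classes.dex
]

HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
IP_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
SHA256_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable, lowercased string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def match_line(line: str) -> list:
    """Return (category, indicator) pairs found in one log line, in match order."""
    text = line.lower()
    domains = {refang(d) for d in PHISHING_DOMAINS + C2_DOMAINS}
    hits = []
    for host in HOST_RE.findall(text):
        # Exact match or any subdomain of a listed domain (e.g. cdn.rpc.syids.top).
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append(("domain", host))
    hits += [("ip", ip) for ip in IP_RE.findall(text) if ip in C2_IPS]
    hits += [("sha256", h) for h in SHA256_RE.findall(text) if h in SHA256_HASHES]
    hits += [("package", p) for p in PACKAGE_NAMES if p in text]
    return hits


def scan(lines) -> list:
    """Return (line_number, hits) for every line that contains at least one IOC."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines (not from any real incident).
SAMPLE_LOGS = [
    "2024-06-01T09:14:02Z dns client=10.0.0.12 qname=taspen.ahngo.cc type=A",
    "2024-06-01T09:15:40Z proxy client=10.0.0.12 method=POST url=https://rpc.syids.top/x/login status=200",
    "2024-06-01T09:16:01Z fw allow src=10.0.0.12 dst=38.47.53.168 dport=443",
    "2024-06-01T09:20:00Z mdm device=A1 installed=org.ptgnj.trbyd.bujuj sha256=3ddefbacd77de58c226a388ad92125e1333a7211fc0b1d636dea778923190c4f",
    "2024-06-01T09:21:00Z dns client=10.0.0.13 qname=updates.example.org type=A",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```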


Read more: https://www.cloudsek.com/blog/taspen-malware-campaign-targeting-indonesian-senior-citizens