Infoblox Threat Intel and Chong Lua Dao linked a sophisticated Android banking trojan to operations run from the K99 Triumph City compound in Sihanoukville, Cambodia, using technical analysis, escapee testimony, and recovered evidence. The malware-as-a-service platform enables real-time surveillance, credential theft (including biometric capture), SMS interception, and large-scale domain-based lures targeting victims across at least 21 countries. #K99TriumphCity #AndroidBankingTrojan
Keypoints
- Researchers linked an Android banking trojan to the K99 Triumph City scam compound using technical indicators, screenshots, and testimony from rescued captives provided by Chong Lua Dao.
- The trojan is a MaaS platform offering real-time remote monitoring, SMS and call interception, camera/microphone access, credential harvesting, biometric capture, device fingerprinting, and the ability to install additional software.
- Attackers distribute the APK via hundreds of RDGA and lookalike lure domains impersonating government agencies, banks, airlines, and e-commerce sites; roughly 35 new domains are registered per month.
- Domain infrastructure is heavily registered through Hong Kong-based registrars (Dominet, Domain International Services/Namemart) and favors .com, .top, and .cc TLDs; most domains are fronted by Cloudflare.
- Evidence shows segmented, country-labeled C2/admin panels (e.g., “Indonesia Group,” “Brazil Group”), custom APK management, and toolsets for facial recognition, AI/voice deepfakes, and modified banking app development.
- Infrastructure and behavioral overlaps tie the operation to activity previously attributed to Vigorish Viper and Vault Viper; the researchers assess that an unknown Chinese-speaking MaaS administrator services multiple Mekong-region scam centers that run on forced labor.
- The operation remains active and resilient, with ongoing domain rotation, repurposing of lures, and campaigns targeting Southeast Asia, Africa, Europe, and Latin America.
MITRE Techniques
- [T1566] Phishing – Lure sites and social engineering are used to trick victims into downloading the malicious APK (‘These lure sites prompt the user to download a mobile app, which uses base64-encoded JavaScript to deliver a 23MB malicious APK trojan.’)
- [T1204] User Execution – Victims are instructed to install and run a malicious APK, often after following a link or QR code sent via messaging apps (‘When the APK is executed, the app displays a fake login screen…’).
- [T1056] Input Capture – The trojan accesses the device’s microphone and camera to capture input as part of real-time surveillance (‘real-time remote monitoring, SMS and phone call interception, camera and microphone access’).
- [T1113] Screen Capture – Attackers deploy overlays and capture visual/biometric data (facial recognition) while presenting fake KYC screens to victims (‘the operator simultaneously triggers biometric capture in the background’).
- [T1071] Application Layer Protocol – Malware communicates with attacker-controlled C2 infrastructure to receive commands and transmit harvested data (‘which is then aggregated and exfiltrated to the attacker’s C2.’)
- [T1041] Exfiltration Over C2 Channel – Collected contacts, notes, photos, SMS, call logs, and device fingerprints are exfiltrated to C2 servers for use in fraud and account takeover (‘exfiltrated to the attacker’s C2.’)
Indicators of Compromise
- [Domain] Targeted lure domains used to distribute the malicious APK – vsgo[.]cc, orgo[.]cc, and 398 other targeted lure domains observed (400 total analyzed in 2025)
- [Domain] C2 and management domains used by the MaaS administrator – vnwd[.]top, alafrica[.]xyz, and 40 other active C2 domains (42 active C2 domains noted)
- [IP Address] C2 servers tied to the operation – 103.214.169[.]197, 18.167.169[.]60, and 1 other C2 IP (38.47.52[.]4)
- [File Hash] Malicious APK samples – 4fff28eecc0ab6303e4948df77671009dda5b93ed3d1cead527b02d1317426bc, 39ea88f852b25d3c55d605464a3440bd250a577e3e21f52d1eaf94d15aad5b82, and 2 more sample hashes
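As an added example (not code from the Infoblox or Chong Lua Dao report), a small Python helper that refangs the defanged domain and IP indicators listed above and sweeps them against constructed DNS/proxy log lines, labelling hits as lure domain, C2 domain or C2 IP; the log layout and the client/host values are assumptions made up for the demonstration.

```python
import ipaddress

# Indicators copied from the list above, in defanged form.
LURE_DOMAINS = ["vsgo[.]cc", "orgo[.]cc"]
C2_DOMAINS = ["vnwd[.]top", "alafrica[.]xyz"]
C2_IPS = ["103.214.169[.]197", "18.167.169[.]60", "38.47.52[.]4"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y) back into its real form."""
    return indicator.replace("[.]", ".").strip().lower()

LURE_SET = {refang(d) for d in LURE_DOMAINS}
C2_SET = {refang(d) for d in C2_DOMAINS}
C2_IP_SET = {ipaddress.ip_address(refang(i)) for i in C2_IPS}

def domain_hit(host: str, domains) -> bool:
    """Exact or subdomain match only: 'notvnwd.top' must not match 'vnwd.top'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host: str, dst_ip: str):
    """Label one lookup as 'lure-domain', 'c2-domain', 'c2-ip', or None."""
    if domain_hit(host, LURE_SET):
        return "lure-domain"
    if domain_hit(host, C2_SET):
        return "c2-domain"
    try:
        if ipaddress.ip_address(dst_ip) in C2_IP_SET:
            return "c2-ip"
    except ValueError:  # unresolved or malformed address field
        pass
    return None

# Constructed DNS/proxy log lines (not real telemetry): "timestamp client host resolved_ip".
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 api.vnwd.top 103.214.169.197
2025-06-01T10:00:02Z 10.0.0.5 www.example.com 93.184.216.34
2025-06-01T10:00:03Z 10.0.0.7 vsgo.cc 203.0.113.9
2025-06-01T10:00:04Z 10.0.0.9 cdn.somehost.net 38.47.52.4
2025-06-01T10:00:05Z 10.0.0.9 notvnwd.top 198.51.100.2
"""

def scan(log_text: str):
    """Return (timestamp, client, host, label) for each line hitting an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, dst = parts
        label = classify(host, dst)
        if label:
            hits.append((ts, client, host, label))
    return hits
```

The subdomain rule matters in practice: the report notes hundreds of rotating lure and C2 domains, so matching on the registered domain and any host beneath it catches new subdomains without flagging unrelated names that merely end in the same letters.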