A sophisticated fraud campaign exploiting Indonesia’s official Coretax tax platform has caused an estimated nationwide financial impact of $1.5m to $2m. Beginning in July 2025 and surging during the January 2026 tax filing period, the operation impersonated Coretax to distribute malicious APKs via phishing sites, WhatsApp and vishing, and was linked to the GoldFactory cluster deploying Gigabud.RAT and MMRat. #Coretax #GoldFactory
Keypoints
- The campaign impersonated Indonesia’s Coretax portal to trick users into installing fraudulent mobile apps.
- Activity began in July 2025 and intensified in January 2026 during the national tax filing period.
- Attackers used phishing websites, WhatsApp impersonation, vishing calls, malicious APKs, screen recording, and mule networks to steal funds.
- Group-IB linked the operation to the GoldFactory cluster and identified malware families including Gigabud.RAT and MMRat, plus 228 new samples and 996 phishing URLs.
- Layered detection and predictive defenses limited client losses and flagged the infrastructure as a potential MaaS capable of expansion to other countries.
Read More: https://www.infosecurity-magazine.com/news/fake-coretax-apps-fraud-indonesia/