A sophisticated fraud campaign exploiting Indonesia’s official Coretax tax platform has led to an estimated nationwide financial impact of $1.5m to $2m.
According to findings released by Group-IB, the operation began in July 2025 and intensified in January 2026 during the national tax filing period. It impersonated the Coretax web service to trick users into installing malicious mobile applications.
The security experts explained how Coretax, accessible only through its official website and not via a mobile app, became the lure for a coordinated attack chain combining phishing websites, WhatsApp impersonation of tax officers and voice phishing (vishing) calls.
Victims were directed to download fraudulent APK files, which enabled remote access to their devices and unauthorized banking transactions.
Investigators linked the campaign to the GoldFactory threat cluster, which deployed multiple malware families, including Gigabud.RAT and MMRat.
Group-IB identified 228 new malware samples during the investigation. The infrastructure behind the scheme was also used to impersonate more than 16 trusted brands spanning government services, airlines, pension funds and energy providers.
Read more on mobile banking trojans: New Android RAT Klopatra Targets Financial Data
According to the report, the fraudsters targeted a potential pool of 67 million Indonesian taxpayers. Among financial institutions protected by Group-IB, the fraud success rate was limited to 0.027% of malware-compromised devices due to predictive detection systems.
The broader financial impact was calculated using a device compromise rate of 0.025%, equivalent to roughly 2.5 in 1000 banking users. When applied across Indonesia’s population of 287 million exposed to the abused brands, losses and associated operational costs were estimated between $1.5m and $2m.
The researchers also uncovered 996 phishing URLs generated through a centralized framework, suggesting a malware-as-a-service (MaaS) model capable of expanding into other countries, including Thailand, Vietnam, the Philippines and South Africa.
Detection and Predictive Defence
The campaign relied on a multi-stage process:
-
Phishing links distributed via fake WhatsApp tax officials
-
Installation of malicious apps that freeze devices and harvest data
-
Voice calls pressuring victims to transfer alleged tax payments
-
Screen recording to capture banking credentials and OTP codes
-
Remote account takeover (ATO) and fund transfers through mule networks
Group-IB said layered detection combining signature analysis, behavioral monitoring and contextual intelligence reduced losses among its clients.
By mapping infrastructure patterns and forecasting brand impersonation trends, the firm reported preventing most fraudulent transactions before funds were withdrawn.
The findings highlight how coordinated malware operations can erode trust in digital public services, particularly when they exploit critical platforms such as national tax systems.
