How Did the 2025 Banking Trojan Campaign Spread Across Asia?
It's a typical afternoon in Jakarta. Maria, a busy mother and office worker, gets a call from someone claiming to be from her local bank. The voice is polite but urgent: there is suspicious activity on her account, and she must download a security update right away to avoid a freeze. Trusting the familiar bank logo in the link sent via WhatsApp, she installs the app on her Android phone. Within minutes, her savings vanish into thin air, transferred to unknown accounts halfway across the world. This is not fiction. It is the harsh reality for thousands caught in the GoldFactory banking trojan campaign that swept through Southeast Asia in 2025. What started as targeted scams in late 2024 exploded into a regional crisis, infecting over 11,000 devices and causing millions in losses. As mobile banking booms in Asia, cybercriminals have found fertile ground. In this blog, we will trace how this trojan spread like wildfire, from sneaky phone calls to tampered apps. We will break it down simply, explaining terms like "trojan" as sneaky malware disguised as helpful software. If you are new to cybersecurity, you are in the right place. Let's uncover the path of destruction and arm ourselves with knowledge to stop it.
Table of Contents
- Introduction
- Background on the GoldFactory Campaign
- Initial Vectors: Phishing and Social Engineering
- The Role of Modified Banking Apps
- Geographical Spread Across Southeast Asia
- Technical Breakdown of the Malware
- Impacts and Real-World Effects
- Key Vulnerabilities Exposed
- Prevention Strategies for Users and Institutions
- Conclusion
- Frequently Asked Questions
Introduction
The year 2025 marked a turning point for digital threats in Asia. With smartphone penetration reaching 70 percent in Southeast Asia and mobile banking transactions surging 40 percent, the stage was set for sophisticated attacks. GoldFactory, a Chinese-speaking cybercrime group, emerged as a major player. Linked to earlier malware like Gigabud, this campaign targeted everyday users with ruthless efficiency. By mid-December, reports confirmed over 11,000 infections, primarily in Indonesia, Vietnam, and Thailand. Unlike random hacks, GoldFactory blended old-school tricks with cutting-edge tech, turning trusted apps into thieves. This blog explores the campaign's journey, from its roots to its ripple effects. We will use clear examples and avoid jargon, defining words like "phishing" as fake messages designed to trick you into sharing info. Understanding this spread helps not just Asia, but anyone relying on digital finance. As banks digitize, so do the dangers. Let's map the trail.
Background on the GoldFactory Campaign
GoldFactory did not appear overnight. Traces lead back to October 2024, when security firms first spotted unusual activity in Thailand. The group, believed to operate from China, specializes in mobile fraud. They build on tools like Gigabud, a remote access trojan or RAT, which lets hackers control devices remotely. By early 2025, the campaign evolved, shifting focus to Southeast Asia's booming economies.
What sets GoldFactory apart? They impersonate trusted entities, from banks to government agencies. This social engineering, or manipulating people psychologically, exploits cultural trust in authority. In a region where 80 percent of adults use mobile money, the stakes are high. Early victims in Thailand reported drained accounts after "updating" apps. As word spread, so did the attacks, adapting to local languages and apps like Zalo in Vietnam.
Experts link GoldFactory to broader APAC threats, with over 300 unique malicious apps detected by December 2025. The campaign's success lies in its hybrid approach: human deception plus automated malware. For beginners, imagine a con artist handing you a poisoned gift. That's GoldFactory in action. This background shows why 2025 became their playground.
Initial Vectors: Phishing and Social Engineering
The campaign's engine is phishing, but not the email kind you ignore. GoldFactory starts with phone calls. Scammers dial victims, posing as bank reps or officials. "Your account is at risk," they say, urgency in their voice. They then instruct the victim to download a "fix" via a link shared on WhatsApp or Zalo.
In Vietnam, they mimicked EVN, the state power company. Victims got calls warning of unpaid bills, leading to fake apps for "payment linking." This tactic, called vishing or voice phishing, preys on fear of disconnection. Once engaged, victims add the scammer on messaging apps for the link, creating a personal touch that builds false trust.
Social engineering amplifies this. Scammers use local dialects, reference real events like tax deadlines, and even spoof caller IDs. By mid-2025, this vector alone drove thousands of downloads. It's simple yet effective: people trust voices more than texts. Understanding these entry points is crucial, as they bypass tech defenses with human ones.
The Role of Modified Banking Apps
Once hooked, the real trap springs: trojanized apps. Hackers take legitimate banking software, such as the app from BCA in Indonesia, decompile it (that is, turn the packaged app back into readable code) and inject malware. The app looks and works normally at first, lulling users, while hidden code steals data in the background.
Group-IB identified over 300 such variants, with 63 percent aimed at Indonesia. Distribution happens via fake Google Play pages or direct APKs. Victims sideload these, bypassing stores. The malware uses hooking frameworks: FriHook with Frida, SkyHook with Dobby, or PineHook. These "hook" into the app, intercepting login details and transactions.
Why modify legitimate apps? Because the result evades antivirus by mimicking the original: signatures match, but backdoors open for RATs. This stealth turned casual downloads into data heists, fueling the campaign's spread.
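As an added illustration of the static triage an analyst runs on a suspected rebuild (example code written for this post, not Group-IB's tooling or anything recovered from the campaign): treat the APK as the ZIP file it is, list its native libraries against a name list for the hooking runtimes mentioned above, and hash the v1 signature block so it can be compared with the bank's known-good release. The indicator names, the "genuine" signature blob and the sample APKs are all constructed for the demo.

```python
"""Static triage of an Android APK for repackaging indicators (added example)."""
import hashlib
import io
import re
import zipfile

# Assumed file-name indicators for hooking runtimes that a repackaged APK may
# carry as native libraries (the post names Frida and Dobby; "pine" covers the
# PineHook family it mentions). Illustrative, not a vetted IoC list.
HOOKING_LIB_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"frida", r"dobby", r"pine")]

# Constructed stand-in for the v1 signature block (META-INF/CERT.RSA) of the
# genuine build. In practice this hash comes from the bank's own release.
GENUINE_SIGNER_BLOB = b"constructed PKCS#7 blob of the genuine build"
KNOWN_GOOD_BLOCK_SHA256 = hashlib.sha256(GENUINE_SIGNER_BLOB).hexdigest()


def triage_apk(apk_bytes: bytes) -> dict:
    """Return repackaging indicators for an APK given as raw bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        native_libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        hooking_libs = [
            n for n in native_libs
            if any(p.search(n.rsplit("/", 1)[-1]) for p in HOOKING_LIB_PATTERNS)
        ]
        # v1 (JAR) signing stores the PKCS#7 block under META-INF/. Hashing it
        # identifies the exact build: any re-signing, by anyone, changes it.
        # v2/v3-only APKs have no such entry and must be inspected with apksigner.
        sig_entries = [
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        ]
        block_hashes = {n: hashlib.sha256(zf.read(n)).hexdigest() for n in sig_entries}

    if hooking_libs:
        verdict = "repackaged"
    elif not block_hashes:
        verdict = "no_v1_signature_inspect_signing_block"
    elif KNOWN_GOOD_BLOCK_SHA256 in block_hashes.values():
        verdict = "matches_known_build"
    else:
        verdict = "unknown_build"
    return {
        "native_libs": native_libs,
        "hooking_libs": hooking_libs,
        "signature_blocks": block_hashes,
        "verdict": verdict,
    }


def build_sample_apk(repackaged: bool, v1_signed: bool = True) -> bytes:
    """Construct a minimal APK-shaped ZIP for the demo (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
        zf.writestr("classes.dex", b"constructed dex")
        zf.writestr("lib/arm64-v8a/libapp.so", b"constructed app lib")
        if repackaged:
            zf.writestr("lib/arm64-v8a/libfrida-gadget.so", b"constructed gadget")
        if v1_signed:
            blob = (b"constructed blob of the attacker's re-signed build"
                    if repackaged else GENUINE_SIGNER_BLOB)
            zf.writestr("META-INF/CERT.RSA", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("genuine", build_sample_apk(False)),
                       ("rebuild", build_sample_apk(True))):
        print(label, triage_apk(apk)["verdict"])
```

Hashing META-INF/CERT.RSA identifies an exact build rather than the signer certificate: any re-signing changes it, which is what makes it useful for a "does this match our release" check, but a certificate-level comparison (and any v2/v3-only APK, which has no such entry) needs the output of `apksigner verify --print-certs`.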
Geographical Spread Across Southeast Asia
GoldFactory's expansion was methodical. It began in Thailand in late 2024, targeting urban users with bank scams. By January 2025, it hit Vietnam, leveraging EVN impersonations during billing seasons. Infections there topped 1,000 by March.
Indonesia became the hotspot mid-year. With 200 million potential users, scammers localized apps for banks like Mandiri. By September, nearly 2,200 infections were tracked. The spread used cross-border networks: Chinese operators hired locals for calls, adapting scripts culturally.
Other countries such as the Philippines saw probing activity, but the core damage stayed in those three. The contributing factors were high reliance on mobile devices, lax app vetting, and economic growth that draws fraud. This geography shows that local adaptation was key to the campaign's regional dominance.
Technical Breakdown of the Malware
At its heart, GoldFactory deploys RATs like Gigabud, MMRat, Remo, and the new Gigaflower. These abuse Android's accessibility services, meant to help users with disabilities, to read screens and simulate taps.
Gigaflower, a 2025 upgrade, handles 48 commands. It streams screens via WebRTC, logs keys, reads UI, performs gestures, overlays fake PIN prompts, and uses OCR to scan IDs, even Vietnamese ID cards with QR codes. To hide, it spoofs signatures, blocks screencasts, and uses custom tokens for integrity checks.
For non-techies, it's like a spy in your phone, watching and acting unseen. This sophistication let it persist, extracting balances and authorizing transfers undetected.
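Because the RATs above depend on being granted accessibility access, the list of enabled accessibility services on a device is a high-value check for support desks and incident responders. The following is an added example, not code from the post: it parses the secure setting enabled_accessibility_services (readable over USB debugging with `adb shell settings get secure enabled_accessibility_services`) and flags anything outside an allowlist. The allowlist and the sample setting value are constructed for the demo; TalkBack's component name is used as a familiar legitimate entry but should be verified against your own devices.

```python
"""Audit enabled Android accessibility services against an allowlist (added example)."""
from __future__ import annotations

# Assumed allowlist of packages that legitimately need accessibility access on
# managed or supported devices. Treat as an assumption, not a reference list.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Constructed sample of the setting value: a colon-separated list of
# package/service component names, with the second entry mimicking a
# sideloaded "security update" app that requested accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.update.security/.SvcAccess"
)


def parse_enabled_services(setting: str) -> list[str]:
    """Expand the setting string into full 'package/class' component names."""
    if setting is None or setting.strip().lower() in ("", "null"):
        return []  # `settings get` prints "null" when nothing is enabled
    services = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # short form: class is relative to the package
        services.append(f"{pkg}/{cls}")
    return services


def audit_accessibility_services(setting: str, allowlist: set[str] = ALLOWED_PACKAGES) -> list[str]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [
        svc for svc in parse_enabled_services(setting)
        if svc.split("/", 1)[0] not in allowlist
    ]


if __name__ == "__main__":
    for svc in audit_accessibility_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", svc)
```

In a banking context a single unexpected entry here is enough to justify a hold on the account until the device has been reviewed, because that service can read the screen and perform gestures exactly as the post describes.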
Impacts and Real-World Effects
The toll was immense. Over 11,000 infections meant countless stolen credentials, leading to fraudulent loans and transfers. While exact losses are hard to pin down, similar campaigns cost Asia $1.5 billion yearly; GoldFactory likely added tens of millions.
Victims like Maria faced wiped savings and ruined credit. Banks scrambled with alerts, but trust eroded. To illustrate, here is a table of key impacts by country.
| Country | Infections | Primary Targets | Estimated Impact |
|---|---|---|---|
| Thailand | ~1,500 | Local banks | Early disruptions, awareness campaigns |
| Vietnam | ~3,000 | EVN, utilities | Service fears, data breaches |
| Indonesia | ~2,200 | BCA, Mandiri | Major losses, regulatory probes |
| Total | 11,000+ | Mobile users | Millions in fraud |
This table highlights the uneven but devastating spread. Beyond money, emotional scars linger, with victims reporting anxiety over digital tools.
Key Vulnerabilities Exposed
The campaign spotlighted three flaws. First, Android's sideloading allows unvetted apps onto devices. Second, accessibility services are useful but abusable. Third, users trust phone calls and anyone claiming to be an official.
Banks' slow update cycles left apps exposed to tampering. Regional differences mattered too: Vietnam's dependence on Zalo aided the spread. Overall, the campaign showed that mobile security lags behind mobile adoption.
Prevention Strategies for Users and Institutions
Fighting back starts with awareness. Users: verify calls independently, stick to official stores, enable Google Play Protect.
- Use strong PINs, avoid sharing OTPs.
- Monitor accounts daily.
- Update apps promptly.
Banks should deploy multi-factor authentication and anomaly detection on transactions. Governments should run awareness drives and vet apps. Together, these measures close the doors the campaign walked through.
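One thing the prevention list leaves implicit is what "anomaly detection" has to look like against this campaign: the fraud runs on the victim's own, already-enrolled phone, so a device-fingerprint rule alone never fires. The scoring below is an added example (not from the post or any bank's system) run over a constructed customer profile and constructed transfer records; the signals and weights are assumptions chosen to show how screen-reading malware still leaves a detectable footprint in the transaction itself.

```python
"""Rule-based transfer scoring for trojanized-app fraud (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Profile:
    """What the bank already knows about a customer (constructed)."""
    avg_amount_30d: float
    known_devices: set[str]
    known_payees: set[str]


@dataclass
class Transfer:
    """One transfer request as seen by the bank's back end (constructed)."""
    user: str
    amount: float
    device_id: str
    payee: str
    minutes_since_install: int    # age of the banking app install on this device
    accessibility_active: bool    # app-side signal: an accessibility service is attached


def score_transfer(t: Transfer, p: Profile) -> tuple[int, list[str]]:
    """Add up assumed risk weights; return the score and the reasons behind it."""
    score, reasons = 0, []
    if t.device_id not in p.known_devices:
        score += 2; reasons.append("new device")
    if t.payee not in p.known_payees:
        score += 2; reasons.append("new payee")
    if p.avg_amount_30d and t.amount > 3 * p.avg_amount_30d:
        score += 3; reasons.append("amount >3x 30-day average")
    if t.accessibility_active:
        # The RATs in this campaign drive the UI through accessibility services.
        score += 2; reasons.append("accessibility service active")
    if t.minutes_since_install < 60:
        # A sideloaded rebuild is typically used within minutes of installation.
        score += 1; reasons.append("app installed <1h ago")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: allow, out-of-band step-up, or hold for review."""
    if score >= 6:
        return "hold"
    if score >= 2:
        return "step_up"
    return "allow"


# Constructed profile for the post's example victim.
MARIA = Profile(avg_amount_30d=130.0, known_devices={"dev-A"}, known_payees={"landlord", "grocer"})

# Constructed transfers: a routine payment and a drain run from Maria's own phone.
ROUTINE = Transfer("maria", 120.0, "dev-A", "landlord", 40000, False)
DRAIN = Transfer("maria", 1500.0, "dev-A", "mule-9981", 30, True)


def review(transfers: list[Transfer], profile: Profile) -> list[tuple[str, str, list[str]]]:
    """Score a batch and return (payee, decision, reasons) per transfer."""
    out = []
    for t in transfers:
        score, reasons = score_transfer(t, profile)
        out.append((t.payee, decide(score), reasons))
    return out


if __name__ == "__main__":
    for payee, decision, reasons in review([ROUTINE, DRAIN], MARIA):
        print(f"{payee:10} -> {decision:8} {reasons}")
```

Note that the drain scores high even though it comes from a known device: the new payee, the out-of-pattern amount and the attached accessibility service carry it. Step-up for mid-range scores should be out of band (a callback to the number on file, not a prompt in the app), since the malware overlays fake PIN prompts and can read anything shown on screen.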
Conclusion
The 2025 GoldFactory campaign spread via clever phishing, modified apps, and regional adaptation, infecting 11,000+ devices across Thailand, Vietnam, and Indonesia. It exposed gaps in both trust and technology, costing millions in money and confidence. Yet the lessons are clear: verify, update, educate. As Asia digitizes, proactive defenses can turn vulnerability into strength. Stay alert; the next call might save your savings.
Frequently Asked Questions
What is the GoldFactory campaign?
A 2025 cyber fraud operation targeting Southeast Asia with trojanized banking apps to steal financial data.
How did it start spreading?
Via vishing calls impersonating authorities, directing victims to malicious app links.
What are modified banking apps?
Legitimate apps altered with malware to look safe while stealing info.
Which countries were hit hardest?
Indonesia, Vietnam, and Thailand, with over 11,000 infections total.
What malware does it use?
RATs like Gigaflower, which controls devices remotely.
Why target Southeast Asia?
High mobile banking use and trust in official communications.
How many infections occurred?
More than 11,000 devices compromised by December 2025.
Are iOS devices affected?
Less so; attackers shifted to Android due to iOS security.
What is social engineering here?
Tricking people with urgent, authoritative calls to install malware.
Can antivirus stop it?
Often yes, if updated; but modified apps evade basic scans.
What losses did victims face?
Drained accounts, fraudulent loans, estimated millions regionally.
How do RATs work?
They grant remote control, reading screens and simulating actions.
Is Zalo involved?
Yes, used in Vietnam to share phishing links.
What is OCR in the malware?
Optical character recognition to scan and extract data from images like IDs.
How do I verify a suspicious call?
Hang up and call the official number directly.
Do banks reimburse victims?
Some do, but it varies; report immediately.
What hooking frameworks are used?
FriHook, SkyHook, and PineHook, which inject code into apps.
Can users prevent sideloading risks?
Disable unknown sources in settings and use official stores.
Who is behind GoldFactory?
A Chinese-speaking group linked to prior malware like Gigabud.
What should governments do?
Launch awareness campaigns and enforce app security standards.