{"id":6484,"date":"2025-08-28T10:04:12","date_gmt":"2025-08-28T10:04:12","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/28\/new-malware-attack-exploiting-taspens-legacy-to-target-indonesian-senior-citizens\/"},"modified":"2025-08-28T10:04:12","modified_gmt":"2025-08-28T10:04:12","slug":"new-malware-attack-exploiting-taspens-legacy-to-target-indonesian-senior-citizens","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/28\/new-malware-attack-exploiting-taspens-legacy-to-target-indonesian-senior-citizens\/","title":{"rendered":"New Malware Attack Exploiting TASPEN\u2019s Legacy to Target Indonesian Senior Citizens"},"content":{"rendered":"<div>\n<p>A sophisticated malware campaign has emerged, targeting Indonesia\u2019s most vulnerable digital citizens through a calculated exploitation of trust in the nation\u2019s pension fund system.<\/p>\n<p>The malicious operation impersonates PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), the state-owned pension fund managing over $15.9 billion in assets for millions of Indonesian civil servants and retirees.<\/p>\n<p>This campaign represents a disturbing evolution in cybercrime tactics, weaponizing institutional trust to conduct large-scale financial fraud against senior citizens who are increasingly encouraged to adopt digital services for pension management.<\/p>\n<p>The attack leverages a meticulously crafted <a href=\"https:\/\/cybersecuritynews.com\/anti-phishing-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing website<\/a> hosted at taspen[.]ahngo[.]cc, which mimics an official mobile application download page complete with TASPEN\u2019s branding and the Indonesian slogan \u201cAplikasi Andal, semudah bersama TASPEN\u201d (A reliable app, easy with 
TASPEN).<\/p>\n<p>The fraudulent site features weaponized Google Play and Apple App Store buttons, with the Android version initiating direct downloads of malicious APK files while the iOS button displays a deceptive maintenance message in Bahasa Indonesia to maintain credibility.<\/p>\n<p>CloudSEK analysts <a href=\"https:\/\/www.cloudsek.com\/blog\/taspen-malware-campaign-targeting-indonesian-senior-citizens\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> this campaign through their threat intelligence monitoring, revealing that the malware employs advanced evasion techniques to bypass traditional security measures.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhwOh3QFzLjx_sy1dOTKQnZXAPCjB5pQ1fNBQD5ZF9eE0DuQaaSu6pBJCsq5MXmsOK6aykwNYEX1vx46Z_R9v-gPXIlpI1cD9vtQcI3MMawWQ9RJmC2QqMUuJCyKjfEcf1XPiA0iwghCkVMlJFhdEpDirJOFBaO-K6Z44_MdeVT4nHdNh37x0miVshHB70\/s16000\/Attack%2520Lifecycle%2520%28Source%2520-%2520Cloudsek%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Attack Lifecycle (Source \u2013 Cloudsek)<\/figcaption><\/figure>\n<\/div>\n<p>The malicious application is protected by DPT-Shell, an open-source Android packer that encrypts the executable code and deploys it only during runtime, effectively defeating static analysis tools used by security researchers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-runtime-payload-deployment-and-surveillance-capabilities\"><strong>Runtime Payload Deployment and Surveillance Capabilities<\/strong><\/h2>\n<p>The malware\u2019s most concerning aspect lies in its sophisticated deployment mechanism and comprehensive surveillance capabilities once installed on victim devices.<\/p>\n<p>Upon execution, the DPT-Shell protection system first decrypts the hidden malicious payload in memory before writing it to the application\u2019s 
private code_cache directory as a ZIP archive named i111111.zip.<\/p>\n<p>This runtime unpacking ensures that the true malicious functionality remains completely hidden from <a href=\"https:\/\/cybersecuritynews.com\/web-security-scanners\/\" target=\"_blank\" rel=\"noreferrer noopener\">security scanners<\/a> until the application is actively running on a live device.<\/p>\n<p>Once operational, the malware deploys multiple background services designed for comprehensive data theft.<\/p>\n<p>The SmsService component provides persistent SMS interception capabilities, automatically reading and forwarding all incoming messages including critical two-factor authentication codes.<\/p>\n<p>Simultaneously, the ScreenRecordService enables real-time visual monitoring of all user activities, while the CameraService facilitates facial video capture for biometric data harvesting.<\/p>\n<p>These components work in concert with a ContactData class that systematically exfiltrates the victim\u2019s complete address book, including names, phone numbers, email addresses, and call history.<\/p>\n<p>The malware establishes encrypted communication with its command and control server at rpc.syids.top through both HTTP POST requests for credential theft and persistent WebSocket connections for real-time command execution.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrUgLFdN2rkqw3Xwv1cgFF68BiYXi60WFgCLOZyeiX8a_sCMLb4e1L8WbcHP0s-C4NYDg2sviPl05zl7EGBoLImT_tv6wZR6TDjqWYwAaiOinCiZ86peEV_HlJR-sgik6cRmLZvYcZqXqMqJ6aGv0yzFa1hrgudMdYRkL1NomsFLeM5wBoJ8KCvEFJxFY\/s16000\/Encrypted%2520Credential%2520Exfiltration%2520%28Source%2520-%2520Cloudsek%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Encrypted Credential Exfiltration (Source \u2013 Cloudsek)<\/figcaption><\/figure>\n<\/div>\n<p>When victims enter their banking 
credentials, the <a href=\"https:\/\/cybersecuritynews.com\/chatgpt-powered-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a> encrypts and transmits this data while deliberately displaying Indonesian error messages to mask the successful exfiltration, creating the illusion of a simple failed login attempt.<\/p>\n<p>Attribution analysis reveals strong linguistic indicators pointing to Chinese-speaking threat actors, with error messages in Simplified Chinese found embedded within both the phishing infrastructure and C2 server responses.<\/p>\n<p>The campaign\u2019s success threatens to establish a dangerous precedent for similar attacks against other critical Indonesian public institutions, potentially affecting millions of citizens who rely on digital government services for essential financial and healthcare needs.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-malware-attack-exploiting-taspens-legacy\/\">New Malware Attack Exploiting TASPEN\u2019s Legacy to Target Indonesian Senior Citizens<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n
<BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Malware Attack Exploiting TASPEN\u2019s Legacy to Target Indonesian Senior Citizens A sophisticated malware campaign has emerged, targeting Indonesia\u2019s most vulnerable digital citizens through a calculated exploitation of trust in the nation\u2019s pension fund system. The malicious operation impersonates PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), the state-owned pension fund managing over $15.9 billion [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-6484","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6484"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6484"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6484\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}