Incidents of malware-enabled fraud and remote-access scams have surged alongside industrial-scale scam operations in Southeast Asia, with governments across the region issuing warnings in recent years. But connecting specific malware to the notorious compounds has been elusive – until now. In new joint research, Infoblox Threat Intel and Vietnamese non-profit Chong Lua Dao uncovered an Android banking trojan that is likely operated from multiple locations including the K99 Triumph City compound in Cambodia, a site previously flagged by the UN and others for large-scale scams and forced labour.
The team uncovered the operation after a spike in anomalous DNS traffic across Infoblox customer networks led to a previously undocumented “malware-as-a-service” platform. The service registers about 35 new domains every month to spoof banks, social-security agencies, tax authorities, utilities and law enforcement in at least 21 countries, with heaviest activity against users in Indonesia, Thailand, Spain and Türkiye.
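The paragraph above describes a service that mints roughly 35 new brand-spoofing domains a month and was spotted through anomalous DNS traffic. One defender-side building block for catching that kind of registration churn is a lookalike-domain scorer run over resolver logs. The example below is added here and is not code from Infoblox, Chong Lua Dao or the research itself; the brand list, lure-word list, log line format and similarity threshold are all assumptions, and the log lines are constructed.

```python
"""
Flag DNS queries for domains that imitate protected bank/government brands.

Added illustration, not the research team's tooling. Assumptions:
- resolver log lines look like "timestamp client qname qtype" (constructed);
- PROTECTED_BRANDS and LURE_WORDS are stand-ins for an institution's own lists;
- registrable_domain() uses a naive last-two-labels rule (a real deployment
  should use the Public Suffix List).
"""
import re
from difflib import SequenceMatcher

# Brand tokens to watch for (constructed placeholders).
PROTECTED_BRANDS = ["examplebank", "taxoffice", "socialsecurity"]

# Generic lure words that phishing kits bolt onto a brand token.
LURE_WORDS = {"secure", "login", "verify", "update", "kyc", "app",
              "mobile", "apk", "gov", "refund"}

# Constructed resolver log excerpt.
SAMPLE_DNS_LOG = """\
2024-05-01T08:00:01Z 10.0.0.12 www.examplebank.com A
2024-05-01T08:00:05Z 10.0.0.12 examplebank-secure-login.xyz A
2024-05-01T08:01:10Z 10.0.0.33 examp1ebank-kyc.top A
2024-05-01T08:02:44Z 10.0.0.33 cdn.jsdelivr.net A
2024-05-01T08:03:02Z 10.0.0.41 taxoffice-refund-apk.click A
2024-05-01T08:03:30Z 10.0.0.41 images.examplebank.com A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_domain(qname):
    """Naive registrable domain: the last two labels (assumption, see header)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def brand_similarity(label, brand):
    """Best similarity between the brand and any window of the label of the
    brand's length, so 'examp1ebank-kyc' still scores high for 'examplebank'."""
    n = len(brand)
    if len(label) <= n:
        windows = [label]
    else:
        windows = [label[i:i + n] for i in range(len(label) - n + 1)]
    return max(SequenceMatcher(None, w, brand).ratio() for w in windows)


def score_domain(qname, allowlist, threshold=0.85):
    """Return a finding dict if qname's registrable domain imitates a
    protected brand and is not on the allowlist, else None."""
    domain = registrable_domain(qname)
    if domain in allowlist:
        return None
    label = domain.split(".")[0]
    best = None
    for brand in PROTECTED_BRANDS:
        sim = brand_similarity(label, brand)
        if sim >= threshold and (best is None or sim > best[1]):
            best = (brand, sim)
    if best is None:
        return None
    tokens = re.split(r"[-_]", label)
    lures = sorted(t for t in tokens if t in LURE_WORDS)
    return {"qname": qname, "domain": domain, "brand": best[0],
            "similarity": round(best[1], 3), "lures": lures}


def scan_log(text, allowlist):
    """Parse constructed-format log lines and collect lookalike findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the pipeline
        ts, client, qname, _qtype = m.groups()
        hit = score_domain(qname, allowlist)
        if hit:
            hit.update({"ts": ts, "client": client})
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DNS_LOG, {"examplebank.com"}):
        print(f"{f['ts']} {f['client']} {f['domain']} "
              f"brand={f['brand']} sim={f['similarity']} lures={f['lures']}")
```

The allowlist carries the institution's legitimate zones so `www.examplebank.com` and `images.examplebank.com` are never flagged, while a substitution such as `examp1ebank` still clears the threshold. In practice the findings feed a ticket or a resolver block, and the threshold is tuned against a week of real query data rather than left at a guessed value.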
Once victims install the fake “government” or “banking” app, operators gain full control of the device. The trojan can capture facial-recognition data during spoofed KYC checks, intercept SMS one-time passcodes and silently log in to mobile banking apps to move funds across borders – turning biometrics and OTPs from safeguards into attack surfaces for account-takeover fraud.
“These aren’t random one-off scams. They’re factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims.”
The research shows that unless banks, fintechs and governments harden their Android and mobile channels beyond SMS and basic biometrics, they should expect more coordinated cross-border raids on customer accounts – and tougher questions from regulators about the resilience of their mobile-fraud defences.
You can find the full research here: https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
