Unmasking the Malware-as-a-Service Operations Powering Account-Takeover Fraud Across 21 Countries
A joint investigation by Infoblox Threat Intel and the Vietnamese non-profit Chong Lua Dao has uncovered a sophisticated Android banking trojan being operated directly from industrial-scale scam centers, including the K99 Triumph City compound in Cambodia. This site, previously flagged by the UN for forced labor and large-scale scams, is now confirmed to be a hub for advanced Malware-as-a-Service (MaaS) operations.
The research marks a pivot point in threat intelligence: we are no longer dealing with isolated social engineering, but with factory-line distribution of high-level malware designed to dismantle the very security layers banks have relied on for years.

The operation, which registers roughly 35 new malicious domains every month, targets government agencies, tax authorities, and banks in at least 21 countries, with heavy activity concentrated in Indonesia, Thailand, Spain, and Türkiye.
The trojan’s capabilities represent a nightmare scenario for mobile banking security:
- Biometric Theft: During spoofed KYC checks, the malware captures facial-recognition data.
- OTP Interception: It silently intercepts SMS one-time passcodes, effectively neutralizing two-factor authentication.
- Remote Access: Once the fake government app is installed, operators gain full control of the device, allowing them to bypass biometrics and SMS safeguards and move funds across borders.
The research highlights a shift from manual scams to automated, industrial-scale raids. By analyzing anomalous DNS traffic patterns, Infoblox traced the malware-as-a-service platform back to the physical compounds.
“These aren’t random one-off scams. They’re factory lines,” says Dr. Renée Burton, VP of Infoblox Threat Intel. “We now know that beyond social engineering, these compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims.”
For banks and fintechs, the message is clear: the era of relying on SMS and basic biometrics as a digital lifeline is over. As these scam centers continue to scale, the resilience of mobile-fraud defenses will face increasing scrutiny from regulators.
Hardening Android and mobile channels is no longer a technical recommendation; it is a survival requirement for any institution handling cross-border financial flows in 2026.