The Phantom in the GoldFactory: Beware of the Face-Stealing Impostor!

Act I
Kevin, a dedicated local government employee, is at his desk handling official business. Suddenly, he receives an SMS claiming to be from another government department. The message demands he update his profile immediately or face severe penalties. Kevin feels a surge of anxiety.
Act II
Even with his government background, Kevin is deceived by the ultra-realistic Tycoon 2FA evasion tactics. He clicks the link and downloads what appears to be the official, legitimate app. Because the UI is absolutely flawless, Kevin drops his guard and proceeds with the requested steps.
Act III
The app prompts Kevin to "record a video to verify your identity for government services." Kevin cooperates, facing the camera. Meanwhile, deep inside the dark digital factory (GoldFactory), goblin hackers are weaponizing his stolen facial biometrics, forging a glowing "Kevin mask" to bypass his real bank's liveness detection.
Act IV
The Trojan silently completes the dynamic injection into Kevin's legitimate banking app and executes the transfer in the background. When Kevin later checks his real bank account, he discovers his life savings have been completely wiped out. He collapses in front of his empty vault, overwhelmed by shock and deep regret.

Poor Kevin.
While Kevin’s story is presented in a stylized comic, the threat he faced is terrifyingly real. For enterprises and financial institutions across Southeast Asia, GoldFactory is not a fictional villain—it is a sophisticated cybercriminal syndicate actively draining bank accounts. The moment a user like Kevin drops their guard, the business impact escalates rapidly from a personal loss to a corporate crisis.

Business Impact Summary

To our CXOs and Business Leaders: The Evolving Risk of Digital Identity Theft

Recently, mobile financial security in the APAC region (particularly in Thailand and Vietnam) has faced an unprecedented challenge. A core cybercriminal syndicate known as GoldFactory is redefining mobile banking fraud. For enterprise executives and financial leaders, this indicates that traditional security perimeters are failing. You must be aware of the following critical business risks:

The Fall of Biometric Assets: Traditional Two-Factor Authentication (2FA) and even facial recognition are being bypassed. By tricking users into recording videos (via the GoldPickaxe variant), attackers are directly hijacking facial biometrics. "Liveness detection" is no longer an absolute moat for financial security.

Ultimate Stealth and Brand Hijacking: The attackers are not just creating poorly made fake apps; they use dynamic injection into legitimate apps. They hijack the genuine banking app while retaining all its normal functions. When customers have their funds stolen while using "your" legitimate app, the damage to your brand's trust is catastrophic.

Hyper-Localized Social Engineering: The attackers are deeply localized, impersonating high-trust entities like Vietnam Electricity (EVN), the police, or Thai public services, weaponizing the public's trust in government institutions.

The Business Bottom Line: When attackers can bypass the closed iOS ecosystem and Android's underlying security to steal digital identities directly, endpoint defense alone is insufficient. We need continuous threat hunting at the "nervous system" of our network traffic.

Technical Teardown

For security analysts and threat hunting teams, GoldFactory demonstrates exceptionally high maturity in its tactics, techniques and procedures (TTPs). The following is a technical teardown of the group's attack chain:

1. The Delivery Phase: Tycoon 2FA and Multi-Layer Evasion

GoldFactory exhibits strong anti-automation detection capabilities. When spoofing download sites, including those impersonating CSKH EVN (Vietnam Electricity customer care) and government agencies, they employ a 7-stage attack chain similar to Tycoon 2FA:

Figure 1. Spoofing download sites for CSKH EVN

Lure: Traffic is driven via phishing emails disguised as voicemails, invoices, or Microsoft security alerts, as well as localized SMS/Zalo messages.

Human Filtering: They utilize complex redirection and validation mechanisms (like Cloudflare Turnstile or invisible CAPTCHAs) to filter out security scanners, sandboxes, and web crawlers. The final fake Google Play phishing page or APK download link is ONLY exposed to genuine human targets matching specific geo-locations (e.g., Vietnam/Thailand IPs).

2. The Execution Phase: iOS/Android Dual-Platform Compromise

Android (Abusing Accessibility Services): Once the Trojan is installed, it abuses Android's Accessibility Services to gain full control of the screen. This allows the malware to read screen content in real-time, intercept SMS verification codes, and even auto-click authorization pop-ups.

iOS (TestFlight & MDM Abuse): This shatters the myth that "non-jailbroken iPhones are safe." Attackers abuse Apple's TestFlight (developer testing platform) to distribute unreviewed malicious apps. If TestFlight is blocked, they use social engineering to trick victims into installing a malicious MDM (Mobile Device Management) profile, completely taking over the device to silently push malicious apps.

3. Persistence & Theft: Dynamic Injection and Hooking

This is the most lethal link. The Trojan does not replace the entire banking app; instead, it utilizes "Legitimate App Dynamic Injection":

Custom/Modified Hooking Frameworks: The Trojan runs in the background, monitoring the state of foreground applications. When it detects the target banking app launching, it uses Hooking techniques to hijack critical API calls (such as login interfaces and transfer APIs).

Normal Function + Background Theft: The front-end UI and normal functions of the app are entirely provided by the original program, leaving the user completely unaware. However, in the background, the Hooking framework has altered the data flow, silently diverting passwords, tokens, or facial verification data to the C2 server.

Figure 2. Infection Process

Recommended Actions

  • Security Awareness: Conduct comprehensive training for employees and customers on high-frequency local scams (e.g., EVN billing, tax refunds).
  • Explicitly inform customers: Official apps will NEVER ask you to "record a video of your face" outside of standard business scenarios, and never install personal apps via TestFlight.
  • Business Logic: Financial institutions must introduce Behavioral Biometrics. Beyond recognizing the "face," systems should analyze device gyroscope data, screen pressure, and typing habits to determine if a real human is operating the device (preventing pre-recorded video injection).
  • Visibility & Hunting: Deploy and rely on advanced Network Detection and Response platforms. Even if the endpoint behavior is hidden by Hooking, the network traffic (sending biometric data to the C2 server, receiving remote commands) will expose its tracks. Block anomalous outbound requests using AI and behavioral baselining.
  • Get a Free "Security Health Check" with the Sangfor Security Evaluator: Prevention is better than cure!
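The network-side hunting described in the teardown (biometric data leaving the device to a C2 server during a hijacked banking session) and in the Visibility & Hunting recommendation can be expressed as a simple correlation rule. The following is an added example, not Sangfor's or any NDR product's code; the flow-log format, the device ids, the baseline of bank hostnames, the threshold and the window are all assumptions, and the sample flows are constructed.

```python
"""Hunt for biometric/credential exfiltration that follows a banking session.
Constructed example: all hostnames, device ids and thresholds are assumptions."""
from datetime import datetime, timedelta

# Assumed baseline: destinations a genuine banking session is expected to reach.
KNOWN_GOOD = {"api.examplebank.vn", "cdn.examplebank.vn", "auth.examplebank.vn"}
UPLOAD_THRESHOLD = 500_000        # bytes out suggesting a video/biometric upload
WINDOW = timedelta(minutes=10)    # how close to a bank flow an upload must be

# Constructed flow records: timestamp, device, destination host, bytes_out, content type.
# dev-kevin shows the hijacked-session pattern; dev-anna is a benign video upload
# well outside any banking session and must not alert.
SAMPLE_FLOWS = """\
2024-05-01T09:00:05 dev-kevin api.examplebank.vn 2100 application/json
2024-05-01T09:00:41 dev-kevin auth.examplebank.vn 1800 application/json
2024-05-01T09:03:12 dev-kevin upload.totally-legit.example 3400000 video/mp4
2024-05-01T09:04:30 dev-kevin c2.totally-legit.example 900 application/octet-stream
2024-05-01T10:15:00 dev-anna cdn.examplebank.vn 120000 image/png
2024-05-01T11:00:00 dev-anna photos.example.net 4000000 video/mp4
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, dev, host, out, ctype = line.split()
        flows.append((datetime.fromisoformat(ts), dev, host, int(out), ctype))
    return flows

def hunt(flows):
    """Return (device, host, reason) for traffic that leaves the baseline while a
    banking session is active: a large or video upload is flagged as a likely
    biometric exfiltration, any other off-baseline host as a possible C2 contact."""
    last_bank = {}   # device -> time of its most recent baseline (bank) flow
    alerts = []
    for ts, dev, host, out, ctype in sorted(flows):
        if host in KNOWN_GOOD:
            last_bank[dev] = ts
            continue
        recent = dev in last_bank and ts - last_bank[dev] <= WINDOW
        if recent and (out >= UPLOAD_THRESHOLD or ctype.startswith("video/")):
            alerts.append((dev, host, "biometric-upload-after-bank-session"))
        elif recent:
            alerts.append((dev, host, "unknown-host-during-bank-session"))
    return alerts

if __name__ == "__main__":
    for alert in hunt(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

In a real deployment the static KNOWN_GOOD set would be replaced by a per-app baseline learned from traffic, which is what the recommendation's behavioral baselining refers to.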


IOCs


Sangfor Farsight Labs is dedicated to tracking and analyzing global advanced threat landscapes. By leveraging its robust automated attribution and external monitoring systems, the lab delivers rapid, precise analysis and cross-correlation of APT attack samples. Having archived comprehensive profiles on dozens of APT and cybercrime entities, Farsight Labs has a proven track record of helping clients successfully mitigate high-stakes APT and cybercriminal incidents through expert incident response. In an era of escalating security conflicts and evolving TTPs, Sangfor’s Advanced Threat Team is committed to continuous vigilance and the rigorous research of new global security threats to ensure proactive defense.
