The Taxman’s Shadow: How a $2M Fraud Syndicate Impersonated Indonesia’s Official Coretax Service
In Indonesia, a sophisticated fraud operation has been unmasked masquerading as the official Coretax fiscal service. The operators built a covert infrastructure of counterfeit mobile applications and used it not only against taxpayers but also against dozens of other digital services. According to Group-IB's estimates, total losses within the country are between $1.5 million and $2 million.
While Coretax is a legitimate web-based utility provided by the Indonesian tax authorities, it notably lacks an official mobile counterpart. Nevertheless, since July 2025, malicious APK files bearing the “Coretax” moniker began proliferating online. By January 2026, synchronized with the zenith of the tax filing season, the campaign surged, strategically targeting approximately 67 million tax residents.
The attack was executed in carefully staged phases. First, victims were contacted via WhatsApp by actors impersonating tax officials, who sent links to download the fake application. Upon installation, the device would briefly freeze while the malware collected device information and downloaded additional modules. Next came a phone call from a fraudster posing as a service representative, demanding immediate payment of "tax arrears." Throughout the call, the Trojan recorded the screen, intercepted credentials and one-time passcodes, and finally took remote control of the smartphone to push unauthorized transfers through a chain of mule accounts.
Technical analysis attributes this campaign to the GoldFactory cluster. The malicious infrastructure used several families of Android Trojans, including Gigabud.RAT, MMRat, and a previously undocumented variant designated Taotie. In total, 228 new modifications were identified. These Trojans abuse Android accessibility services and circumvent multi-factor authentication, enabling fraudulent transactions to be initiated directly from the compromised device.
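The capabilities described above (accessibility-service abuse, SMS/OTP interception, overlays, and a dropper stage that installs further modules) all leave traces in an app's manifest. The following is an added example, not code from the article or from Group-IB, of a defender-side static triage that scores a decoded AndroidManifest.xml on those indicators and flags an app that carries a brand name with no official mobile counterpart. It assumes the manifest has already been decoded from the APK's binary XML to plain text (for instance with apktool); the two sample manifests, the package names, and the scoring weights are constructed for this example.

```python
"""Static triage of a decoded AndroidManifest.xml for banking-Trojan indicators.

Added example (not from the article or the Group-IB report). Assumes the
manifest has already been decoded to plain XML. Sample manifests, package
names and weights below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Permissions that enable the behaviours the campaign relies on. Weights are
# constructed for this example; tune them against your own sample set.
RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": ("otp_intercept", 3),
    "android.permission.READ_SMS": ("otp_intercept", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 3),
    "android.permission.RECORD_AUDIO": ("surveillance", 1),
    "android.permission.READ_CONTACTS": ("surveillance", 1),
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Brands that have no official Android app, so any APK using the name is
# suspect. Only Coretax is named on the page; extend with your own list.
NO_OFFICIAL_APP = {"coretax"}

SUSPICIOUS_THRESHOLD = 6


def triage_manifest(xml_text):
    """Return a dict with package name, risk score, findings and verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings, score = [], 0

    # 1. Dangerous permission requests (OTP interception, overlays, dropper).
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in RISK_PERMISSIONS:
            tag, weight = RISK_PERMISSIONS[name]
            findings.append(f"{tag}:{name}")
            score += weight

    # 2. A service bound as an accessibility service: the hook used for
    #    screen reading, click injection and remote control.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_PERM:
            findings.append("accessibility_service:" + svc.get(A + "name", "?"))
            score += 4

    # 3. Brand impersonation: label or package name uses a brand that has
    #    no official mobile app.
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    for brand in NO_OFFICIAL_APP:
        if brand in label or brand in package.lower():
            findings.append(f"brand_impersonation:{brand}")
            score += 3

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"package": package, "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample: what a lookalike "tax app" manifest might declare.
SAMPLE_MALICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="id.coretax.mobile">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Coretax">
    <service android:name=".AccessSvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app requesting only network access.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

The accessibility-service check carries the highest weight because it is the single capability the article's attack chain cannot work without: without it the Trojan cannot read the screen, inject taps, or hold the device during the follow-up phone call. A score like this is a triage aid for sorting a batch of sideloaded APKs, not a verdict; anything flagged still needs dynamic analysis to confirm the behaviour.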
The infrastructure was not confined to a singular brand; the same command servers and phishing templates were repurposed to forge over 16 prominent services, ranging from business licensing systems to national airlines. Researchers identified 996 domains crafted from a unified template, extending their reach to users in Thailand, Vietnam, the Philippines, and South Africa. Estimates suggest that in January 2026 alone, direct losses in Indonesia reached $340,000, with total ecosystem losses potentially ascending to $2 million.
Group-IB reported that among clientele protected by their security systems, the rate of successful theft was mitigated to a mere 0.027 percent of infected devices. This resilience is credited to sophisticated behavioral analysis and the early detection of phishing architectures. The Coretax campaign underscores how a unified malicious platform can rapidly scale offensives against entire national infrastructures, jeopardizing not only financial assets but also the fundamental public trust essential for continued digital transformation.