The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN's Legacy to Target Indonesian Senior Citizens
A Chinese-speaking threat group is exploiting Indonesia’s state pension fund, TASPEN, to launch a sophisticated mobile malware campaign targeting senior citizens. Disguised as an official app, the spyware steals banking credentials, OTPs, and even biometric data, enabling large-scale fraud. Beyond financial loss, the attack erodes public trust, threatens Indonesia’s digital transformation, and sets a dangerous precedent for pension fund attacks across Southeast Asia.
1. Executive Summary
A sophisticated and highly targeted mobile malware campaign is actively leveraging the trusted brand of Indonesia’s state pension fund, PT Dana Tabungan dan Asuransi Pegawai Negeri (Persero), also known as TASPEN, to execute a full-spectrum data theft and financial fraud operation against the nation's pensioners and civil servants. This operation utilizes a malicious Android application embedded with banking trojan/spyware, meticulously disguised as an official TASPEN portal, to steal a wide range of sensitive information, including banking credentials, one-time passwords (OTPs) from SMS messages, and even biometric data through facial video capture.
The attack chain begins with a carefully crafted phishing website that perfectly impersonates an official app download page, using TASPEN’s branding and slogans in Bahasa Indonesia to build a false sense of security. Once a victim is lured into installing the malicious application package (APK), the malware employs advanced evasion techniques to remain undetected.
Once active on a device, the malware establishes persistent, encrypted communication with a remote command-and-control (C2) server infrastructure. This allows attackers to exfiltrate stolen data in real time, monitor user activity through screen recording, and remotely issue commands to execute fraudulent transactions. Technical artifacts found within the malware’s distribution network and communication channels, including error messages and developer comments written in Simplified Chinese, strongly suggest the involvement of a well-organized, Chinese-speaking threat actor group.
The success of this model creates a dangerous precedent, providing a ready-made blueprint for similar attacks against other critical Indonesian financial and public institutions.
This report provides a detailed dissection of the attackers’ tactics, techniques, and procedures (TTPs). It analyzes the malware's technical capabilities, assesses the far-reaching business and societal impacts, and concludes with a set of strategic recommendations for a coordinated, multi-stakeholder defense to protect Indonesia’s citizens and its digital future.
2. The Indonesian Threat Context and Attack Vector
2.1. The Strategic Importance of TASPEN and Indonesia's Digital Transformation
PT Dana Tabungan dan Asuransi Pegawai Negeri (Persero) (TASPEN) is a cornerstone of Indonesia’s social security apparatus. Established in 1963, it has grown into a massive financial institution, managing assets valued at over $15.9 billion USD. It is responsible for the pension funds of millions of civil servants and employees of state-owned enterprises, making it a foundational element of the nation's financial stability and public welfare system.
Its user base consists largely of retirees, a demographic that is increasingly encouraged to adopt digital services for pension management, authentication, and communication. As the Indonesian government aggressively pursues its digital transformation agenda, platforms like TASPEN become critical infrastructure for citizen services. This digital shift, while beneficial, simultaneously creates a high-value, concentrated target for cybercriminals. The immense financial scale of TASPEN, combined with the inherent trust that citizens—particularly seniors—place in this long-standing government brand, makes it a uniquely attractive target for impersonation attacks. An attack on TASPEN is not just an attack on individuals; it is an attack on the perceived security and reliability of Indonesia's entire digital public service ecosystem.
2.2. The Attack Lifecycle: A High-Level Overview
The campaign follows a clear, multi-stage lifecycle designed for maximum impact and minimal detection.
Adversaries set up phishing infrastructure impersonating TASPEN, chosen because of its widespread use in Indonesia; the intended victims are senior citizens.
Senior citizens unknowingly fall victim to the campaign by downloading the malicious mobile application from the fake domain, whose visibility was boosted through SEO.
Upon execution, the malicious app harvests the victim's data and also attempts to install banking trojan malware on the phone, which captures further sensitive data from the phone's other applications.
Harvested data is exfiltrated to the adversaries' C2 server, after which it is either sold on darknet marketplaces or used by the adversaries for other malicious purposes.
2.3. Anatomy of the Attack – Stage 1: Deceptive Distribution
The threat actors initiated the campaign using a highly convincing social engineering strategy.
The Phishing Domain: The primary distribution vector is the website https://taspen[.]ahngo[.]cc/. The domain itself is designed to appear plausible to a casual user. The website is a minimalist but effective clone of a legitimate mobile app landing page.
Localized Social Engineering: The page prominently features TASPEN's official branding and uses the Indonesian slogan "Aplikasi Andal, semakin mudah bersama TASPEN" ("A reliable app, easier with TASPEN") to reinforce its authenticity and build trust with the target demographic.
Weaponized and Deceptive Buttons: The site displays familiar Google Play and Apple App Store buttons. The Google Play button is weaponized to initiate a direct download of the malicious APK, while the App Store button acts as a clever decoy, displaying an alert in Bahasa Indonesia: “Sistem sedang ditingkatkan” (“System is being upgraded”). This prevents iOS users from reporting a broken link and reinforces legitimacy for Android users.
Technical Obfuscation: The website’s malicious logic is intentionally hidden. It uses JavaScript to fetch a Base64-encoded payload from a secondary URL (/x/page). This payload, once decoded, contains the true download functionality. This multi-step process is a deliberate tactic to thwart simple, automated web scanners.
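The two-step loading described above (a landing page whose only download logic arrives as a Base64 blob from a secondary endpoint) is exactly what a simple link scanner misses. The following Python triage script is an added example, not code from the report or from the campaign's page: it takes a page's HTML plus the bodies of any secondary fetches, decodes Base64 runs, and surfaces the hidden download URLs, decoy alert strings and non-Latin script strings that an analyst would put into a takedown request. The HTML, the `/x/page` body and the `download.example.invalid` link are constructed stand-ins, not the real site's content.

```python
import base64
import re

# Constructed sample: a landing page that carries no download link itself
# and fetches a Base64 blob from a secondary endpoint (/x/page), as the
# report describes. Hypothetical markup, not the real page's source.
SAMPLE_PAGE_HTML = """
<html><body>
<h1>Aplikasi Andal, semakin mudah bersama TASPEN</h1>
<button id="gp">Google Play</button>
<button id="as" onclick="alert('Sistem sedang ditingkatkan')">App Store</button>
<script>
fetch('/x/page').then(r => r.text()).then(b64 => {
  document.body.insertAdjacentHTML('beforeend', atob(b64));
}).catch(() => alert('获取数据失败'));
</script>
</body></html>
"""

# Constructed stand-in for the secondary endpoint's Base64 payload.
SAMPLE_SECONDARY_PAYLOAD = base64.b64encode(
    b"<a id='dl' href='https://download.example.invalid/app/taspen.apk'>Unduh</a>"
).decode()

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CJK_RE = re.compile(r"[\u4e00-\u9fff]+")          # Han characters


def decode_embedded_base64(text):
    """Return every Base64 run in text that decodes to printable UTF-8."""
    decoded = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            s = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                # not valid Base64, or binary content
        if s.isprintable() or "<" in s:
            decoded.append(s)
    return decoded


def analyse_landing_page(page_html, secondary_responses):
    """Static triage of a landing page plus the bodies of the secondary
    fetches it makes. secondary_responses maps path -> response body.
    Returns a dict of findings suitable for a takedown request."""
    findings = {"secondary_fetches": [], "hidden_urls": [], "apk_links": [],
                "alert_strings": [], "non_latin_strings": []}
    # 1. secondary fetches wired up in script (where the real logic lives)
    for m in re.finditer(r"fetch\(\s*['\"]([^'\"]+)['\"]", page_html):
        findings["secondary_fetches"].append(m.group(1))
    # 2. alert() strings: decoy messages shown instead of a real link,
    #    and error strings that may hint at the operator's language
    for m in re.finditer(r"alert\(\s*['\"]([^'\"]+)['\"]", page_html):
        findings["alert_strings"].append(m.group(1))
    # 3. strings in Han script (an attribution clue, not proof)
    findings["non_latin_strings"] = CJK_RE.findall(page_html)
    # 4. decode each secondary response and pull out the URLs it hides
    for path in findings["secondary_fetches"]:
        body = secondary_responses.get(path, "")
        for chunk in decode_embedded_base64(body) + [body]:
            for url in URL_RE.findall(chunk):
                if url not in findings["hidden_urls"]:
                    findings["hidden_urls"].append(url)
    findings["apk_links"] = [u for u in findings["hidden_urls"]
                             if u.lower().endswith(".apk")]
    return findings


if __name__ == "__main__":
    result = analyse_landing_page(SAMPLE_PAGE_HTML,
                                  {"/x/page": SAMPLE_SECONDARY_PAYLOAD})
    for key, value in result.items():
        print(f"{key}: {value}")
```

In practice the secondary bodies come from a sandboxed crawl that records every fetch the page makes; the script deliberately does not fetch anything itself, so it can run offline against captured evidence.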
3. Technical Deep Dive: Malware Analysis
3.1. Unpacking the Threat: Bypassing Static Defenses with DPT-Shell
Initial attempts to analyze the malicious APK with standard security tools failed, as the application appeared corrupted. This is the result of an intentional evasion technique known as packing.
DEX Packing: The malware is protected by DPT-Shell, an open-source Android shell packer. This tool encrypts or conceals the application's primary executable code (the .dex files), wrapping it in a loader "shell".
Runtime Payload Extraction: When the user launches the app, the DPT-Shell code executes first. It decrypts the hidden payload in memory and writes it to the application's private code_cache directory. The payload is dropped as a ZIP archive (named i111111.zip), which contains the real, malicious .dex files. This ensures the malware's true functionality is only exposed on a live device, defeating static analysis engines.
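Because the real code only exists once the shell has dropped it, a responder who pulls the app's private `code_cache` directory from a device needs to find the dropped archive by content, not by name. The Python triage script below is an added example (not the report's own tooling): it walks a copied `code_cache` directory, identifies ZIP archives by their magic bytes whatever they are called, and hashes every entry that starts with the DEX magic. The sample directory it builds, including a fake `i111111.zip` with fabricated DEX bodies, is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"        # first 4 bytes of a DEX header ("dex\n035\0", "dex\n039\0", ...)
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def scan_code_cache(code_cache_dir):
    """Walk an app's code_cache directory (as copied from a device) and
    report every ZIP archive that contains DEX payloads, regardless of the
    archive's file name or extension. Returns a list of finding dicts."""
    findings = []
    for root, _dirs, files in os.walk(code_cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(4)
            if head != ZIP_MAGIC:
                continue            # not an archive, skip
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue            # truncated or deliberately damaged
            with zf:
                dex_entries = []
                for info in zf.infolist():
                    data = zf.read(info)
                    if data[:4] == DEX_MAGIC:
                        dex_entries.append({"name": info.filename,
                                            "size": len(data),
                                            "sha256": sha256_bytes(data)})
            if dex_entries:
                findings.append({"archive": os.path.relpath(path, code_cache_dir),
                                 "dex_entries": dex_entries})
    return findings


def make_sample_code_cache():
    """Build a constructed code_cache directory: one dropped archive named
    like the one in the report (i111111.zip) holding fake DEX entries, plus
    a harmless cache file. The DEX bodies are fabricated, not real code."""
    base = tempfile.mkdtemp(prefix="code_cache_")
    with zipfile.ZipFile(os.path.join(base, "i111111.zip"), "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("classes2.dex", b"dex\n039\x00" + b"\x01" * 64)
        zf.writestr("README.txt", b"not a dex")
    with open(os.path.join(base, "com.android.opengl.shaders_cache"), "wb") as fh:
        fh.write(b"\x00\x01\x02\x03 shader blob")
    return base


if __name__ == "__main__":
    sample = make_sample_code_cache()
    for finding in scan_code_cache(sample):
        print(finding["archive"])
        for entry in finding["dex_entries"]:
            print(f"  {entry['name']}  {entry['size']} bytes  sha256={entry['sha256']}")
```

The hashes of the dropped DEX files, rather than of the packed APK, are what to share with other defenders: the outer APK changes every time the packer is re-run, while the payload inside tends to stay the same.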
3.2. Full-Spectrum Surveillance Capabilities
Once unpacked, the malware reveals itself to be a modular spyware tool with a wide array of intrusive capabilities managed through background services.
Malware Components
Malware Components and Their Threat Impact
| Malware Component | Functionality & Purpose | Threat Impact |
|---|---|---|
| SmsService | A persistent background service dedicated to intercepting all incoming SMS messages. It can read, send, and monitor messages without user interaction. | Enables the theft of One-Time Passwords (OTPs) for bypassing two-factor authentication, facilitating fraudulent bank transfers. |
| ScreenRecordService | A background service that can initiate screen recording sessions at any time, allowing attackers to visually monitor all user activity in real time. | Captures credentials being typed into legitimate banking apps, views personal messages, and records other sensitive on-screen interactions. |
| CameraService | Provides extensive functionality for facial video operations. It can start facial recording, compress the captured video, and manage its upload to the C2 server. | Steals biometric data, which can be used to defeat modern authentication systems or for deepfake-based identity fraud. |
| ContactData Class | A data structure designed to collect and store the victim's entire address book, including names, phone numbers, email addresses, and call history. | Used for large-scale profiling, intelligence gathering, and launching further phishing attacks against the victim's contacts. |
4. Command, Control, and Data Exfiltration
The malware's communication infrastructure is robust, encrypted, and designed for stealthy, real-time control and data exfiltration.
4.1. The Communication Backbone
Encrypted Credential Exfiltration: When a user enters credentials, the malware sends an HTTP POST request to rpc.syids.top/x/login. The payload is fully encrypted. The server deliberately returns an HTTP 400 "Bad Request" error with an Indonesian message ("Your information is incorrect...") to make the exfiltration appear as a simple failed login attempt.
The Real-Time WebSocket Channel: For persistent and immediate C2, the malware uses a WebSocket connection. A configuration file (LyBW_sp.xml) reveals the endpoint: wss://rpc.syids.top/x/command. This allows attackers to push commands to the device instantly, a much more effective method than traditional polling.
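The two channels above leave a recognisable footprint in egress logs: traffic to the indicator hosts, a WebSocket upgrade to the command path, and the "always HTTP 400" login pattern that makes exfiltration look like failed logins. The Python detector below is an added example, not detection content from the report: it parses a constructed, simplified proxy log format and raises alerts for all three. The indicator hosts from the report are written undefanged so they match log fields; the log lines, IP addresses and timestamps are constructed, and the body-size threshold for the failed-login heuristic is this example's own choice.

```python
import re

# Indicators from the report above, written undefanged for matching.
IOC_HOSTS = {"taspen.ahngo.cc", "rpc.syids.top"}
IOC_PATHS = {"/x/login", "/x/command", "/x/page"}

# Constructed proxy log lines in a simplified space-separated format:
# <ts> <client_ip> <method> <scheme>://<host><path> <status> <req_bytes> [<upgrade>]
SAMPLE_LOG = """\
2025-06-01T08:00:01Z 10.1.2.3 GET https://taspen.ahngo.cc/ 200 0
2025-06-01T08:00:02Z 10.1.2.3 GET https://taspen.ahngo.cc/x/page 200 0
2025-06-01T08:02:10Z 10.1.2.3 POST https://rpc.syids.top/x/login 400 1842
2025-06-01T08:02:11Z 10.1.2.3 POST https://rpc.syids.top/x/login 400 1851
2025-06-01T08:02:12Z 10.1.2.3 GET wss://rpc.syids.top/x/command 101 0 websocket
2025-06-01T08:03:00Z 10.1.2.9 POST https://bank.example.invalid/api/login 200 512
2025-06-01T08:03:05Z 10.1.2.9 GET https://www.example.invalid/ 200 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?|wss?)://(?P<host>[^/\s]+)(?P<path>\S*) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)(?: (?P<upgrade>\S+))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["path"] = rec["path"] or "/"
    return rec


def detect(log_text, min_login_body=1024):
    """Return (kind, client_ip, host+path) alerts for:
    - ioc_host: any contact with the report's indicator hosts
    - c2_websocket: a WebSocket upgrade to one of the indicator paths
    - fake_failed_login: repeated POSTs to a login path carrying a sizeable
      body that always come back HTTP 400 (the fake-failure pattern above);
      raised once, on the second occurrence for the same client and URL."""
    alerts = []
    login_400 = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = rec["host"] + rec["path"]
        if rec["host"] in IOC_HOSTS:
            alerts.append(("ioc_host", rec["ip"], url))
        if rec["upgrade"] == "websocket" and rec["path"] in IOC_PATHS:
            alerts.append(("c2_websocket", rec["ip"], url))
        if (rec["method"] == "POST" and rec["path"].endswith("/login")
                and rec["status"] == 400 and rec["bytes"] >= min_login_body):
            key = (rec["ip"], url)
            login_400[key] = login_400.get(key, 0) + 1
            if login_400[key] == 2:
                alerts.append(("fake_failed_login", rec["ip"], url))
    return alerts


if __name__ == "__main__":
    for kind, ip, url in detect(SAMPLE_LOG):
        print(f"{kind:18} {ip:10} {url}")
```

The IoC match is the sharp signal but expires as soon as the operators rotate domains; the WebSocket-upgrade and repeated-400-login rules are the ones worth keeping, since they describe the behaviour rather than the infrastructure.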
4.2. Attribution Clues: Following the Linguistic Trail
The evidence strongly points to a Chinese-speaking adversary. This assessment is based on multiple, independent linguistic indicators:
Phishing Website: The JavaScript contains the error message 获取数据失败 ("Failed to fetch data").
WebSocket C2 Server: Manual connection attempts to the C2 endpoint returned the error 缺少参数关闭 ("Missing parameter, connection closed").
These are not isolated artifacts but are found at different layers of the attack, suggesting a consistent operator.
5. A Resilient Adversary: Evasion and Anti-Analysis Techniques
The malware's sophistication is further highlighted by its active defenses against security analysis.
5.1. Detecting and Evading Frida
The operators anticipated that security researchers would attempt to analyze the app's runtime behavior.
Frida Detection: When standard hooks from the Frida instrumentation toolkit were injected, the application immediately detected them and terminated, throwing a segmentation fault. This anti-analysis feature is a hallmark of advanced malware, designed to make reverse engineering significantly more difficult.
5.2. Bypassing Defenses to Reveal the Truth
To overcome these defenses, a custom, stealthier JavaScript hook was developed. This allowed for the interception of data flows before encryption was applied.
Intercepting Plaintext Data: The successful hook revealed the exact plaintext JSON payload being sent to the C2 server, confirming the theft of username, password, card number, and device metadata.
Decrypting the Server's Response: Hooking the decryption routine also revealed the server's generic failure message in Indonesian, confirming the deceptive nature of the entire process.
6. Business Impact and Systemic Risk in Indonesia
The consequences of this campaign extend far beyond individual financial losses, posing a strategic threat to the nation's digital infrastructure.
6.1. Erosion of Public Trust
The primary societal impact is the degradation of trust between Indonesian citizens and their government. When a trusted, long-standing brand like TASPEN is successfully impersonated, it can lead to widespread reluctance to adopt any digital government service, hindering national progress in digital transformation and financial inclusion.
6.2. Targeting the Vulnerable
The campaign is predatory, specifically targeting pensioners who may have lower levels of digital literacy and are more susceptible to social engineering. This can cause not only devastating financial loss but also significant psychological distress and a feeling of betrayal by the institutions meant to protect them.
6.3. Collateral Damage to the Financial Sector
The operational and financial burden of this attack falls heavily on Indonesia's banks. The consequences include:
Increased Customer Support Costs: A surge in calls to fraud departments.
High Investigation Overheads: The time and resources required to investigate each case.
Potential Financial Liability: The pressure to reimburse customers for stolen funds.
Reputational Damage: Customers may blame their bank for the security failure, even if the bank was not the initial point of compromise.
6.4. The Precedent for Systemic Risk
The tactics, techniques, and procedures (TTPs) used in this campaign are highly effective and replicable. The success of the TASPEN impersonation provides a proven blueprint for attackers to target other major Indonesian public and private institutions. This elevates the threat from a single campaign to a potential wave of copycat attacks, posing a systemic risk to the entire Indonesian financial sector. Potential future targets could include:
BPJS Kesehatan (Healthcare)
Bank Rakyat Indonesia (BRI) and other major state-owned banks
Major e-commerce and utility platforms
7. A Regional Threat Landscape: Pension Fund Attacks Across Southeast Asia
The attack on TASPEN is not an isolated event but a reflection of a broader, alarming trend across Southeast Asia. Pension funds have become high-priority targets for both state-sponsored and financially motivated threat actors due to their unique concentration of sensitive data and vast financial assets.
7.1. The Adversaries Targeting SEA Pension Funds
Two primary categories of threat actors are active in this space:
Nation-State Advanced Persistent Threats (APTs): Cyber-espionage groups, particularly those linked to China such as Earth Kurma, are highly active in targeting government sectors across Southeast Asia. Their main objective is the large-scale theft of citizen data for intelligence purposes. The TASPEN attack, with its Chinese linguistic markers and data harvesting capabilities (including biometrics), aligns closely with the TTPs of these state-sponsored actors.
Financially Motivated Cybercrime Syndicates: These organized groups, like the prolific LockBit ransomware gang, are focused on direct monetization. The credential theft and OTP interception capabilities of the TASPEN malware are hallmarks of their operations, designed for efficient, large-scale financial fraud. This indicates the TASPEN malware may be a tool used by, or sold to, such syndicates.
This regional threat is further evidenced by actions in neighboring countries. For example, Singapore's Central Provident Fund (CPF) has been compelled to implement stronger security controls to combat malware-related fraud, demonstrating that pension systems are a recognized and active battleground for cybersecurity across the region.
7.2. Assessing the Potential Monetary Impact of the TASPEN Campaign
While the exact financial losses from this specific campaign are not yet publicly quantified, an impact assessment based on the malware's capabilities and comparable incidents reveals a multi-million dollar threat potential. The costs extend far beyond the initial theft.
Direct Losses to Members: With the ability to bypass OTP verification, attackers can drain member accounts. As a benchmark, a less sophisticated attack on Australian pension funds saw over A$500,000 stolen from just a handful of accounts, illustrating the potential for rapid, significant losses.
Collateral Costs for the Banking Sector: The financial industry bears a heavy secondary burden. According to a 2024 IBM report, the average cost of a data breach in the ASEAN financial sector is approximately $7.5 million SGD. This figure includes the costs of fraud reimbursement, customer support, investigations, and regulatory fines.
Institutional Costs for TASPEN: As the impersonated entity, TASPEN would incur immense costs related to crisis management, public relations campaigns to rebuild shattered trust, forensic investigations, and the implementation of urgent security upgrades.
Considering these factors, a successful, widespread TASPEN malware campaign could easily result in tens of millions of dollars in total economic damage.
8. Strategic Recommendations for a Coordinated National Defense
This threat requires a unified, proactive response from all stakeholders across Indonesian society.
8.1. For Government & Regulators (KOMINFO, OJK, BSSN):
Establish a National Takedown Framework: Create a rapid-response public-private partnership to quickly identify and execute the takedown of malicious domains, C2 infrastructure, and fake applications targeting Indonesian entities.
Mandate Security Standards for Public Apps: Enforce a baseline of security requirements for all official government applications, including mandatory third-party security audits, code obfuscation, and anti-tampering controls.
Launch a National Digital Literacy Campaign: Fund a sustained, nationwide public awareness campaign, specifically targeting seniors, to educate them on identifying phishing, verifying apps, and understanding mobile permissions. Utilize public service announcements on television, radio, and social media.
8.2. For Financial Institutions & PT TASPEN:
Deploy Advanced, Behavior-Based Fraud Detection: Move beyond simple rule-based systems. Implement solutions that analyze user and device behavior to detect anomalies, such as logins from a device with newly installed, sideloaded apps or unusual transaction patterns.
Leverage Device Attestation: Utilize services like Google's Play Integrity API to verify that a mobile banking session is originating from a genuine, untampered device and a legitimate app build, blocking sessions from compromised devices.
Proactive Customer Communication: Do not wait for customers to become victims. Proactively send clear, concise security advisories via official channels (SMS, email, in-app notifications) warning about specific, active threats like the TASPEN impersonation campaign.
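The device attestation recommendation above only helps if the bank's server actually enforces a policy over the verdict it gets back. The Python check below is an added example, not TASPEN's or any bank's code: it assumes the app's integrity token has already been decoded server-side through Google's API, and shows the checks a backend should make on the resulting verdict before accepting a login: the nonce binds the verdict to this session, the package name and signing certificate rule out repackaged builds, the device must pass full (not just basic) integrity, and the verdict must be fresh. The field names follow the Play Integrity API verdict format; the package name, certificate digest, nonces, timestamps and the ten-minute freshness window are constructed placeholders and policy choices of this example.

```python
import secrets
import time

# Constructed placeholders for the hypothetical banking app's identity.
EXPECTED_PACKAGE = "id.example.bank"
EXPECTED_CERT_DIGESTS = ["PLACEHOLDER-SHA256-DIGEST"]


def new_nonce():
    """Per-login nonce the server issues, hands to the app for the
    integrity request, and later expects to see echoed in the verdict."""
    return secrets.token_urlsafe(24)


def make_verdict(nonce, timestamp_millis, device_verdicts=None,
                 app_verdict="PLAY_RECOGNIZED", package=EXPECTED_PACKAGE,
                 licensing="LICENSED"):
    """Build a constructed verdict in the shape of a decoded Play Integrity
    response, so the policy check can be exercised offline."""
    if device_verdicts is None:
        device_verdicts = ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]
    return {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": str(timestamp_millis)},
        "appIntegrity": {"appRecognitionVerdict": app_verdict,
                         "packageName": package,
                         "certificateSha256Digest": list(EXPECTED_CERT_DIGESTS),
                         "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_verdicts)},
        "accountDetails": {"appLicensingVerdict": licensing},
    }


def verify_integrity_verdict(verdict, expected_nonce, now_millis=None,
                             expected_package=EXPECTED_PACKAGE,
                             expected_cert_digests=EXPECTED_CERT_DIGESTS,
                             max_age_millis=10 * 60 * 1000):
    """Server-side policy over a decoded verdict. Returns (ok, reasons):
    ok is True only when every check passes; reasons lists each failed
    check so fraud analysts can see why a session was refused."""
    reasons = []
    now = int(time.time() * 1000) if now_millis is None else now_millis
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})

    # Replay protection: the verdict must carry the nonce issued for this login.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce_mismatch")
    if req.get("requestPackageName") != expected_package:
        reasons.append("request_package_mismatch")
    try:
        issued = int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        issued = None
    if issued is None or now - issued > max_age_millis:
        reasons.append("stale_verdict")
    # App checks: only a Play-recognised build signed with our certificate.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app_not_play_recognized")
    if app.get("packageName") != expected_package:
        reasons.append("app_package_mismatch")
    if not set(app.get("certificateSha256Digest", [])) & set(expected_cert_digests):
        reasons.append("signing_cert_mismatch")
    # Device check: require full device integrity, not merely basic integrity.
    if "MEETS_DEVICE_INTEGRITY" not in set(dev.get("deviceRecognitionVerdict", [])):
        reasons.append("device_integrity_not_met")
    if acct.get("appLicensingVerdict") != "LICENSED":
        reasons.append("app_not_licensed")
    return (not reasons, reasons)


if __name__ == "__main__":
    nonce = new_nonce()
    now = int(time.time() * 1000)
    print(verify_integrity_verdict(make_verdict(nonce, now), nonce))
    tampered = make_verdict(nonce, now, device_verdicts=["MEETS_BASIC_INTEGRITY"],
                            app_verdict="UNRECOGNIZED_VERSION")
    print(verify_integrity_verdict(tampered, nonce))
```

A refusal here should feed the behaviour-based fraud engine as a signal in its own right, since a device that fails attestation during a login is exactly the kind of "sideloaded, tampered" device the previous recommendation describes.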
8.3. For the Indonesian Public:
Only Use Official App Stores: Never download or install applications from websites, text messages, or WhatsApp links. Only use the official Google Play Store or Apple App Store.
Scrutinize App Permissions: Be highly suspicious of any application that asks for broad or unnecessary permissions, especially access to SMS, Accessibility Services, or the camera.
Install Reputable Mobile Security Software: Use a trusted mobile antivirus application from a well-known security vendor that can help detect and block known malware and phishing sites.
9. Conclusion
The TASPEN mobile malware campaign is a sobering illustration of the evolving threat landscape facing Indonesia. As the nation continues its rapid and commendable journey toward a digital-first society, adversaries will inevitably target the most trusted and vulnerable points of this new ecosystem. This is not a simple case of financial fraud; it is a strategic threat aimed at the heart of public trust and critical digital infrastructure. Its advanced evasion techniques and full-spectrum surveillance capabilities represent a formidable challenge that cannot be met by any single entity acting alone. A successful defense requires a proactive, collaborative, and sustained effort from government, industry, and the public to build a more resilient and secure digital Indonesia for all its citizens.
Nation-State Advanced Persistent Threats (APTs): Cyber-espionage groups, particularly those linked to China such as Earth Kurma, are highly active in targeting government sectors across Southeast Asia. Their main objective is the large-scale theft of citizen data for intelligence purposes. The TASPEN attack, with its Chinese linguistic markers and data harvesting capabilities (including biometrics), aligns closely with the TTPs of these state-sponsored actors.
Financially Motivated Cybercrime Syndicates: These organized groups, like the prolific LockBit ransomware gang, are focused on direct monetization. The credential theft and OTP interception capabilities of the TASPEN malware are hallmarks of their operations, designed for efficient, large-scale financial fraud. This indicates the TASPEN malware may be a tool used by, or sold to, such syndicates.
This regional threat is further evidenced by actions in neighboring countries. For example, Singapore's Central Provident Fund (CPF) has been compelled to implement stronger security controls to combat malware-related fraud, demonstrating that pension systems are a recognized and active battleground for cybersecurity across the region.
7.2. Assessing the Potential Monetary Impact of the TASPEN Campaign
While the exact financial losses from this specific campaign are not yet publicly quantified, an impact assessment based on the malware's capabilities and comparable incidents reveals a multi-million dollar threat potential. The costs extend far beyond the initial theft.
Direct Losses to Members: With the ability to bypass OTP verification, attackers can drain member accounts. As a benchmark, a less sophisticated attack on Australian pension funds saw over A$500,000 stolen from just a handful of accounts, illustrating the potential for rapid, significant losses.
Collateral Costs for the Banking Sector: The financial industry bears a heavy secondary burden. According to a 2024 IBM report, the average cost of a data breach in the ASEAN financial sector is approximately $7.5 million SGD. This figure includes the costs of fraud reimbursement, customer support, investigations, and regulatory fines.
Institutional Costs for TASPEN: As the impersonated entity, TASPEN would incur immense costs related to crisis management, public relations campaigns to rebuild shattered trust, forensic investigations, and the implementation of urgent security upgrades.
Considering these factors, a successful, widespread TASPEN malware campaign could easily result in tens of millions of dollars in total economic damage.
8. Strategic Recommendations for a Coordinated National Defense
This threat requires a unified, proactive response from all stakeholders across Indonesian society.
8.1. For Government & Regulators (KOMINFO, OJK, BSSN):
Establish a National Takedown Framework: Create a rapid-response public-private partnership to quickly identify and execute the takedown of malicious domains, C2 infrastructure, and fake applications targeting Indonesian entities.
Mandate Security Standards for Public Apps: Enforce a baseline of security requirements for all official government applications, including mandatory third-party security audits, code obfuscation, and anti-tampering controls.
Launch a National Digital Literacy Campaign: Fund a sustained, nationwide public awareness campaign, specifically targeting seniors, to educate them on identifying phishing, verifying apps, and understanding mobile permissions. Utilize public service announcements on television, radio, and social media.
8.2. For Financial Institutions & PT TASPEN:
Deploy Advanced, Behavior-Based Fraud Detection: Move beyond simple rule-based systems. Implement solutions that analyze user and device behavior to detect anomalies, such as logins from a device with newly installed, sideloaded apps or unusual transaction patterns.
Leverage Device Attestation: Utilize services like Google's Play Integrity API to verify that a mobile banking session is originating from a genuine, untampered device and a legitimate app build, blocking sessions from compromised devices.
Proactive Customer Communication: Do not wait for customers to become victims. Proactively send clear, concise security advisories via official channels (SMS, email, in-app notifications) warning about specific, active threats like the TASPEN impersonation campaign.
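One way a bank could enforce the device-attestation recommendation above on its own server, as an added example that is not code from the report, TASPEN or Google: it assumes the app's Play Integrity token has already been exchanged for a decoded verdict through Google's decodeIntegrityToken endpoint, and the package name, certificate digest and nonce values used here are constructed placeholders.

```python
import secrets

# Added example: server-side policy over a decoded Play Integrity verdict (the
# JSON Google's decodeIntegrityToken call returns). The two values below are
# constructed placeholders for the real package name and signing-cert digest.
EXPECTED_PACKAGE = "id.example.bank.mobile"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_SIGNING_CERT_SHA256"}
MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # refuse verdicts older than five minutes


def evaluate_verdict(verdict, expected_nonce, now_ms):
    """Return a list of policy failures; empty means the session may proceed."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})
    failures = []
    # The nonce binds the verdict to this login; one captured elsewhere cannot be replayed.
    if not secrets.compare_digest(req.get("nonce", ""), expected_nonce):
        failures.append("nonce mismatch")
    ts = int(req.get("timestampMillis", 0))
    if ts > now_ms or now_ms - ts > MAX_TOKEN_AGE_MS:
        failures.append("stale or future timestamp")
    # A sideloaded impostor APK is neither PLAY_RECOGNIZED nor signed with the bank's key.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app not recognized by Play")
    if app.get("packageName") != EXPECTED_PACKAGE:
        failures.append("unexpected package name")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        failures.append("unexpected signing certificate")
    # Rooted or emulated devices do not reach MEETS_DEVICE_INTEGRITY.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        failures.append("device integrity not met")
    if acct.get("appLicensingVerdict") != "LICENSED":
        failures.append("app not licensed through Play")
    return failures


def sample_verdict(genuine=True):
    """Constructed verdict: a genuine Play install, or a sideloaded impostor on a rooted phone."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": "nonce-abc123",
                           "timestampMillis": "1000000"},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED" if genuine else "UNRECOGNIZED_VERSION",
                         "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": ["PLACEHOLDER_SIGNING_CERT_SHA256" if genuine else "ATTACKER_CERT"]},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"] if genuine else ["MEETS_BASIC_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "LICENSED" if genuine else "UNLICENSED"},
    }
```

A session is only allowed when the returned list is empty; each failure string is a reason the bank can log and feed into the behaviour-based fraud scoring recommended above.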
8.3. For the Indonesian Public:
Only Use Official App Stores: Never download or install applications from websites, text messages, or WhatsApp links. Only use the official Google Play Store or Apple App Store.
Scrutinize App Permissions: Be highly suspicious of any application that asks for broad or unnecessary permissions, especially access to SMS, Accessibility Services, or the camera.
Install Reputable Mobile Security Software: Use a trusted mobile antivirus application from a well-known security vendor that can help detect and block known malware and phishing sites.
9. Conclusion
The TASPEN mobile malware campaign is a sobering illustration of the evolving threat landscape facing Indonesia. As the nation continues its rapid and commendable journey toward a digital-first society, adversaries will inevitably target the most trusted and vulnerable points of this new ecosystem. This is not a simple case of financial fraud; it is a strategic threat aimed at the heart of public trust and critical digital infrastructure. Its advanced evasion techniques and full-spectrum surveillance capabilities represent a formidable challenge that cannot be met by any single entity acting alone. A successful defense requires a proactive, collaborative, and sustained effort from government, industry, and the public to build a more resilient and secure digital Indonesia for all its citizens.