New Malware Attack Exploiting TASPEN’s Legacy to Target Indonesian Senior Citizens

A sophisticated malware campaign has emerged, targeting Indonesia’s most vulnerable digital citizens through a calculated exploitation of trust in the nation’s pension fund system.

The malicious operation impersonates PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), the state-owned pension fund managing over $15.9 billion in assets for millions of Indonesian civil servants and retirees.

This campaign represents a disturbing evolution in cybercrime tactics, weaponizing institutional trust to conduct large-scale financial fraud against senior citizens who are increasingly encouraged to adopt digital services for pension management.

The attack leverages a meticulously crafted phishing website hosted at taspen[.]ahngo[.]cc, which mimics an official mobile application download page complete with TASPEN’s branding and the Indonesian slogan “Aplikasi Andal, semudah bersama TASPEN” (A reliable app, easy with TASPEN).

The fraudulent site carries fake Google Play and Apple App Store buttons: the Android button triggers a direct download of the malicious APK, while the iOS button shows a deceptive maintenance message in Bahasa Indonesia so the page still looks legitimate to iPhone users.

CloudSEK analysts identified this campaign through their threat intelligence monitoring and found that the malware relies on runtime packing to evade the static analysis that most security scanners perform.

Figure: Attack lifecycle (Source: CloudSEK)

The malicious application is protected by DPT-Shell, an open-source Android packer that encrypts the app's executable code and decrypts and loads it only at runtime, so static analysis of the APK sees only the packer's loader rather than the real payload.

Runtime Payload Deployment and Surveillance Capabilities

The malware’s most concerning aspect lies in its sophisticated deployment mechanism and comprehensive surveillance capabilities once installed on victim devices.

Upon execution, the DPT-Shell loader first decrypts the hidden malicious payload in memory and then writes it to the application's private code_cache directory as a ZIP archive named i111111.zip.

Because the real code exists only after this runtime unpacking, scanners that inspect the APK at rest see only the packer stub; the malicious functionality appears only once the application is actually running on a live device.

Once operational, the malware deploys multiple background services designed for comprehensive data theft.

The SmsService component provides persistent SMS interception capabilities, automatically reading and forwarding all incoming messages including critical two-factor authentication codes.

Simultaneously, the ScreenRecordService enables real-time visual monitoring of all user activities, while the CameraService facilitates facial video capture for biometric data harvesting.

These components work in concert with a ContactData class that systematically exfiltrates the victim’s complete address book, including names, phone numbers, email addresses, and call history.
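The components described above (SMS interception, screen recording, camera capture, contact and call-log theft) each need Android permissions that a pension app has no reason to request, which makes the manifest a cheap first triage check. The following added example is not code from the CloudSEK report or from the malware; it parses the output of the real `aapt dump permissions` command, maps requested permissions to the capabilities named in the article, and flags an APK whose permission set enables several of them. The capability-to-permission mapping, the sample aapt output and the package name are this example's own constructed assumptions.

```python
import re

# Hypothetical mapping (this example's assumption, not from the CloudSEK report)
# from the capabilities described in the article to the Android permissions an
# app normally needs to exercise them. MediaProjection-based screen capture is
# granted through a runtime consent dialog rather than a manifest permission,
# so an empty "screen_recording" hit does not rule that capability out.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "screen_recording": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
                         "android.permission.RECORD_AUDIO"},
    "camera_capture": {"android.permission.CAMERA"},
    "contact_theft": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "network_exfil": {"android.permission.INTERNET"},
}

# Matches both "uses-permission: name='X'" (current aapt) and the older
# "uses-permission: X" form, plus uses-permission-sdk-23 entries.
PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")

# Constructed sample of `aapt dump permissions some.apk` output for a fake
# pension app; the package name and permission set are made up for this example.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.fakepension
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
"""


def parse_permissions(aapt_output: str) -> set[str]:
    """Extract the set of requested permission names from aapt output."""
    return set(PERM_RE.findall(aapt_output))


def matched_capabilities(perms: set[str]) -> dict[str, set[str]]:
    """Map requested permissions back to the spyware capabilities they enable."""
    hits = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        found = needed & perms
        if found:
            hits[capability] = found
    return hits


def triage(aapt_output: str, expected: frozenset[str] = frozenset({"network_exfil"})) -> dict:
    """Flag an APK whose permission set enables capabilities the legitimate app
    would not need. `expected` lists the capabilities that are acceptable."""
    perms = parse_permissions(aapt_output)
    caps = matched_capabilities(perms)
    unexpected = sorted(set(caps) - expected)
    if len(unexpected) >= 2:
        verdict = "suspicious"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "no spyware-style permissions"
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "unexpected": unexpected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AAPT_OUTPUT)
    print(result["verdict"], "->", ", ".join(result["unexpected"]))
```

To use it on a real sample, pipe `aapt dump permissions suspect.apk` into `triage`. Note that a packed APK still declares its permissions in the manifest, so this check works even when DPT-Shell hides the code itself; a clean manifest, however, does not prove anything, since accessibility-service abuse and runtime-granted MediaProjection capture leave no trace here.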

The malware communicates with its command-and-control server at rpc[.]syids[.]top over two channels: HTTP POST requests that carry stolen credentials, and a persistent WebSocket connection used for real-time command execution.
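The two domains named in the article (the phishing host and the C2 server) are the indicators a SOC would sweep proxy or DNS logs for, and the two C2 channels are distinguishable in those logs. The following added example is this editor's code, not the report's or the malware's: it refangs the defanged indicators, matches hosts on whole domain labels so look-alike hosts do not produce false positives, and labels each hit as the download stage, the HTTP POST credential channel or the WebSocket channel. The proxy log format, client addresses and URL paths are constructed for the example; only the two domains come from the report.

```python
import re
from urllib.parse import urlsplit

# Indicators from the CloudSEK write-up, kept in the defanged form used there.
IOCS_DEFANGED = ["taspen[.]ahngo[.]cc", "rpc[.]syids[.]top"]

# Constructed proxy log in a simple "timestamp client method url status" layout
# (this example's own format; adapt LOG_RE to your proxy). Paths and clients
# are made up; only the two domains come from the report.
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:11Z 10.0.5.23 GET https://taspen.ahngo.cc/ 200
2024-05-02T09:14:20Z 10.0.5.23 GET https://taspen.ahngo.cc/download/app.apk 200
2024-05-02T09:16:02Z 10.0.5.23 POST https://rpc.syids.top/api/login 200
2024-05-02T09:16:03Z 10.0.5.23 GET wss://rpc.syids.top/ws 101
2024-05-02T09:17:45Z 10.0.5.40 GET https://pension-portal.example/ 200
2024-05-02T09:18:01Z 10.0.5.41 GET https://xrpc.syids.top.example/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('taspen[.]ahngo[.]cc', 'hxxps://...') back
    into the live form that appears in logs."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(bracketed, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match on whole labels, so 'xrpc.syids.top' or
    'rpc.syids.top.example' never match 'rpc.syids.top'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify_channel(scheme: str, method: str, status: str) -> str:
    """Label the channel the way the report describes them: a WebSocket upgrade
    (ws/wss scheme or HTTP 101) for commands, POST for credential exfiltration."""
    if scheme in ("ws", "wss") or status == "101":
        return "websocket_c2"
    if method == "POST":
        return "http_post_exfil"
    return "http_get"


def scan_log(log_text: str, iocs=IOCS_DEFANGED) -> list[dict]:
    """Return one hit per log line whose host matches a known phishing/C2 domain."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        host = url.hostname or ""
        ioc = next((d for d in domains if host_matches(host, d)), None)
        if ioc is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": host,
            "ioc": ioc,
            "channel": classify_channel(url.scheme, m["method"], m["status"]),
        })
    return hits


def infected_clients(hits: list[dict]) -> dict[str, list[str]]:
    """Group the channels seen per client; a client that shows the C2 channels,
    not just the phishing page, is past the download stage and has run the APK."""
    seen: dict[str, list[str]] = {}
    for h in hits:
        chans = seen.setdefault(h["client"], [])
        if h["channel"] not in chans:
            chans.append(h["channel"])
    return seen


if __name__ == "__main__":
    for h in scan_log(SAMPLE_PROXY_LOG):
        print(h["ts"], h["client"], h["host"], h["channel"])
    print(infected_clients(scan_log(SAMPLE_PROXY_LOG)))
```

Matching on whole labels matters: a naive substring search for `syids.top` would also flag the constructed look-alike `xrpc.syids.top.example`, and a real blocklist hit on a host that merely contains the string is the kind of noise that gets IOC sweeps ignored. A client that only fetched the phishing page needs a different response from one that has already opened the WebSocket channel.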

Figure: Encrypted credential exfiltration (Source: CloudSEK)

When victims enter their banking credentials, the malware encrypts and transmits them to the C2 server while deliberately displaying an Indonesian-language error message, so the successful exfiltration looks to the victim like nothing more than a failed login attempt.

Attribution analysis reveals strong linguistic indicators pointing to Chinese-speaking threat actors, with error messages in Simplified Chinese found embedded within both the phishing infrastructure and C2 server responses.

The campaign’s success threatens to establish a dangerous precedent for similar attacks against other critical Indonesian public institutions, potentially affecting millions of citizens who rely on digital government services for essential financial and healthcare needs.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.