- Malanta.ai uncovered a 14-year-old cybercrime infrastructure in Indonesia resembling state-sponsored operations.
- The network spans more than 320,000 domains, hacked government subdomains, and thousands of malware-laden Android apps.
- The campaign stole over 50,000 game IDs and used AWS and Firebase for C2, raising nation-state suspicions.
Security researchers have discovered a massive cybercrime infrastructure in Indonesia that has been operating around the clock for more than 14 years.
The duration of the operation, the domains involved, the malware in circulation and the data sold on the black market were so extensive that the researchers – Malanta.ai – said the campaign looked more like a nation-state operation than the work of “mere” cybercriminals.
“What started as simple gambling sites has transformed into a global, well-funded and sophisticated state-sponsored attack infrastructure operating across the web, cloud and mobile devices,” Malanta said in a recently published blog.
Is the government involved?
According to the report, the operation had been active since at least 2011. The operators controlled more than 320,000 domains, with more than 90,000 hacked and hijacked. They also controlled over 1,400 compromised and 236,000 purchased subdomains, all used to redirect users to illegal gaming platforms.
To make matters worse, some of the compromised subdomains were on government and corporate servers. In some cases, the threat actors deployed NGINX-based reverse proxies that terminated TLS connections on legitimate government domain names, masking their C2 traffic as legitimate government communications.
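Hijacked or dangling subdomains of the kind described above are usually visible in an organisation's own DNS zone long before an attacker fronts them with a reverse proxy. The following audit is an added illustration, not code from the Malanta report; the domain names, address range and records are constructed, and the list of claimable hosting suffixes is an assumption to be adapted to the services an organisation actually uses.

```python
import ipaddress

# Constructed DNS snapshot of an organisation's subdomains (hypothetical names).
# In practice this is exported from the authoritative zone or a passive-DNS source.
DNS_SNAPSHOT = {
    "www.example-gov.test":     ("A", "203.0.113.10"),
    "portal.example-gov.test":  ("A", "203.0.113.25"),
    "old-app.example-gov.test": ("CNAME", "old-app.example-gov.test.s3-website.amazonaws.com"),
    "promo.example-gov.test":   ("A", "198.51.100.77"),
    "blog.example-gov.test":    ("CNAME", "example-gov.github.io"),
}

# Address space the organisation operates (constructed; RFC 5737 documentation range).
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Hosting suffixes where a deleted resource can be re-registered by anyone:
# a CNAME still pointing there is the classic subdomain-takeover path. (Assumed list.)
CLAIMABLE_SUFFIXES = (".s3-website.amazonaws.com", ".s3.amazonaws.com",
                      ".github.io", ".herokuapp.com")

# External targets the organisation knowingly delegates to and has reviewed.
ALLOWLISTED_CNAME_TARGETS = {"example-gov.github.io"}


def audit_subdomains(snapshot, own_networks, allowlist):
    """Return (subdomain, reason) pairs for records that need a human review."""
    findings = []
    for name, (rtype, target) in sorted(snapshot.items()):
        if rtype == "A":
            addr = ipaddress.ip_address(target)
            # An A record outside our ranges means someone else answers for our name.
            if not any(addr in net for net in own_networks):
                findings.append((name, "A record outside organisation address space: " + target))
        elif rtype == "CNAME":
            if target in allowlist:
                continue
            if target.endswith(CLAIMABLE_SUFFIXES):
                findings.append((name, "CNAME to claimable third-party host (possible dangling record): " + target))
            else:
                findings.append((name, "CNAME to unreviewed external host: " + target))
    return findings


if __name__ == "__main__":
    for subdomain, reason in audit_subdomains(DNS_SNAPSHOT, OWN_NETWORKS, ALLOWLISTED_CNAME_TARGETS):
        print(f"{subdomain}: {reason}")
```

Records flagged by the audit should be confirmed by resolving the CNAME target and checking which certificate the host actually serves, since a hijacked subdomain fronted by a reverse proxy still answers under the legitimate name.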
Then there’s the malware ecosystem: researchers discovered “thousands” of malicious Android apps, distributed via public infrastructure (Amazon Web Services S3 buckets).
These apps served as droppers, masquerading as legitimate gaming platforms while deploying malware that granted full access to compromised devices in the background. The backdoors received their commands directly from another piece of public infrastructure: Google’s Firebase Cloud Messaging service.
This resulted in the theft of over 50,000 login credentials across gaming platforms, countless infected Android devices, and hijacked subdomains circulating on the dark web.
“What if this ecosystem isn’t just cybercrime?” the researchers speculate.
The scope, scale and financial backing behind this infrastructure correspond far more closely to the capabilities typically associated with state-sponsored threat actors.
Via Cybersecuritynews