Recently, a report by Infoblox Threat Intel (USA) in collaboration with Vietnamese NGO Chong Lua Dao revealed a dangerous threat: a sophisticated Android banking Trojan is being operated from scam compounds in Cambodia, including K99 Triumph City in Sihanoukville.
This is not a common scam. This is Malware-as-a-Service (MaaS): a publicly available malware platform that various crime groups can use to perform surveillance, steal data, and transfer money directly from a victim’s bank account.
How dangerous is this Trojan?
When a victim is tricked into downloading and installing a fake application, the Trojan will:
- Take full control of the mobile device
- Monitor the device in real time (camera, microphone, messages, calls)
- Steal login information, passwords, and biometric data (faces)
- Block bank OTPs and make wire transfers without the victim’s knowledge
- Use a fake KYC verification overlay (superimposed screen) to trick victims into scanning their faces
This campaign targeted victims in at least 21 countries on four continents, including Vietnam, Thailand, Indonesia, the Philippines and many others.
Attackers use hundreds of fake lookalike domains to lure their victims into downloading harmful apps. They often impersonate government agencies, banks, tax departments, airlines, etc. Here are some of the domains that have been identified:
| Domain | Impersonated target |
|---|---|
| vsgo.cc | Philippine Social Security System |
| nmxgo.cc | South African Police |
| orgo.cc | Indonesian State Pension Fund |
| idphil.net | Ministry of Information and Communications of Philippines |
| immigration-kr.net | South Korea’s Immigration Department |
| openbank-es.com | Openbank Spain |
| pajakgoid.com | General Department of Taxation of Indonesia |
| cedula-registraduria-gov.org | Colombian Civil Registry |
| egov.nbsvgo.cc | Philippine government (changed targets several times) |
| sss.oiago.cc | Philippine Social Security System |
Recognition Characteristics:
- Domain names are usually a short form + “go”, “gov” or a country code (ph, th, vn, ind…).
- Common TLDs: .cc, .top, .xyz, .vip.
- About 35 new domains appear each month.
- Many domains are hidden behind Cloudflare.
Important Note: The above list is just an example. The domain names change constantly. Never click an unrecognized link that asks you to download an app, especially if it is sent via Twitter, Facebook Messenger, SMS, or an email that says something like “tax information update,” “account verification,” “visa check,” or “government support.”
What is particularly alarming is that the Trojan is operated from K99 Triumph City, Cambodia’s infamous scam compound that employs forced labor. Trafficked victims brought there were forced to do inhuman and unethical work:
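The recognition characteristics above, written as a DNS-log triage heuristic. This is an added example, not code from this page or from the Infoblox report; the `score_domain` and `triage` names, the 8-character "short" threshold and the two `.example` names are assumptions, while the other sample domains come from the table above.

```python
# Indicators copied from the "Recognition Characteristics" list on this page.
SUSPICIOUS_TLDS = {"cc", "top", "xyz", "vip"}
SUFFIX_TOKENS = ("gov", "go", "ph", "th", "vn", "ind")
SHORT_LABEL_MAX = 8  # assumption: the page does not define "short form"


def score_domain(fqdn):
    """Return (score, reasons); score counts matching indicators (0 to 2)."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return 0, []
    # Naive split: last label is the TLD, the one before it the registered name.
    # Assumption: no multi-part suffixes (co.uk etc.); use a Public Suffix List
    # in production so subdomains and suffixes are separated correctly.
    tld, name = labels[-1], labels[-2]
    reasons = []
    if tld in SUSPICIOUS_TLDS:
        reasons.append("tld ." + tld)
    last_token = name.split("-")[-1]
    short_with_suffix = len(name) <= SHORT_LABEL_MAX and name.endswith(SUFFIX_TOKENS)
    if short_with_suffix or last_token in SUFFIX_TOKENS:
        reasons.append("name pattern")
    return len(reasons), reasons


def triage(queries):
    """Group queried names by score so the strongest matches are reviewed first."""
    buckets = {2: [], 1: [], 0: []}
    for q in queries:
        score, _ = score_domain(q)
        buckets[score].append(q)
    return buckets


# Constructed DNS-query sample: six domains from the table above plus two
# made-up benign names under reserved suffixes for contrast.
SAMPLE_QUERIES = [
    "vsgo.cc", "egov.nbsvgo.cc", "sss.oiago.cc",
    "cedula-registraduria-gov.org", "openbank-es.com", "idphil.net",
    "www.example.com", "youth.example",
]

if __name__ == "__main__":
    for score, names in triage(SAMPLE_QUERIES).items():
        print(score, names)
```

In this sample `openbank-es.com` and `idphil.net` score 0 while the benign `youth.example` scores 1, so the name pattern is a signal for prioritising review, not a blocklist.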
- Send deceptive messages
- Guide victims to install malware applications
- Perform the steps to transfer money from the hacked account
The Chong Lua Dao organisation helped rescue some of the victims and collected screenshots and closed group messages as direct evidence that the domains were being used in the K99 area. The compound is linked to several politically connected individuals and corporations in Cambodia, although the government is carrying out crackdowns.
Tips
- Don’t download apps from unknown links. Only download bank or government apps from the official Google Play or App Store.
- Double-check the URL before clicking it. Avoid domains with unfamiliar endings (.cc, .top, .xyz…).
- Do not grant camera, microphone, or message permissions to unknown applications.
- Do not scan your face when an unfamiliar screen overlay appears.
- Enable two-factor authentication (2FA) and biometric locking for all bank accounts.
- If you suspect an infection: disconnect from the internet immediately, contact your bank to temporarily close your account, and report it to the authorities.
Fraud centers in Cambodia are combining high technology (complex malware, AI, deepfakes) with forced labor to create industrial-scale fraud campaigns. This is a real threat to Vietnamese users.
Students in the Department of Cybersecurity need to raise awareness to protect themselves and their families and can contribute to fighting this type of cybercrime in the future.
References: Report “Scams, Slaves and (Malware-as-a) Service: Tracking a Trojan to Cambodia’s Scam Centers” by Infoblox Threat Intel & Chong Lua Dao (April 10, 2026).
Support Information:
- Chong Lua Dao: https://chongluadao.vn (Organization to Support Victims of Human Trafficking and Fraud)
- If you need to report an incident: Contact the National Cyber Security Center (NCSC) or the Bureau of Cyber Security and Hi-Tech Crime Prevention Lifeline at 1-800-273-TALK.
NPM
POST AND TELECOMMUNICATIONS TECHNOLOGY SECURITY SCHOOL (PTIT)
Address: 10th Floor, Building A2, Posts and Telecommunications Technology Academy,
Km10, Nguyen Trai Road, Q. Ha Dong, Hanoi
Website: https://infosec.ptit.edu.vn
Email: attt@ptit.edu.vn
Fanpage: facebook.com/KhoaATTT.PTIT