Android Trojan tied to forced-labour scam centers impersonates banks and governments in at least 21 countries, bypassing biometrics and SMS security.
DUBAI, UAE, April 2026: Incidents of malware-enabled fraud and remote-access scams have surged alongside industrial-scale scam operations in Southeast Asia, with governments across the region issuing warnings in recent years. But connecting specific malware to the notorious compounds has been elusive – until now. In new joint research, Infoblox Threat Intel and Vietnamese non-profit Chong Lua Dao uncovered an Android banking trojan that is likely operated from multiple locations, including the K99 Triumph City compound in Cambodia, a site previously flagged by the UN and others for large-scale scams and forced labour.
The team uncovered the operation after a spike in anomalous DNS traffic across Infoblox customer networks led to a previously undocumented “malware-as-a-service” platform. The service registers about 35 new domains every month to spoof banks, social-security agencies, tax authorities, utilities and law enforcement in at least 21 countries, with heaviest activity against users in Indonesia, Thailand, Spain and Türkiye.
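The discovery path described above (lookalike bank and agency domains surfacing in DNS query traffic) is something a defender can hunt for on their own resolver logs. The script below is an added example written for this page; it is not code from Infoblox Threat Intel or Chong Lua Dao. It assumes a simple log format of timestamp, client IP and queried name, and the brand watchlist, lure words, suspect TLD list, scoring weights and sample domains are all constructed for illustration. A real deployment would also feed in domain registration age (the page notes the service registers roughly 35 new domains a month), which this example only approximates through the TLD heuristic.

```python
"""Lookalike-domain triage over DNS query logs.
Added example, not code from Infoblox Threat Intel or Chong Lua Dao. Log format,
watchlists, TLD list and weights are illustrative assumptions; domains are constructed."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <client_ip> <queried_name>" (not real IOCs).
SAMPLE_LOG = """\
2026-04-02T09:14:05Z 10.0.3.17 www.example-bank.com
2026-04-02T09:14:09Z 10.0.3.17 examp1e-bank-login.xyz
2026-04-02T09:15:30Z 10.0.5.22 tax-refund-portal.top
2026-04-02T09:15:31Z 10.0.5.22 cdn.example.com
2026-04-02T09:16:02Z 10.0.3.17 example-bank-kyc-update.info
2026-04-02T09:16:40Z 10.0.7.4 socialsecurity-verify.click
"""
# Assumed watchlists a defender keeps for its own brands and local agencies.
BRAND_TERMS = {"examplebank"}                            # hyphens stripped for matching
GOV_TERMS = {"tax", "refund", "socialsecurity", "gov"}
LURE_TERMS = {"login", "kyc", "verify", "update", "portal", "secure"}
SUSPECT_TLDS = {"xyz", "top", "click", "info", "icu"}   # assumption: cheap disposable TLDs
ALLOWLIST = {"example-bank.com", "example.com"}          # the genuine registrable domains
FLAG_THRESHOLD = 4

@dataclass
class Finding:
    client: str
    qname: str
    score: int
    reasons: list[str]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, so single-character typosquats (examp1e) still match the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(qname: str) -> str:
    """Naive last-two-labels cut; production code should use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def score_domain(qname: str) -> tuple[int, list[str]]:
    """Score one queried name; higher means more likely a bank/government lure."""
    dom = registrable_domain(qname)
    if dom in ALLOWLIST:
        return 0, []
    name, _, tld = dom.rpartition(".")
    tokens = [t for t in re.split(r"[-.]", name) if t]
    joined, score, reasons = "".join(tokens), 0, []
    # Brand impersonation: any run of consecutive tokens within edit distance 1 of a brand.
    runs = ["".join(tokens[i:j]) for i in range(len(tokens)) for j in range(i + 1, len(tokens) + 1)]
    for brand in BRAND_TERMS:
        hit = next((r for r in runs if levenshtein(r, brand) <= 1), None)
        if hit:
            score += 3
            reasons.append(f"brand lookalike {hit!r} ~ {brand!r}")
            break
    if any(term in joined for term in GOV_TERMS):
        score += 2
        reasons.append("government/agency theme")
    lures = sorted(set(tokens) & LURE_TERMS)
    if lures:
        score += min(2, len(lures))
        reasons.append(f"credential-lure terms {lures}")
    if tld in SUSPECT_TLDS:
        score += 2
        reasons.append(f"suspect TLD .{tld}")
    return score, reasons

def triage(log_text: str) -> list[Finding]:
    """Parse log lines, score each name, return findings at or above threshold, worst first."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        _ts, client, qname = parts
        score, reasons = score_domain(qname)
        if score >= FLAG_THRESHOLD:
            findings.append(Finding(client, qname.lower(), score, reasons))
    return sorted(findings, key=lambda f: -f.score)

def clients_at_risk(findings: list[Finding]) -> Counter:
    """Devices that resolved several flagged names are the ones to pull for forensics."""
    return Counter(f.client for f in findings)

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.score:2d} {f.client:<10} {f.qname:<30} {'; '.join(f.reasons)}")
    print("per client:", dict(clients_at_risk(hits)))
```

On the constructed sample, the genuine bank and CDN names score zero because their registrable domains are allowlisted, while the four lure names are flagged and the client that resolved two of them (10.0.3.17) surfaces first in the per-client tally. The scoring is deliberately additive so that a single weak signal (a brand word alone, or a cheap TLD alone) does not trip the threshold; it is the combination of impersonation, lure vocabulary and disposable infrastructure that characterises the campaign the page describes.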
Once victims install the fake “government” or “banking” app, operators gain full control of the device. The trojan can capture facial-recognition data during spoofed KYC checks, intercept SMS one-time passcodes and silently log in to mobile banking apps to move funds across borders – turning biometrics and OTPs from safeguards into attack surfaces for account-takeover fraud.
“These aren’t random one-off scams. They’re factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims.”
The research shows that unless banks, fintechs and governments harden their Android and mobile channels beyond SMS and basic biometrics, they should expect more coordinated cross-border raids on customer accounts – and tougher questions from regulators about the resilience of their mobile-fraud defences.
About Infoblox Threat Intel:
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox:
Infoblox unites networking, security and cloud with a protective DDI platform that delivers enterprise resilience and agility. Trusted by over 6,000 customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise.