{"id":8513,"date":"2026-04-09T06:55:19","date_gmt":"2026-04-09T11:55:19","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13258"},"modified":"2026-04-09T06:55:19","modified_gmt":"2026-04-09T11:55:19","slug":"scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/04\/09\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers\/","title":{"rendered":"Scams, Slaves and (Malware-as-a) Service: Tracking a Trojan to Cambodia\u2019s Scam Centers"},"content":{"rendered":"<p><strong>Authors: Infoblox Threat Intel and Chong Lua Dao<\/strong><\/p>\n<p>Incidents of malware-enabled fraud and remote access scams have been on the rise against the backdrop of proliferating industrial-scale scam operations in Southeast Asia, with many countries in the region issuing official <a href=\"https:\/\/www.police.gov.sg\/Media-Room\/News\/20230920_police_advisory_on_new_variant_of_malware_scams\" target=\"_blank\">warnings<\/a> over the past three years. But connecting specific malware to the notorious compounds has been elusive \u2026 until now. In collaboration with the Vietnamese <a href=\"https:\/\/chongluadao.vn\/en\/\" target=\"_blank\">non-profit Chong Lua Dao<\/a>, we uncovered an Android banking trojan that is likely operated from multiple locations including the K99 Triumph City compound in Cambodia. This conclusion relies on technical analysis, testimony from an escapee, and evidence taken from the facility by the human trafficking victim. 
The compound has been widely reported by the United Nations and other organizations as a scam center with connections to high-ranking political elites and the use of forced labor to run extensive malicious text, voice, and email campaigns.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers.png?w=640&#038;ssl=1\"><\/p>\n<p>A surprising spike in DNS queries from our cloud customer environments led us to the malware, where we ultimately identified a sophisticated malware-as-a-service (MaaS) platform capable of facilitating real-time surveillance, credential theft, data exfiltration\u2014including biometrics\u2014and financial fraud. We discovered hundreds of domains used to target victims, many of which are crafted to look like government institutions. We first saw the DNS anomalies a year ago, but we can date the trojan back to at least 2023.<\/p>\n<p>We see approximately 35 new domains registered each month. Within the Infoblox Threat Defense Cloud customer base, those most affected are from Southeast Asian, European, and Latin American countries, with the highest volume of queries associated with customers based in Indonesia, Thailand, Spain, and T\u00fcrkiye, highlighting the actor\u2019s global reach and potential impact.<\/p>\n<p>Further investigation surfaced infrastructure and behavioral overlaps between this MaaS and activity previously attributed to threat actors tracked as <a href=\"https:\/\/insights.infoblox.com\/resources-report\/infoblox-report-vigorish-viper-a-venomous-bet\" target=\"_blank\">Vigorish Viper<\/a> and <a href=\"https:\/\/insights.infoblox.com\/resources-report\/infoblox-report-vault-viper-high-stakes-hidden-threats\" target=\"_blank\">Vault Viper<\/a>. 
Those links reveal an expansive, multilingual scam targeting victims in at least 21 countries across four continents, as shown in Figure 1. Based on linguistic artifacts, infrastructure patterns, and operational characteristics, we assess that the malware is likely attributed to an unknown Chinese-speaking MaaS administrator servicing multiple scam centers in the Mekong region, where forced labor has been reported, and which are used to distribute malware and operate scams.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-1.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\"><strong>Figure 1.<\/strong> Countries in which campaigns impersonating government services and other organizations were observed; the full scope of targeting is possibly much larger.<\/p>\n<p>Chong Lua Dao helped liberate some of the prisoners who were forced to run scams from within the K99 Triumph City compound and helped draw the connection with this specific trojan. Key details about the inner workings of the scams provided by those escapees, along with malware analysis from Chong Lua Dao, have paved the way for us to peek further behind the curtain and gain real-time visibility into the operation. We were able to observe just how intrusive this trojan is, handing attackers full control over infected devices and allowing them to monitor victims and steal data directly. We also found evidence of segmented C2 panels labeled by target country (e.g., \u201cIndonesia Group,\u201d \u201cBrazil Group,\u201d \u201cEgypt Group\u201d) and in some cases by what appears to be distinct customer names\u2014showing structured operational divisions and coordinated management.<\/p>\n<p>This report includes details of the operation, obtained directly from people who were held captive in the K99 compound and forced to participate in cybercrime. 
In addition to their testimony, the escapees provided screenshots that give direct evidence linking the domains we are tracking to activity associated with the compound.<\/p>\n<p><em>Our findings are based on a combination of technical analysis, infrastructure patterns, and corroborating evidence from source testimony and recovered data. While the technical indicators support identification of the malware platform and its broader use, the association with specific locations, including K99 Triumph City, is based on this combined evidence and reflects our analytical assessment.<\/em><\/p>\n<h3>DNS Origins and Patterns<\/h3>\n<p>In March 2025, we observed a sudden surge in customer queries (Figure 2) alongside a sharp increase in domain registrations. Our data shows that most of the affected customers were from Southeast Asian, European, and Latin American countries, with the highest volume of queries coming from customers based in Indonesia, Thailand, Spain, and T\u00fcrkiye. These anomalies led us to investigate and ultimately uncover an Android banking trojan.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-2.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 2. Volume of malware-related DNS queries in Infoblox Threat Defense Cloud customer networks, Jan-Dec 2025<\/p>\n<p>The operation remains active, registering around 35 new domains per month\u2014both registered domain generation algorithm (RDGA) domains and lookalike domains\u2014that impersonate legitimate organizations and government services to distribute the malware. The domains are designed to spoof banks, pension funds, social security organizations, utility providers, and various revenue, immigration, telecom, and law enforcement agencies. 
See Table 1 for several examples.<\/p>\n<table>\n<thead>\n<tr>\n<th><strong>Domain<\/strong><\/th>\n<th><strong>Target (Country or Organization)<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>vsgo[.]cc<\/td>\n<td>Philippines Social Security System<\/td>\n<\/tr>\n<tr>\n<td>nmxgo[.]cc<\/td>\n<td>South African Police Service<\/td>\n<\/tr>\n<tr>\n<td>orgo[.]cc<\/td>\n<td>Indonesian State-Owned Pension Fund<\/td>\n<\/tr>\n<tr>\n<td>idphil[.]net<\/td>\n<td>Philippines Department of Information and Communications Technology<\/td>\n<\/tr>\n<tr>\n<td>immigration-kr[.]net<\/td>\n<td>South Korean Immigration Bureau<\/td>\n<\/tr>\n<tr>\n<td>openbank-es[.]com<\/td>\n<td>Openbank Spain<\/td>\n<\/tr>\n<tr>\n<td>googleplay[.]djppajakgoid[.]com<\/td>\n<td>Indonesian Directorate General of Taxes<\/td>\n<\/tr>\n<tr>\n<td>cedula-registraduria-gov[.]org<\/td>\n<td>Colombian National Civil Registry<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 1. 
Sample RDGA and lookalike domain patterns<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Figure 3 below shows several examples of the lures used. More recently, the scope of the scam has expanded, both geographically and contextually, to include lures targeting airlines and e-commerce platforms, as well as countries in Africa and Latin America.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-3.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\"><strong>Figure 3.<\/strong> Screenshots of samples of targeted lure pages distributing the malware, impersonating entities including the Brazilian Federal Revenue Service, Ryanair, Openbank, and South African Police Service<\/p>\n<p>We analyzed 400 targeted lure domains that were registered in 2025 and used to deceive and infect victims. This report presents evidence indicating that these domains are part of a coordinated, centrally managed operation designed for scale and resilience.<\/p>\n<p>Domain registration for the lures is primarily with Hong Kong-based registrars Dominet (64%), Domain International Services (10%), and Namemart\u2014formerly Domain International Services\u2014(7%), representing 81% of identified infrastructure (Figure 4). The actor heavily favors .com, .top, and .cc top-level domains (TLDs), which account for approximately 86% of all domains. Most domains are hidden behind Cloudflare.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-4.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 4. 
Targeted lure domain registrar distribution.<\/p>\n<p>There appears to be a strategy to the creation of the domain names: a 2-5 character prefix followed by a carefully chosen suffix (usually \u2018go\u2019 or \u2018gov\u2019). This is likely done to resemble the .go and .gov TLDs, supporting the actor\u2019s social engineering and government impersonation efforts. In some cases, domain names include specific geographic targeting, evidenced by short suffixes such as \u2018ph,\u2019 \u2018th,\u2019 and \u2018vn,\u2019 as well as longer ones including \u2018ind,\u2019 \u2018mxco,\u2019 \u2018peru,\u2019 and \u2018africa.\u2019<\/p>\n<p>Domains used for C2 and other management panels are named slightly differently, and use the .top, .xyz, .vip, and .pro TLDs, although there is a clear preference for .top (39 of 42 active C2 domains). All C2 domains use Domain International Services and Namemart registrars and DomainNameDNS name servers.<\/p>\n<h3>The Attack Chain<\/h3>\n<p>The attack consists of several stages and utilizes a customizable kit that can be configured to produce multiple variants of the malware (Figure 5). Through a variety of mechanisms, the user is led to a website that imitates legitimate services that are typically banking or government-related.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-5.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 5. Simplified attack chain of the APK banking trojan<\/p>\n<p>These lure sites prompt the user to download a mobile app, which uses base64-encoded JavaScript to deliver a 23MB malicious APK trojan. 
When users click the download button, the script retrieves the file in chunked segments while displaying a fake progress bar, ultimately resulting in the installation of the malware.<\/p>\n<p>When the APK is executed, the app displays a fake login screen, like the ones shown in Figure 6. The actual login screen varies depending on the attack.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-6.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\"><strong>Figure 6.<\/strong> Screenshots of sample login screens following installation, impersonating the Thai Provincial Electrical Authority, Brazilian Receita Federal, and LATAM Airlines<\/p>\n<p>Once installed, the malware assumes the structure of a versatile banking trojan featuring a range of invasive surveillance capabilities. As shown in Figure 7, the malware\u2019s core functionality includes real-time remote monitoring, SMS and phone call interception, camera and microphone access, credential harvesting, and the ability to install additional software. It also contains a comprehensive device fingerprinting module that systematically harvests detailed hardware and system information, which is then aggregated and exfiltrated to the attacker\u2019s C2.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-7.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 7. Malware core functionality. 
Source: Chong Lua Dao<\/p>\n<h3>Intel Inside<\/h3>\n<p>As displayed in Figures 8 and 9, by taking a look at the code, we see that some early samples include hardcoded IP, port, login API, encryption key, and other data; while later samples use an internal decryption function to dynamically retrieve the IP address at runtime, removing any static artifacts from the codebase. This change, coupled with updated BuildConfig timestamps, shows the malware is still being actively developed.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-8.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 8. Build configuration displaying hardcoded C2 IP and other data. Source: Chong Lua Dao<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-9.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 9. Alternate sample no longer displaying hardcoded C2 IP. Source: Chong Lua Dao<\/p>\n<p>Given the weaker operational security (OPSEC) seen in older samples, it seemed fair to assume that other mistakes would have been made, and it didn\u2019t take long for Chong Lua Dao to find an exposed C2 server that lacked proper access controls. This enabled us to monitor the activity of multiple operators and directly observe infections and attacker behavior in real time.<\/p>\n<p>We observed operators, via access to exposed infrastructure, deploying customizable permissions dialogs and overlay screens to deceive victims while exfiltrating data including contacts, notes, photos, and SMS and call logs, which can immediately be used to support further attacks. 
We also observed operators using a web-based admin panel to manage multiple infected devices concurrently while employing distinct workflows that varied from victim to victim.<\/p>\n<p>As displayed below in Figure 10, during operation, the victim is shown a spoofed digital verification or know-your-customer (KYC) overlay while the attacker simultaneously triggers biometric capture in the background. Facial recognition data is then used to authenticate into the victim\u2019s online banking application without their knowledge. By intercepting the bank\u2019s SMS OTP code, the operator has full access to the victim\u2019s bank accounts and can transfer funds wherever they wish.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-10.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 10. Screenshots of 1) an operator directing a Philippine victim to install a malicious APK at sss.oiago[.]cc using Facebook Messenger, 2) the operator subsequently deploying a KYC verification overlay, 3) and 4) the operator withdrawing victim funds from BBVA Mexico. Source: Chong Lua Dao<\/p>\n<p>The MaaS administrator uses unique subdomain names, including \u2018kef,\u2019 \u2018ador,\u2019 and \u2018rpc,\u2019 as well as \u2018adm,\u2019 and \u2018apim\u2019 for C2 and various Android application management panels. These and other subdomain names form a signature that, combined with DNS data, lets us identify additional C2s suspected of being set up to support multiple customers (criminal operators) concurrently. 
This includes a range of segmented C2 panels labeled by target country (e.g., \u201cIndonesia Group,\u201d \u201cBrazil Group,\u201d \u201cEgypt Group\u201d) and in some cases by what appears to be distinct customer names\u2014indicating structured operational divisions and coordinated management. Analysis further revealed panels that appear dedicated to modified bank app development and reverse engineering, facial recognition and malware evasion testing, and AI chatbot and deepfake voice integrations. These are displayed below in Figures 11 and 12.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-11.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 11. Screenshots of sample admin panels for dedicated Thailand- and Africa-facing operations as well as modified online banking application development. Source: Chong Lua Dao<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-12.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 12. Screenshots of facial recognition testing and AI tool management panels identified by Infoblox Threat Intel and Chong Lua Dao<\/p>\n<p>We were able to peek under the hood of the MaaS administrator\u2019s custom APK management platform shown above, ironically sitting on safeapk[.]xyz, revealing a range of custom apps impersonating organizations in Thailand. 
As shown in Figure 13, this includes what appear to be apps impersonating Thai Airways, Kasikorn Bank, LX International, the Office of Insurance Commission, and the Tourism Authority of Thailand, consistent with earlier campaigns visible in historic DNS records.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-13.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 13. Screenshot of an APK management panel. Source: Chong Lua Dao<\/p>\n<p>Analysis of associated infrastructure and domains indicates that the same infrastructure has been used in other activities including phishing and cryptocurrency investment or <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/scaling-the-fraud-economy-pig-butchering-as-a-service\/\" target=\"_blank\">pig butchering<\/a> scams. They used domains like lx-yindu[.]top and orbiixtrade[.]com to impersonate the Supreme Court of India and Thailand\u2019s Orbix crypto trading platform, shown in Figure 14, with the former notably reported in an <a href=\"https:\/\/cdnbbsr.s3waas.gov.in\/s3ec0490f1f4972d133619a60c30f3559e\/uploads\/2025\/01\/2025010961-1.pdf\" target=\"_blank\">official notice<\/a> issued by the Indian Government.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-14.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 14. 
Screenshots of sample phishing and pig butchering pages<\/p>\n<h3>OPSEC Is Hard (especially when using forced labor): A Case Study<\/h3>\n<p>In late 2025, captives contacted Chong Lua Dao seeking rescue from the compound in Sihanoukville, Cambodia, a cybercrime hub connected to <a href=\"https:\/\/insights.infoblox.com\/resources-report\/infoblox-report-vigorish-viper-a-venomous-bet\" target=\"_blank\"><strong>Vigorish Viper<\/strong><\/a>. The insiders claimed to have been beaten and electrocuted for missing performance targets\u2014allegations that are consistent with reporting from the United Nations and other organizations that have <a href=\"https:\/\/www.unodc.org\/roseap\/uploads\/documents\/Publications\/2024\/Casino_Underground_Banking_Report_2024.pdf\" target=\"_blank\">documented<\/a> similar incidents from this location in recent years.<\/p>\n<p>The individuals were successfully rescued from the K99 compound, and the evidence that they were able to share (closed-group chat logs, screenshots, and other data) further validated our findings and confirmed that there was a service-based malware distribution and scam operation running on associated infrastructure. Their evidence also showed that several domains (Figure 15) from our initial cluster were used in the scam, providing strong support for our assessment that our findings are linked to the K99 site (Figure 16).<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-15.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 15. Screenshots of domains used to impersonate the Ministry of Public Security and the Ministry of Finance, General Department of Taxation, distributed to operators in private group chats used by a fraud network based in K99 Triumph City, Sihanoukville, Cambodia. 
Source: Chong Lua Dao<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-16.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 16. Message from a captive worker to Chong Lua Dao requesting rescue from a location identified as K99 Triumph City in Sihanoukville, Cambodia.<\/p>\n<p>As shown below in Figure 17, examination of one insider\u2019s workstation showed detailed personal and corporate data used to inform victim targeting as well as tailored scripts and fraudulent government documents used in social engineering. It also features a fraudulent government notice letter issued to targeted business owners or employees concerning the implementation of a new digital identification and value-added tax (VAT) reduction program for registered Vietnamese enterprises. Adjacent campaigns also impersonate dozens of other government services ranging from utility providers to law enforcement.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-17.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 17. Screen capture of an insider\u2019s workstation at K99 Triumph City. Source: Chong Lua Dao<\/p>\n<p>According to the escapee, people working in the compound initially contact their targets by phone using eyeBeam, a Voice-over-IP (VoIP) application, to impersonate government officials. They later migrate communications to the popular messaging app, Zalo, and send a link or QR code directing the victim to a targeted lure page (described earlier). 
They then instruct the victims to install the malicious APK and grant extended permissions on their device, disregarding any system warnings.<\/p>\n<p>In what follows, the operator closely monitors the infected device before ultimately deploying harvested credentials to gain access to the victim\u2019s banking app. They proceed to intercept a one-time passcode through SMS to validate their identity before finally manipulating their victim to perform a biometric verification process (facial recognition) via a convincing overlay screen. By this point the victim is fully convinced that these actions are necessary to comply with the \u201cnew government program.\u201d<\/p>\n<p>The unfortunate reality is that the victim has just completed the final step granting the scammer complete access to their online banking. This sequence of events is shown below in Figure 18 using images captured during a real attack.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-18.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 18. Screenshot of scam operator deploying KYC verification overlay screen, using the victim\u2019s face scan to gain access to the targeted online banking account in the background. Source: Chong Lua Dao and Infoblox Threat Intel<\/p>\n<h3>K99 Group and Links to Vigorish Viper and Vault Viper<\/h3>\n<p>According to official corporate registry filings we have obtained, K99 Triumph City is owned by Cambodia\u2019s K99 Group, a conglomerate consisting of a range of casino and online gambling, property development, and investment companies. 
The group is chaired by tycoon Rithy Raksmei (aka Xie Liguang), an extended family member of one of Cambodia\u2019s wealthiest men, Senator Kok An, who has been identified in reporting as <a href=\"https:\/\/world.thaipbs.or.th\/detail\/fugitive-cambodian-alleged-scam-boss-kok-an-wanted-by-thai-police\/58168\" target=\"_blank\">wanted<\/a> by Thai authorities in connection with cyber-enabled fraud and money laundering.<\/p>\n<p>Both men were recently named in United States Congressional House of Representatives <a href=\"https:\/\/www.congress.gov\/bill\/119th-congress\/house-bill\/5490\/text\" target=\"_blank\">resolution (H.R. 5490)<\/a> as foreign persons allegedly involved in transnational criminal syndicates perpetuating mass online scam operations and have been described in reporting as facilitating local access through formal business partnerships with criminal networks operating in Southeast Asia. This includes syndicates led by convicted triad boss, Alvin Chau of Suncity Group, and U.K.- and U.S.-<a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0237\" target=\"_blank\">sanctioned<\/a> Dong Lecheng, <a href=\"https:\/\/www.congress.gov\/bill\/119th-congress\/house-bill\/5490\/text\" target=\"_blank\">among others<\/a> involved in one of the most notorious clusters of scam centers in Sihanoukville, Cambodia, commonly known as \u2018Chinatown,\u2019 displayed in Figure 19.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-19.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 19. Key scam center locations associated with the extended K99 Network, Sihanoukville, Cambodia. 
Source: Cyber Scam Monitor, March 2025<\/p>\n<p>As highlighted in our <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/vault-viper-high-stakes-hidden-threats\/\" target=\"_blank\">past reporting<\/a>, Chinatown is an enclave consisting of several heavily fortified casinos and scam compounds. It quickly emerged as one of the largest cyber-enabled fraud hubs in the world since initial development began around 2017, with these projects extensively linked to Chinese-speaking criminal networks associated with Kok An and Rithy Raksmei.<\/p>\n<p>The concentration of actors tied to this area points to a highly centralized ecosystem, where a relatively small circle of politically connected insiders serve as key facilitators enabling access, protection, and operational continuity for transnational criminal groups. Individuals connected to these compounds have been documented in reporting as linked to regional crime syndicates through high-visibility partnership signings, overlapping corporate structures, and shared infrastructure.<\/p>\n<p>Recent reports from rights groups and other sources suggest that K99 Triumph City remains active despite the Cambodian government\u2019s ongoing crackdown on cybercrime and scams\u2014consistent with patterns observed in large-scale scam center networks.<\/p>\n<p>Alongside K99\u2019s reported links to Senator Kok An, the network has long been described as having close connections to Cambodian political and military elites, shown in Figures 20, 21, and 22. Most notably, this includes K99\u2019s co-location with the Royal Union Investment company and casino, and its former Director, Yim Leak, son of Deputy Prime Minister, Yim Chhay Ly, who is named under the U.S. 
Congress\u2019 proposed <a href=\"https:\/\/www.congress.gov\/bill\/119th-congress\/house-bill\/5490\/text\" target=\"_blank\"><em>Dismantle Foreign Scam Syndicates Act.<\/em><\/a> We also found it interesting that historic records of Leak\u2019s involvement in the company have been scrubbed from Cambodia\u2019s official business registry in recent months. Lucky for us, we\u2019ve kept copies.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-20.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 20. Tycoon, Rithy Raksmei, attends K99 Triumph City groundbreaking ceremony with Cambodian Senator, Kok An, in January 2019. Source: The Cambodia-China Times<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-21.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 21. Screenshot of Royal Union Casino sign photographed at the K99 Triumph City compound in Sihanoukville, Cambodia, December, 2023 (left). Screenshot of Rithy Raksmei photographed with Yim Leak at his wedding in Bangkok, November 2018 (right), and Cambodian Business Registry record indicating Yim Leak\u2019s listed role in Royal Union Investment (bottom). Source: Simon Menet, Facebook, and Ministry of Commerce of Cambodia, Business Registry, March 2026<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-22.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 22. 
Screenshot of K99 Group donation to the Cambodian military, August 2020 (left) and of one of several documented meetings between Rithy Raksmei and current Prime Minister of Cambodia, Hun Manet, December 2021 (right). Source: Facebook<\/p>\n<p>In February 2026, the Anti-Money Laundering Office (AMLO) and Civil Court of Thailand issued a temporary seizure of assets worth 13.07 billion THB (US$407 million) linked by authorities to Yim Leak, Kok An, and others in connection with investigations into transnational cyber-enabled fraud operations.<\/p>\n<h3>Still Kickin\u2019<\/h3>\n<p>The malicious infrastructure remains active and highly resilient, with hundreds of domains supporting multiple concurrent campaigns across three continents at the time of writing. The activity associated with this infrastructure continues to adapt and expand, sustaining large-scale campaigns targeting countries such as Thailand, Indonesia, the Philippines, and Vietnam, while increasingly diversifying into Africa and Latin America.<\/p>\n<p>Ongoing monitoring shows persistent domain rotation activity using RDGAs and new lookalike domain registrations, indicating sustained demand from criminal networks in the region. We have also observed continued integration of new lures along with the repurposing of older domains to support new campaigns. Recent examples in Figure 23 illustrate changes from a Philippine government impersonation lure to one targeting customers of a Moroccan bank, as well as a domain used for Thai-facing investment scams repurposed to impersonate the Philippine government to distribute the malicious APK.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-23.png?w=640&#038;ssl=1\"><\/p>\n<p class=\"image-caption\">Figure 23. 
Top example showing screenshots of changes from a Philippine government impersonation lure on egov.nbsvgo[.]cc to one targeting customers of a Moroccan bank; bottom example showing that vsgo[.]cc was once used for Thai-facing investment scams impersonating the Certified Financial Institute (CFI) and has now been repurposed to impersonate the Philippine government to distribute the malicious APK<\/p>\n<p>Our research demonstrates the resourcefulness and flexibility of scam center-based criminal groups that are rapidly operationalizing the tools being made available to them. With access to large multilingual labor pools, growing technical capability, and sky-high profits, they are not only adopting but adapting and commoditizing malware, infrastructure, and social engineering techniques into versatile and scalable attack models. What emerges is an ecosystem that is agile, experimental, and commercially driven\u2014one where tools are continuously repurposed, refined, and redeployed to maximize reach and profit. 
In this environment, innovation is not a barrier but a baseline, enabling these networks to sustain and expand complex, multi-market fraud operations at pace.<\/p>\n<h3>IOCs<\/h3>\n<table>\n<thead>\n<tr>\n<th><strong>Indicator<\/strong><\/th>\n<th><strong>Description<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>orgo[.]cc<br \/>dkhth[.]com<br \/>ngovbr[.]cc<br \/>avianca.sxjgo[.]cc<br \/>rycnair[.]com<\/td>\n<td>Targeted lure domains impersonating legitimate organizations and government services, used to download the malicious APK<\/td>\n<\/tr>\n<tr>\n<td>vnwd[.]top<br \/>alafrica[.]xyz<br \/>alperu[.]top<\/td>\n<td>C2 domains used by the MaaS administrator<\/td>\n<\/tr>\n<tr>\n<td>103.214.169[.]197<br \/>18.167.169[.]60<br \/>38.47.52[.]4<\/td>\n<td>C2 servers used by the MaaS administrator<\/td>\n<\/tr>\n<tr>\n<td>4fff28eecc0ab6303e4948df77671009dda5b93ed3d1cead527b02d1317426bc<br \/>39ea88f852b25d3c55d605464a3440bd250a577e3e21f52d1eaf94d15aad5b82<br \/>4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a<\/td>\n<td>SHA-256 hashes of samples of the malicious APK<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p> <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Infoblox Threat Intel and Chong Lua Dao Incidents of<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5725,2809,6358,3161,271,474,282,30,1316,1945,6357,168,5724,3872,842,4495,368,49,3378],"tags":[5734,2816,6360,3166,277,477,286,38,1318,1950,6359,169,5733,3874,847,4496,380,57,3381],"class_list":["post-8513","post","type-post","status-publish","format-standard","hentry","category-apac","category-asia","category-banking","category-cambodia","category-china","category-cyber-security","category-cybercrime","category-dns","category-fraud","category-infoblox-threat-intel","category-maas","category-malware","category-mekong","category-organized-crime","category-scam","category-southeast-asia","category-threat-intel","category-threat-intelligence","category-trojan","tag-apac","tag-asia","tag-banking","tag-cambodia","tag-china","tag-cyber-security","tag-cybercrime","tag-dns","tag-fraud","tag-infoblox-threat-intel","tag-maas","tag-malware","tag-mekong","tag-organized-crime","tag-scam","tag-southeast-asia","tag-threat-intel","tag-threat-intelligence","tag-trojan"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-me
dium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apac\/\" rel=\"category tag\">APAC<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/asia\/\" rel=\"category tag\">Asia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/banking\/\" rel=\"category tag\">banking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cambodia\/\" rel=\"category tag\">Cambodia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-security\/\" rel=\"category tag\">cyber security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fraud\/\" rel=\"category tag\">fraud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/infoblox-threat-intel\/\" rel=\"category tag\">Infoblox Threat Intel<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/maas\/\" rel=\"category tag\">MaaS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mekong\/\" rel=\"category tag\">Mekong<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/organized-crime\/\" rel=\"category tag\">organized crime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/scam\/\" rel=\"category tag\">scam<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/southeast-asia\/\" rel=\"category tag\">Southeast Asia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intel\/\" rel=\"category tag\">Threat Intel<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intelligence\/\" rel=\"category tag\">Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/trojan\/\" rel=\"category tag\">trojan<\/a>","tag_info":"trojan","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8513"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8513\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
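The IOC table in the post above lists defanged lure domains, C2 domains, C2 addresses and APK hashes, and the "Still Kickin'" section notes that the operators keep rotating names through RDGAs and registering fresh lookalikes, so a name-only blocklist goes stale quickly. What follows is an added example, not Infoblox or Chong Lua Dao code, of how a defender might triage resolver logs against those indicators: it refangs and classifies the published IOCs, matches query names against the listed domains and their subdomains, pivots on answer addresses so that a newly rotated name resolving to a listed C2 server is still caught, and applies a loose lookalike heuristic for government-impersonation labels such as egov.nbsvgo[.]cc. The log line format, the sample log lines (including the invented name xk3q-update.top and the control host services.example.gov.ph), the list of legitimate government suffixes and the alert wording are constructed assumptions for illustration only.

```python
"""DNS-log triage against the IOC table in the post above.

Added example, not Infoblox or Chong Lua Dao code. Indicators are the ones
published in the IOC table; the log format, sample log lines, legitimate
government suffix list and alert wording are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Indicators copied from the IOC table, still defanged with "[.]".
IOC_TABLE = {
    "orgo[.]cc": "lure domain", "dkhth[.]com": "lure domain",
    "ngovbr[.]cc": "lure domain", "avianca.sxjgo[.]cc": "lure domain",
    "rycnair[.]com": "lure domain",
    "vnwd[.]top": "C2 domain", "alafrica[.]xyz": "C2 domain", "alperu[.]top": "C2 domain",
    "103.214.169[.]197": "C2 server", "18.167.169[.]60": "C2 server", "38.47.52[.]4": "C2 server",
    "4fff28eecc0ab6303e4948df77671009dda5b93ed3d1cead527b02d1317426bc": "APK sample",
    "39ea88f852b25d3c55d605464a3440bd250a577e3e21f52d1eaf94d15aad5b82": "APK sample",
    "4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a": "APK sample",
}
# Suffixes under which a "gov" label is expected (assumption; extend per region).
LEGIT_GOV_SUFFIXES = (".gov", ".gov.ph", ".go.th", ".go.id", ".gov.vn", ".gov.kh", ".gov.br")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as orgo[.]cc back into a matchable value."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def classify(value: str) -> str:
    """Sort a refanged indicator into sha256, ip or domain."""
    if SHA256_RE.fullmatch(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


class IocMatcher:
    def __init__(self, table: Dict[str, str]):
        self.domains: Dict[str, str] = {}
        self.ips: Dict[str, str] = {}
        self.hashes: Dict[str, str] = {}
        buckets = {"domain": self.domains, "ip": self.ips, "sha256": self.hashes}
        for raw, desc in table.items():
            value = refang(raw)
            buckets[classify(value)][value] = desc

    def match_name(self, qname: str) -> Optional[str]:
        """Exact match or any subdomain of a listed domain; lures are served from hostnames."""
        q = qname.lower().rstrip(".")
        for dom, desc in self.domains.items():
            if q == dom or q.endswith("." + dom):
                return f"{desc} {dom}"
        return None

    def match_answer(self, rdata: str) -> Optional[str]:
        """A listed C2 address in the answer catches rotated names the list does not yet have."""
        desc = self.ips.get(rdata)
        return f"{desc} {rdata}" if desc else None


def gov_lookalike(qname: str) -> bool:
    """Loose triage heuristic for lures like egov.nbsvgo.cc: a label containing
    "gov" outside any suffix where that is expected. Also fires on names such as
    governor.example, so treat hits as leads for review, not verdicts."""
    q = qname.lower().rstrip(".")
    if q.endswith(LEGIT_GOV_SUFFIXES):
        return False
    return any("gov" in label for label in q.split("."))


def triage(log_lines: List[str], matcher: IocMatcher) -> List[dict]:
    """Constructed log format: '<timestamp> <client> <qname> <qtype> <answer>'."""
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, qname, _qtype, answer = parts
        reasons = []
        name_hit = matcher.match_name(qname)
        if name_hit:
            reasons.append("name matches " + name_hit)
        answer_hit = matcher.match_answer(answer)
        if answer_hit:
            reasons.append("resolves to " + answer_hit)
        if gov_lookalike(qname):
            reasons.append("government lookalike label")
        if reasons:
            alerts.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return alerts


# Constructed sample log lines, not real telemetry. 198.51.100.0/24 answers are benign
# controls; xk3q-update.top is an invented, unlisted name that resolves to a listed C2.
SAMPLE_LOG = [
    "2026-03-02T08:14:05Z 10.20.1.17 egov.nbsvgo.cc A 198.51.100.9",
    "2026-03-02T08:14:09Z 10.20.1.17 avianca.sxjgo.cc A 198.51.100.33",
    "2026-03-02T08:15:31Z 10.20.3.9 services.example.gov.ph A 198.51.100.20",
    "2026-03-02T08:16:02Z 10.20.5.44 cdn.alperu.top A 103.214.169.197",
    "2026-03-02T08:17:45Z 10.20.1.17 xk3q-update.top A 38.47.52.4",
    "2026-03-02T08:18:10Z 10.20.2.2 www.example.com A 198.51.100.7",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, IocMatcher(IOC_TABLE)):
        print(alert["ts"], alert["client"], alert["qname"], "|", "; ".join(alert["reasons"]))
```

Run it directly to print the alerts for the constructed sample log. The answer-address pivot is the part that survives domain rotation: xk3q-update.top is on no list, yet it resolves to a published C2 server and is flagged. The "gov" heuristic is deliberately loose and is meant to surface leads for analyst review, not to block on its own; tighten LEGIT_GOV_SUFFIXES to the registries your users actually visit before relying on it.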