Indonesian Banking Sector Threat Landscape

Published On : 2026-07-08
Share :
Indonesian Banking Sector Threat Landscape

Executive Summary

This report assesses the cyber threat landscape affecting Indonesia’s Banking, Financial Services, and Insurance (BFSI) sector in 2026, focusing on cyber incidents, underground data breach activity, ransomware operations, and advanced persistent threat (APT) campaigns relevant to the country’s financial ecosystem. Analysis of underground forums and dark web marketplaces identified multiple alleged breach claims involving Indonesian banking institutions, with two incidents supported by sample data that partially substantiates the claims, while another remains unverified due to limited supporting evidence.

Beyond the banking sector, threat activity also targeted fintech platforms, insurance providers, payment service providers, cryptocurrency exchanges, and government-related financial entities, demonstrating sustained criminal interest in Indonesia’s broader financial ecosystem. Financially motivated threat actors continue to exploit compromised data through underground marketplaces for extortion, fraud, credential abuse, and data resale, while ransomware groups including ICARUS and The Gentleman have increasingly adopted data theft and extortion tactics against Indonesian financial organizations.

The assessment further highlights the growing threat posed by China-linked state-aligned actors, including SilverFox, Mustang Panda, Amaranth-Dragon (APT41 Nexus), Lotus Blossom (Spring Dragon/Billbug), and Shadow Campaigns (UNC6619/TGR-STA-1030). These groups continue to demonstrate sophisticated capabilities involving phishing, malware deployment, supply chain compromise, vulnerability exploitation, credential theft, and long-term cyber espionage, reflecting the increasing convergence of financially motivated cybercrime and strategic intelligence collection.

As Indonesia continues to expand its digital banking, fintech, and payment ecosystems, the sector’s attack surface continues to grow. Strengthening cyber resilience through proactive threat intelligence, continuous monitoring of underground activity, effective vulnerability management, enhanced phishing defenses, and mature detection and incident response capabilities remains essential to protecting Indonesia’s financial sector against increasingly sophisticated cyber threats.

Key Findings

  • Multiple threat actors advertised alleged datasets associated with Indonesian banking institutions, demonstrating sustained cybercriminal interest in the country’s BFSI sector.
  • Additional breach claims involving fintech companies, insurance providers, payment service providers, cryptocurrency platforms, and government-related financial entities indicate that adversaries are targeting Indonesia’s wider financial ecosystem rather than traditional banks alone.
  • Financially motivated threat actors continue to monetize stolen information through underground forums and dark web marketplaces using data sales, extortion, credential trading, and fraud-enablement activities.
  • Ransomware groups, including ICARUS and The Gentleman, continued targeting Indonesian financial organizations, relying primarily on data theft and extortion to maximize financial gain.
  • China-linked state-aligned groups including SilverFox, Mustang Panda, Lotus Blossom (Spring Dragon/Billbug), Amaranth-Dragon (APT41 Nexus), and Shadow Campaigns (UNC6619/TGR-STA-1030) demonstrated capabilities highly relevant to Indonesia’s BFSI sector, including phishing, supply chain compromise, malware deployment, vulnerability exploitation, credential theft, and long-term cyber espionage.
  • Phishing and social engineering remain the dominant initial access vectors, increasingly leveraging trusted business processes, software update mechanisms, regulatory themes, and locally relevant lures to compromise financial organizations.
  • Indonesia’s rapid digital transformation, expanding fintech ecosystem, and growing regional financial connectivity continue to increase exposure to both financially motivated cybercriminals and sophisticated state-sponsored espionage actors.

Indonesian Banking Sector Threat Landscape:

Incident 1

Attribution Confidence: Low to Medium

On 11 May 2026, a threat actor operating under the TripleX claimed responsibility for a significant data breach affecting a banking sector organization in Indonesia, which is among Indonesia’s largest state-owned financial institutions. The claim was published on an underground platform where the actor alleged unauthorized access to company systems and the theft of approximately 2 TB of data.

According to the advertisement, the exposed dataset allegedly contains customer information collected between 2024 and 2026, including contracts, passport details, national identification documents, and other customer-related records. The threat actor further provided sample files and a download link hosted on a Tor-based (.onion) platform to support the claim.

Source: Underground forum

Threat Actor Assessment – TripleX
TripleX is an emerging threat actor/Data broker observed across data-leak platforms. The group appears to focus primarily on large-scale data theft and public disclosure activities targeting financial institutions, government organizations, and large enterprises.

Unlike traditional ransomware groups that rely primarily on encryption-based extortion, TripleX appears to leverage stolen data as its primary means of monetization. The actor’s operational behavior suggests an emphasis on obtaining large datasets for extortion, reputation damage, or resale within underground marketplaces.

Despite the public breach claim, limited intelligence is currently available regarding the group’s infrastructure, malware capabilities, or operational history. Consequently, attribution remains preliminary and should be treated with moderate caution until additional intelligence becomes available.

Breach Claim Validation:
Analysis of the published evidence indicates that the threat actor possesses a structured repository of documents that appear consistent with banking-related customer records. The released screenshots reveal indexed PDF documents, customer names, document references, and administrative file naming conventions commonly associated with financial institutions.

However, the available evidence is insufficient to conclusively determine whether:

  • The data originated directly from Bank systems.
  • The advertised dataset size accurately reflects the exposed data.
  • The records remain current and unaltered.
  • The threat actor obtained the data through direct compromise, third-party access, or another source.

At the time of analysis, no official confirmation regarding the alleged breach has been issued by the victim. Therefore, the incident should currently be assessed as an alleged but partially substantiated breach claim pending further validation.

Source: Underground forum

Assessment of Exposed Data:
Review of the file listings suggests the dataset may contain a variety of customer and operational records.

Observed references include:

  • Customer names and personal identifiers.
  • Indonesian National Identity Card (KTP) documentation.
  • Taxpayer Identification Numbers (NPWP).
  • Customer contracts and onboarding forms.
  • Passport-related records.
  • Internal document references and administrative identifiers.

Based on the available evidence, the dataset may include the following categories of information:

Data Category Potential Exposure
Customer Identification Data Names, KTP details, passport information, NPWP records
Banking Documentation Contracts, onboarding records, account-related documents
Financial Information Banking records and supporting customer documentation
Internal Operational Data Administrative files, document references, branch-related records

If validated, the exposure would represent a significant compromise of personally identifiable information (PII) and sensitive banking documentation.

Underground Activity Assessment:
The breach was advertised on an underground platform commonly used for the dissemination and monetization of compromised data. In addition to the breach announcement, the actor released sample evidence and provided access to a partial dataset through a Tor-based download location.

Current observations suggest that the activity is focused on demonstrating proof-of-possession and generating visibility for the breach claim. At the time of reporting, no evidence indicates widespread redistribution of the dataset across multiple underground forums or marketplaces.

Timeline of Events

Date Event
11 May 2026 TripleX publishes alleged Victim breach claim.
11 May 2026 Sample screenshots and file listings released.
11 May 2026 Tor-based download location for partial dataset published.

The precise date of compromise, intrusion duration, and method of access remain unknown.

Potential Impact Assessment:
If the breach is confirmed, affected customers could face elevated risks, including:

Customer Impact

  • Identity theft.
  • Financial fraud.
  • Social engineering attacks.
  • Credential abuse and account takeover attempts.
  • Targeted phishing campaigns leveraging exposed personal information.

Organizational Impact
For the victim, a confirmed compromise could result in:

  • Reputational damage and erosion of customer trust.
  • Regulatory scrutiny from Indonesian financial authorities.
  • Legal and compliance obligations related to personal data protection.
  • Increased costs associated with incident response, forensic investigation, and remediation activities.
  • Potential operational disruptions affecting customer-facing services and internal business functions.

Sector Impact
The incident forms part of a broader trend of alleged cyber activity targeting Indonesian financial institutions during 2026. If validated, the breach may indicate heightened threat actor interest in Indonesia’s banking sector and reinforce concerns regarding the protection of large-scale financial and identity repositories.

A confirmed compromise of a major state-owned bank could also increase regulatory attention across the financial sector, drive additional security assessments, and contribute to reduced public confidence in digital banking services.

Incident 2

Attribution Confidence: Medium
On 13 May 2026, a data broker advertised an alleged compromise of an Indonesian banking organization on an underground forum. The post claimed the sale of approximately 890,000 Mobile Banking accounts and a database containing 4.9 million records allegedly associated with Victim customers and internal banking data.

The actor published screenshots purportedly demonstrating the existence of the dataset and included sample records containing personally identifiable information (PII). At the time of analysis, the victim had not publicly confirmed the authenticity of the claims or the extent of any compromise.

Source: Underground forum

Threat Actor Assessment:
Data brokers appear to be active on underground data-trading forums where compromised databases, access credentials, and leaked records are advertised. Available intelligence indicates a financially motivated actor whose primary objective appears to be monetization of stolen information through direct sales or forum-based distribution.

At present, there is insufficient evidence to determine whether:

  • The actor conducted the intrusion independently
  • The data was acquired from a third-party broker.
  • The dataset was obtained from another threat actor.
  • The actor possesses direct access to Victim infrastructure.

Source: Underground forum

Breach Claim Validation:
Analysis of the published screenshots indicates that the threat actor possesses a structured dataset containing Indonesian-language fields and records that appear consistent with customer and employee-related information.

Observed sample fields include:
Customer Information

  • Name (nama)
  • Recipient information (penerima)
  • Account number (nomor rekening)
  • Gender (jenis kelamin)
  • Place of birth (tempat lahir)
  • Date of birth (tgl lahir)
  • Blood group (kode golongan)
  • Account identifier (nomor akun)

Source: Underground forum

Administrative/Internal Information:

  • Archive code (kode arsip)
  • Employee identifier (induk pegawai)
  • Description fields (keterangan)
  • Location information (lokasi)

The sample records exhibit structured formatting and appear internally consistent. However, the screenshots alone are insufficient to conclusively determine whether:

  • The data originates directly from Victim systems.
  • The dataset is current and complete.
  • The records have likely been aggregated from multiple sources.
  • The advertised volume accurately reflects the available data.

Therefore, the breach claim should currently be classified as partially substantiated but unverified, pending independent validation.

Source: Underground forum

Assessment of Exposed Data:
Based on the available samples, the dataset may contain a combination of:

Data Category Potential Exposure
Customer Information Names, demographic data, account identifiers
Banking Information Account numbers and banking-related records
Employee Information Internal identifiers and administrative records
Operational Data Archive references and location-related information

The threat actor claims possession of:

  • Approximately 890,000 banking accounts
  • Approximately 4.9 million database records
  • These figures remain unverified.

Underground Activity Assessment:
The breach advertisement was identified on an underground forum commonly used for the sale and exchange of stolen databases and unauthorized access.

Key observations include:

  • Public advertisement of alleged Victim data.
  • Publication of sample records.
  • Claims regarding database scale and customer coverage.
  • Attempts to establish credibility through screenshots.

At the time of analysis, no evidence has been identified indicating widespread redistribution of the dataset across multiple forums.

Timeline of Events:

Date Event
13 May 2026 Threat actor publishes breach advertisement on underground forum
13 May 2026 Sample records and screenshots released

The exact date of compromise remains unknown.

Potential Impact Assessment:
If validated, the exposure could create significant risks for victim customers and the wider Indonesian financial sector.

Customer Impact

  • Identity theft
  • Targeted phishing campaigns
  • Social engineering attacks
  • Account takeover attempts
  • Financial fraud

Organizational Impact

  • Reputational damage
  • Regulatory scrutiny
  • Compliance investigations
  • Customer trust erosion
  • Increased fraud management costs

Sector Impact:
The incident aligns with a broader pattern of alleged attacks targeting Indonesian financial institutions during 2026. If confirmed, it may indicate increased threat actor interest in banking organizations across the region and highlight potential systemic weaknesses within the financial sector’s digital ecosystem.

Incident 3

Attribution Confidence: Low
On 03 June 2026, a user published a post on an underground forum advertising a dataset described as a “Database Account of an Indonesian Bank. The post included a downloadable text file named “no rekening go id.txt”, which allegedly contained Indonesian banking-related account information.

Unlike the previously reported incidents, the threat actor/data broker did not provide evidence demonstrating direct access to Victim systems, nor were screenshots of internal databases, credentials, or administrative interfaces disclosed. The advertisement consisted primarily of a text-based dataset accompanied by limited supporting evidence.

Source: Underground forum

Threat Actor Assessment:
The actor appears to be a relatively low-profile underground forum participant with limited publicly observable activity. Based on available information, there is insufficient evidence to attribute the dataset to a sophisticated intrusion actor or organized cybercriminal group.

The actor’s posting behavior is more consistent with individuals sharing, trading, or repackaging datasets obtained from third-party sources rather than demonstrating direct compromise capabilities.

Given the limited intelligence available regarding the actor’s operational history, attribution confidence remains low.

Source: Underground forum

Breach Claim Validation:
Analysis of the advertisement and accompanying evidence does not currently support a conclusion that Victim infrastructure was directly compromised.

The advertised dataset appears to consist of a text file containing banking-related information, including references to account numbers (“Nomor Rekening”), a common field used throughout Indonesian banking systems.

Several alternative explanations remain plausible, including:

  • Data aggregation from publicly available sources.
  • Web scraping activities targeting Indonesian financial websites.
  • Collection of customer transaction records from third-party systems.
  • Historical data previously exposed through unrelated breaches.
  • Repackaged datasets circulating within underground communities.

At the time of analysis, no evidence has been identified linking the dataset directly to Victim’s internal systems, databases, or infrastructure.

Source: Underground forum

Assessment of Exposed Data:
Based on the available evidence, the dataset appears to contain:

Data Category Potential Exposure
Banking Information Account numbers (Nomor Rekening)
Transaction References Potential banking transaction identifiers
Financial Records Limited banking-related information
Administrative Data Unknown

The file format suggests a simple text-based export rather than a complete database dump. No evidence was observed indicating the exposure of:

  • Customer credentials
  • Authentication data
  • Internal Victim documents
  • Administrative accounts
  • Core banking databases

Consequently, the scope and sensitivity of the dataset remain uncertain.

Underground Activity Assessment:
The dataset was advertised on an underground forum as a downloadable file. Unlike the other two incidents (Incidents 1 and 2), no large-scale database screenshots, record counts, or claims of direct network access were observed.

The posting characteristics suggest the actor may be attempting to distribute or monetize a banking-related dataset without providing sufficient evidence to validate a direct compromise.

At the time of reporting:

  • No corroborating posts were identified.
  • No secondary marketplace listings were observed.
  • No evidence of active sales campaigns was identified.
  • No additional threat actors were found discussing the dataset.

The activity appears isolated and lacks the indicators typically associated with high-confidence breaches affecting the financial sector.

Timeline of Events:

Date Event
03 June 2026 Dataset advertised on underground forum.
03 June 2026 Downloadable text file released.

No information is available regarding the original collection date of the data.

Customer Impact
If the dataset contains legitimate banking information, affected individuals may face:

  • Targeted phishing attempts.
  • Social engineering attacks.
  • Fraud leveraging exposed account information.
  • Increased exposure to financial scams.

However, current evidence does not suggest widespread exposure of highly sensitive personal information.

Organizational Impact:
For Indonesian banks, potential impacts remain limited unless evidence emerges confirming direct compromise of internal systems.

Potential concerns include:

  • Reputational implications resulting from public breach claims.
  • Increased scrutiny from stakeholders and regulators.
  • Additional investigative and monitoring requirements.

Sector Impact:
Although the incident lacks strong indicators of a direct compromise, it highlights the continued interest of cybercriminal actors in Indonesian financial-sector data.

The publication of banking-related datasets can contribute to:

  • Increased phishing activity.
  • Fraud campaigns targeting Indonesian banking customers.
  • Reuse of exposed information across future cybercriminal operations.

At present, the incident presents a lower strategic risk than the other two cases due to the limited evidence supporting a direct intrusion.

Additional Relevant Banking and Financial Sector Incidents

During the course of the investigation, CYFIRMA identified context regarding the broader cyber threat landscape targeting Indonesia’s financial sector. These incidents were not selected for detailed analysis and should be considered supplementary intelligence. While these incidents did not warrant the same level of investigation as the primary Indonesia Bank cases, they provide valuable context regarding the broader threat landscape targeting Indonesia’s financial sector.

Government Department and Indonesia Bank Employee Database Leak (19 February 2026)

  • A threat actor advertised the alleged leak of a database associated with Indonesia’s government department and Indonesian Bank employees.
  • The actor described the dataset as a “massive database” and made it available free of charge on a dark web forum, potentially increasing its distribution among cybercriminals.
  • Potential Impact: The exposed information could facilitate targeted phishing, credential theft, social engineering, and impersonation attacks against affected personnel.

Source: Underground forum

Crypto trading platform Alleged Source Code Leak (09 April 2026)

  • A threat actor claimed to have compromised an Indonesian crypto trading platform and leaked the cryptocurrency exchange’s source code.
  • Sample file directory listings were shared to support the claim.
  • Potential Impact: Increased risk of exploit development, unauthorized access, and reputational damage.

Source: Underground forum

Banking sector organization in Indonesia alleged Database Leak (10 April 2026)

  • Threat actor advertised an alleged database containing approximately 24,000 employees and organizational records.
  • Exposed data reportedly includes names, email addresses, phone numbers, employee IDs, and departmental information.
  • Potential Impact: Social engineering, credential theft, and business email compromise (BEC).

Source: Underground forum

Indonesian Finance Services Alleged Database Leak (11 April 2026)

  • A threat actor advertised the alleged leak of 241 MB of data containing more than 400,000 records associated with GPSFinance.co.id.
  • The dataset reportedly includes customer KYC documents, loan applications, investment records, bank account information, and identity documents.
  • Potential Impact: Identity theft, financial fraud, account takeover, and targeted phishing campaigns.

Source: Underground forum

Indonesia Taxpayer Data Leak (17 April 2026)

  • A data broker advertised the sale of an alleged dataset containing approximately 10.6 million Indonesian taxpayer records for USD 5,000.
  • The dataset reportedly includes NIK numbers, NPWP numbers, addresses, contact details, and taxpayer information.
  • Potential Impact: Identity theft, tax-related fraud, and targeted phishing attacks.

Source: Underground forum

APT and Malware Threats Targeting Indonesia’s BFSI Sector in 2026

The Indonesian Banking, Financial Services, and Insurance (BFSI) sector continues to face increasing cyber risks from advanced persistent threat (APT) groups seeking to obtain sensitive financial information, strategic intelligence, and long-term access to critical networks. As digital banking adoption and fintech innovation accelerate across Indonesia, threat actors are leveraging sophisticated malware, phishing campaigns, and social engineering techniques to target financial institutions. The following section highlights notable APT groups and associated malware observed during 2026 that present relevant risks to Indonesia’s BFSI landscape.

Silver Fox

Silver Fox continued to expand its cyber espionage operations during the reporting period, conducting large-scale tax-themed phishing campaigns targeting organizations across India, Russia, Indonesia, South Africa, and Japan. The group leveraged phishing emails impersonating national tax authorities to deliver a customized RustSL loader, which deployed the ValleyRAT (Winos 4.0) backdoor and a newly identified Python-based malware named ABCDoor. The customized RustSL loader incorporated enhanced geofencing, payload encryption, anti-analysis capabilities, and the recently documented Phantom Persistence technique to establish long-term access while evading detection. ABCDoor introduced advanced remote administration capabilities, including screen streaming, clipboard collection, file management, process control, and automated persistence through the Windows Registry and Scheduled Tasks.

The campaign demonstrated Silver Fox’s continued evolution through the adoption of multi-stage infection chains, segmented command-and-control infrastructure, and increasingly sophisticated malware designed to support long-term intelligence collection against government, industrial, consulting, transportation, and financial organizations across the Asia-Pacific region.

Implications for Indonesia’s BFSI Sector

Silver Fox’s continued targeting of Indonesia and its demonstrated use of tax-themed phishing campaigns present a significant threat to the country’s BFSI sector. Financial institutions are particularly susceptible to socially engineered lures impersonating trusted government or regulatory entities, which can facilitate the deployment of ValleyRAT and ABCDoor for long-term compromise. The group’s advanced malware capabilities, including credential theft, remote administration, screen monitoring, persistence, and intelligence collection, could enable attackers to gain unauthorized access to banking systems, customer information, financial transactions, and other sensitive data.

As Indonesia continues to expand its digital banking and fintech ecosystem, Silver Fox’s evolving tradecraft increases the risk of prolonged espionage operations targeting strategically important financial organizations.

Target Industries: Banking and financial services, government agencies, industrial organizations, consulting firms, transportation providers, telecommunications companies, and other strategic enterprises across the Asia-Pacific region.

Primary Technologies Targeted: Windows operating systems, enterprise endpoints, corporate email environments, Microsoft Office documents, PDF readers, scheduled tasks, Windows Registry, and enterprise network infrastructure.

Initial Access Vectors: Tax-themed spear-phishing emails, malicious PDF documents containing download links, password-protected archives, malicious executables disguised as legitimate documents, and social engineering using government and regulatory-themed lures.

Key TTPs: Deployment of a customized RustSL loader, delivery of ValleyRAT (Winos 4.0) and ABCDoor, multi-stage malware execution, geofencing, anti-analysis and sandbox evasion, Phantom Persistence, Registry Run keys, Scheduled Tasks, command-and-control over HTTPS, screen capture, clipboard theft, credential access, and long-term persistence.

Motivations: Strategic cyber espionage, intelligence collection, credential theft, long-term access to targeted networks, monitoring of financial and government activities, and acquisition of sensitive financial, operational, and strategic information in support of Chinese state-aligned intelligence objectives.

Yara Rules

rule SilverFox_HighConfidence_2026
{
meta:
description = “High-confidence SilverFox infrastructure detection”
threat_actor = “SilverFox”

strings:
$a1 = “abc.fetish-friends.com” ascii wide
$a2 = “abc.3mkorealtd.com” ascii wide
$a3 = “abc.sudsmama.com” ascii wide
$a4 = “abc.woopami.com” ascii wide
$a5 = “abc.ilptour.com” ascii wide
$a6 = “abc.petitechanson.com” ascii wide
$a7 = “abc.doublemobile.com” ascii wide
$b1 = “mcagov.cc” ascii wide
$b2 = “roldco.com” ascii wide
$b3 = “abc.haijing88.com” ascii wide
$b4 = “vnc.kcii2.com” ascii wide
condition:
2 of them
}

Lotus Blossom (Spring Dragon / Billbug)

Lotus Blossom was observed conducting a sophisticated supply chain campaign between June and December 2025 by compromising the official hosting infrastructure of Notepad++. Rather than tampering with the software itself, the threat actor hijacked the application’s update mechanism, selectively redirecting update requests from targeted victims to attacker-controlled infrastructure.

The campaign primarily targeted government, telecommunications, critical infrastructure, and financial organizations across Southeast Asia, while additional victims were identified in the United States, Europe, and South America. Victims received malicious update packages that deployed Cobalt Strike Beacon or the Chrysalis backdoor through DLL sideloading and Lua script injection, enabling persistent remote access.

The operation demonstrated advanced victim profiling, infrastructure-level compromise, and selective targeting of privileged users such as system administrators and developers, highlighting the group’s focus on long-term cyber espionage rather than disruptive attacks.

Implications for Indonesia’s BFSI Sector

Lotus Blossom’s compromise of a trusted software update infrastructure demonstrates the growing risk of software supply chain attacks against Indonesia’s BFSI sector. Financial institutions relying on widely used enterprise applications could unknowingly deploy malicious updates, enabling attackers to gain privileged access to critical systems, establish long-term persistence, and conduct strategic intelligence collection.

The group’s focus on administrators and high-privilege users further increases the risk of compromise within banking environments, potentially exposing sensitive financial data, payment infrastructure, and internal network resources.

Target Industries: Government, financial services, telecommunications, cloud hosting, critical infrastructure, energy, manufacturing, and software development.

Target Technologies: Notepad++, WinGUp updater, Windows systems, DLL sideloading, NSIS installers, Bitdefender components.

Initial Access: Compromise of the Notepad++ update infrastructure, software supply chain attack, adversary-in-the-middle (AitM) interception of software update requests.

Key TTPs: Supply chain compromise, malicious software updates, DLL sideloading, Lua script injection, deployment of Cobalt Strike Beacon and Chrysalis backdoor, command-and-control communications, selective victim targeting, and long-term persistence.

Motivations: Strategic cyber espionage, long-term intelligence collection, compromise of privileged users and enterprise infrastructure, and covert access to organizations of geopolitical and economic interest.

Yara rules:

rule CYFIRMA_APT_LotusBlossom_NotepadPP_SupplyChain
{
meta:
description = “Detects Lotus Blossom (Spring Dragon/Billbug) Notepad++ supply chain campaign based on embedded infrastructure indicators”
author = “CYFIRMA”
threat_actor = “Lotus Blossom (Spring Dragon/Billbug)”
strings:
/* Domains */
$d1 = “skycloudcenter.com” ascii nocase
$d2 = “self-dns.it.com” ascii nocase
$d3 = “safe-dns.it.com” ascii nocase
$d4 = “cdncheck.it.com” ascii nocase
/* URLs */
$u1 = “/update/AutoUpdater.exe” ascii
$u2 = “/update/Upgrade.exe” ascii
$u3 = “/update/update.exe” ascii
$u4 = “/dpixel” ascii
$u5 = “/help/Get-Start” ascii
$u6 = “/resolve” ascii
$u7 = “/dns-query” ascii
/* IP Addresses */
$ip1 = “95.179.213.0” ascii
$ip2 = “45.76.155.202” ascii
$ip3 = “45.77.31.210” ascii
$ip4 = “45.32.144.255” ascii
$ip5 = “61.4.102.97” ascii
$ip6 = “59.110.7.32” ascii
condition:
(2 of ($d*)) or
(2 of ($ip*)) or
(2 of ($u*)) or
(1 of ($d*) and 1 of ($ip*)) or
(1 of ($d*) and 1 of ($u*)) or
(1 of ($ip*) and 1 of ($u*))
}

Mustang Panda

Mustang Panda continued to evolve its cyber espionage operations during the reporting period, deploying an updated version of the LOTUSLITE backdoor through DLL sideloading using a legitimate Microsoft-signed executable. The campaign marked a notable shift in the group’s targeting, moving from government-focused operations to Asia Pacific (India’s) banking sector through banking-themed lures before expanding to South Korean and U.S. policy and diplomatic organizations using spoofed identities and Google Drive-hosted payloads.

The updated LOTUSLITE variant incorporated enhancements to its command-and-control infrastructure, API resolution, persistence mechanisms, and execution flow while retaining the core architecture and functionality of earlier versions.

Strong code-level similarities, shared infrastructure, residual build artifacts, and consistent delivery tradecraft provide moderate-confidence attribution to Mustang Panda, highlighting the group’s continued refinement of its malware and sustained focus on long-term Chinese state-aligned cyber espionage against financial, government, and diplomatic entities.

Implications for Indonesia’s BFSI Sector

Mustang Panda’s demonstrated shift toward banking-focused campaigns highlights the growing risk to Indonesia’s BFSI sector, particularly as the group continues to refine its malware and delivery techniques. Its use of spear-phishing, trusted Microsoft-signed executables, DLL sideloading, and the evolving LOTUSLITE backdoor enables stealthy compromise, evasion of conventional security controls, and long-term persistence within enterprise environments.

These capabilities could be leveraged to target Indonesian banks, financial institutions, and fintech providers to obtain sensitive financial data, customer information, payment system access, and strategic economic intelligence through sustained cyber espionage operations.

Target Industries: Banking and financial services, government agencies, foreign affairs organizations, policy and research institutions, telecommunications providers, and other strategic organizations across the Asia-Pacific region.

Primary Technologies Targeted: Windows operating systems, Microsoft-signed executables vulnerable to DLL sideloading, enterprise endpoints, corporate email environments, and financial-sector IT infrastructure.

Initial Access Vectors: Spear-phishing emails, banking- and policy-themed social engineering lures, malicious CHM files, JavaScript downloaders, and DLL sideloading through legitimate signed executables

Key TTPs: Deployment of the LOTUSLITE backdoor via DLL sideloading, abuse of legitimate Microsoft-signed binaries, dynamic API resolution to evade detection, command-and-control communications over HTTPS, remote command execution, credential access, registry-based persistence, and long-term cyber espionage.

Motivations: Strategic cyber espionage, intelligence collection against financial and government organizations, acquisition of sensitive financial and geopolitical information, monitoring of policy developments, and support for long-term Chinese state-aligned intelligence objectives

Yara Rules:
rule MustangPanda_LOTUSLITE_HighConfidence
{
meta:
description = “High-confidence Mustang Panda LOTUSLITE detection”
threat_actor = “Mustang Panda”
strings:
$d1 = “editor.gleeze.com” ascii wide
$d2 = “www.cosmosmusic.com” ascii wide
$m1 = “mdseccoUkFuiCkTrump” ascii wide
$m2 = “1ac5e7ee1a107499” ascii wide
$p1 = “C:\\ProgramData\\Microsoft_DNX\\” ascii wide
condition:
2 of them
}

Amaranth-Dragon (APT41 Nexus) – Chinese State-Aligned

Amaranth-Dragon emerged as one of the most significant state-aligned threats affecting Indonesia during the reporting period. Active since at least March 2025, the group has conducted targeted espionage campaigns across Southeast Asia, tailoring its lures to local political and economic events.

On 18 August 2025, it targeted Indonesia with a malicious archive disguised as an official civil servant salary decree, exploiting public interest surrounding the government’s 8% salary increase and becoming the first observed threat actor to weaponize CVE-2025-8088, CVSS: 8.8, a WinRAR path traversal vulnerability, to establish persistence through the Windows Startup folder. In a subsequent campaign in early September 2025, the group distributed a password-protected RAR archive via Dropbox to deliver the Telegram-controlled TGAmaranth RAT. Across the region, Amaranth-Dragon also employed a custom Amaranth Loader alongside the Havoc command-and-control framework, using Cloudflare-fronted, geofenced infrastructure that responded only to victims in targeted countries.

The group’s tooling, infrastructure, and operational overlaps with APT41 suggest that these campaigns form part of a broader Chinese state-aligned cyber espionage effort focused on long-term strategic intelligence collection across Southeast Asia.

Implications for Indonesia’s BFSI Sector

Amaranth-Dragon’s campaigns targeting Southeast Asia, including Indonesia, demonstrate the group’s ability to tailor lures to local events, exploit zero-day vulnerabilities, and establish stealthy persistence on victim systems. These capabilities present a credible threat to Indonesia’s BFSI sector, where similar social-engineering techniques and malware could be used to compromise financial institutions, steal credentials, access sensitive financial data, and conduct long-term cyber espionage against organizations supporting the country’s financial ecosystem.

Target Industries: Government institutions and law enforcement agencies across Southeast Asia, including Indonesia.

Primary Target Technologies: WinRAR (CVE-2025-8088), Windows systems, Startup folder persistence mechanisms, Cloudflare-fronted infrastructure.

Initial Access: Spear-phishing with RAR archives using geopolitically and locally themed lures, such as a fake civil servant salary decree timed to Indonesia’s August 2025 salary increase.

Key TTPs: Exploitation of CVE-2025-8088 to drop malicious files into Startup folders, geofenced command and control that only responds to regional IP addresses, custom Amaranth Loader, Havoc C2 framework, Telegram-controlled TGAmaranth RAT, AES-encrypted payloads decrypted in memory.

Motivations: Long-term geopolitical intelligence collection against government and law enforcement targets, campaigns timed to coincide with sensitive local political developments and official decisions.

Yara Rules:

rule WinntiLinux_Dropper
{
sha256 = “4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a”
strings:
$config_decr = { 48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00 00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01 C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6 00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88 02 83 45 FC 01 }
$export1 = “our_sockets”
$export2 = “get_our_pids”
condition:
uint16(0) == 0x457f and all of them
}

Shadow Campaigns / TGR-STA-1030 / UNC6619

Shadow Campaigns was one of the most extensive state-aligned cyber espionage operations observed during the reporting period, with confirmed compromises in Indonesia forming part of a broader campaign spanning 37 countries and reconnaissance activity across 155 nations between November and December 2025.

Initially identified by Unit 42 during an investigation into phishing campaigns targeting European governments, the group demonstrated a strong operational focus on Asia and Oceania, particularly countries bordering the South China Sea and the Gulf of Thailand, including Indonesia, Thailand, and Vietnam. In Indonesia, the threat actor compromised an airline operating from Soekarno-Hatta International Airport, reportedly in connection with aircraft procurement interests, while also gaining access to law enforcement and airport-linked government systems associated with mining and aviation developments.

The operation leveraged Microsoft Exchange exploitation, Cobalt Strike, and a custom Linux rootkit, with intrusion activity consistently aligned with significant diplomatic and economic events, indicating a well-resourced adversary conducting long-term strategic intelligence collection rather than opportunistic attacks.

Implications for Indonesia’s BFSI Sector

Shadow Campaigns demonstrated the capability to conduct large-scale reconnaissance, exploit enterprise infrastructure, and maintain stealthy access across multiple countries, presenting a significant risk to Indonesia’s BFSI sector. Financial institutions could be targeted to obtain strategic economic intelligence, customer and financial transaction data, or information related to cross-border payments, trade finance, and investment activities.

The group’s practice of aligning operations with major economic and geopolitical developments also increases the likelihood of targeted intrusions against Indonesian banks and financial organizations during periods of significant financial, regulatory, or investment activity, enabling long-term espionage rather than immediate financial disruption.

Target Industries: Government ministries, law enforcement and border control, aviation, critical infrastructure, finance, and trade-related departments.

Target Technologies: Microsoft Exchange, SSH services, Linux systems, enterprise network infrastructure.

Initial Access: Exploitation of known vulnerabilities, phishing campaigns, targeted reconnaissance, and scanning of government infrastructure.

Key TTPs: Use of Cobalt Strike, custom Linux rootkit, Exchange exploitation, large scale reconnaissance preceding intrusion, targeting timed to align with economic and diplomatic developments such as mining and aviation procurement activity.

Motivations: Strategic, economic, and political intelligence collection, with confirmed compromise of an Indonesian airline at Soekarno Hatta International Airport linked to aircraft procurement interests, alongside access to law enforcement and airport-linked government systems.

Yara Rules:

rule CYFIRMA_APT_UNC6619_ShadowCampaigns_Indicators
{
meta:
description = “Detects UNC6619 (Shadow Campaigns / TGR-STA-1030) malware based on embedded infrastructure indicators”
author = “CYFIRMA”
threat_actor = “UNC6619 / Shadow Campaigns / TGR-STA-1030”
malware_family = “Cobalt Strike, ShadowGuard”
strings:
/* Domains */
$d1 = “abwxjp5.me” ascii nocase
$d2 = “brackusi0n.live” ascii nocase
$d3 = “dog3rj.tech” ascii nocase
$d4 = “emezonhe.me” ascii nocase
$d5 = “gouvn.me” ascii nocase
$d6 = “msonline.help” ascii nocase
$d7 = “pickupweb.me” ascii nocase
$d8 = “pr0fu5a.me” ascii nocase
$d9 = “q74vn.live” ascii nocase
$d10 = “servgate.me” ascii nocase
$d11 = “zamstats.me” ascii nocase
$d12 = “zrheblirsy.me” ascii nocase
/* IP Addresses */
$ip1 = “138.197.44.208” ascii
$ip2 = “142.91.105.172” ascii
$ip3 = “146.190.152.219” ascii
$ip4 = “157.230.34.45” ascii
$ip5 = “157.245.194.54” ascii
$ip6 = “159.65.156.200” ascii
$ip7 = “159.203.164.101” ascii
$ip8 = “178.128.60.22” ascii
$ip9 = “178.128.109.37” ascii
$ip10 = “188.127.251.171” ascii
$ip11 = “188.166.210.146” ascii
$ip12 = “208.85.21.30” ascii
condition:
2 of ($d*) or
2 of ($ip*) or
(1 of ($d*) and 1 of ($ip*))
}

Key Assessment
The cyber threat landscape targeting Indonesia’s BFSI sector is increasingly influenced by China-linked state-aligned threat groups employing sophisticated phishing campaigns, supply chain compromises, zero-day vulnerability exploitation, malware deployment, credential theft, and long-term cyber espionage. SilverFox has directly targeted Indonesian organizations through tax-themed phishing campaigns, while Amaranth-Dragon has leveraged Indonesia-specific lures and novel exploitation techniques to establish persistent access.

Mustang Panda has expanded its operations toward banking organizations across the Asia-Pacific region using refined malware and spear-phishing campaigns, highlighting the strategic value of financial institutions for intelligence collection. Lotus Blossom (Spring Dragon/Billbug) has demonstrated advanced software supply chain capabilities by compromising trusted update mechanisms to selectively target financial and government organizations across Southeast Asia.

Meanwhile, Shadow Campaigns (UNC6619/TGR-STA-1030) has conducted large-scale reconnaissance and strategic intrusions across the region, including confirmed compromises in Indonesia, highlighting its capability to target organizations of economic and strategic importance.

Collectively, these threat actors illustrate an increasingly sophisticated and persistent threat environment in which Indonesia’s BFSI sector faces sustained risks from cyber espionage, credential compromise, supply chain attacks, and long-term intelligence collection targeting sensitive financial and economic assets.

Ransomware Incidents 2026

On 4 April 2026, the ransomware group The Gentleman listed an Indonesian financial services company specializing in life insurance, health insurance, and pension fund management on its leak platform. The Data broker claimed to have compromised the organization’s systems and exfiltrated sensitive data, which was subsequently advertised for sale on the leak site.

Source: The Ransomware Leak Site

On 5 May 2026, the ransomware group ICARUS listed an Indonesian financial technology platform that provides digital cashier (POS) systems, digital school ecosystem services, and business payment solutions on its data leak site. The threat actor claimed to have compromised the organization and exfiltrated sensitive data, subsequently publishing the alleged breach on its leak portal.

Source: The Ransomware Leak Site

Geopolitical Assessment

Indonesia’s BFSI sector operated within a dynamic geopolitical environment throughout 2026, influenced by regional economic competition, accelerating digital transformation, and evolving cyber threats across the Indo-Pacific. As Southeast Asia’s largest economy and a key member of ASEAN, Indonesia continues to attract significant foreign investment and plays an increasingly important role in regional financial connectivity, digital payments, and fintech innovation. Concurrently, heightened strategic competition among major powers in the Indo-Pacific has increased the value of financial and economic intelligence, making financial institutions attractive targets for both cybercriminal and state-aligned threat actors.

Indonesia’s ongoing efforts to expand digital financial inclusion, strengthen its digital economy, and promote cross-border financial integration have accelerated the adoption of online banking, digital payments, and fintech services. While these initiatives support economic growth, they also expand the attack surface available to adversaries seeking access to sensitive financial, customer, and economic data. During 2026, the continued activity of advanced threat groups targeting banking and financial organizations across the Asia-Pacific region highlighted the growing intersection between cybersecurity, economic security, and geopolitical interests.

As a result, Indonesian BFSI organizations face an increasingly complex threat landscape where cyber incidents may be driven not only by financial gain but also by broader intelligence-gathering and strategic objectives, reinforcing the need for enhanced cyber resilience, threat intelligence, and risk management capabilities.

Conclusion

Indonesia’s BFSI sector remains a high-value target for both financially motivated cybercriminals and state-aligned threat actors seeking to obtain sensitive financial, customer, and strategic economic information.

The alleged data breach claims, ransomware incidents, and APT activity observed during 2026 collectively demonstrate a persistent and evolving threat landscape characterized by data theft, extortion, phishing, credential compromise, and long-term cyber espionage.

While the confidence associated with individual incidents varies, the overall trend highlights sustained adversary interest in Indonesia’s expanding digital banking and financial ecosystem.

As financial institutions continue to accelerate digital transformation and strengthen regional connectivity, enhancing cyber resilience through continuous threat intelligence, proactive vulnerability management, robust identity security, and effective detection and incident response capabilities will be critical to mitigating emerging threats and maintaining the security, stability, and trust of Indonesia’s financial sector.

Recommendations

Immediate Actions

  • Validate all reported breach claims (Indonesia banks and related fintech/insurance incidents) and confirm whether any internal systems, credentials, or datasets are exposed.
  • Increase monitoring for phishing, credential theft, and account takeover attempts, particularly campaigns using banking, tax, and regulatory-themed lures.
  • Actively track underground forums, dark web marketplaces, and Telegram channels for renewed listings, data redistribution, or monetization of Indonesian BFSI data.
  • Review privileged access accounts, third-party integrations, and externally exposed services for indicators of compromise or unauthorized access.
  • Strengthen customer and employee awareness programs focused on phishing, impersonation scams, and fraud attempts leveraging leaked or stolen data.

Strategic Recommendations

  • Strengthen sector-wide cyber resilience across Indonesian BFSI institutions through continuous threat intelligence integration and coordinated risk management.
  • Establish a unified data protection approach to safeguard customer PII, financial records, KYC data, and operational banking information.
  • Enhance collaboration between financial institutions, regulators, and cybersecurity stakeholders to improve intelligence sharing and coordinated response to breach activity.
  • Develop proactive cyber threat intelligence and threat-hunting capabilities focused on APT activity (e.g., SilverFox, Mustang Panda) and ransomware ecosystems.
  • Incorporate geopolitical risk considerations into cybersecurity strategy, given increasing alignment of cyber activity with regional intelligence and espionage objectives.

Operational Recommendations

  • Conduct frequent vulnerability assessments and penetration testing of core banking systems, fintech platforms, payment services, and internet-facing applications.
  • Enforce strong identity security controls, including multi-factor authentication (MFA), privileged access management (PAM), and strict least-privilege enforcement.
  • Integrate APT and ransomware indicators (SilverFox, Mustang Panda, ICARUS and The Gentleman) into SIEM, EDR, and SOC detection systems.
  • Strengthen third-party and supply chain security oversight, particularly for fintech providers, payment processors, and service vendors.
  • Enhance incident response readiness through simulation exercises based on data theft, ransomware, and phishing-led intrusion scenarios.
  • Ensure rapid patching and configuration hardening of externally exposed systems to reduce exploitation opportunities.

Tactical Recommendations

  • Deploy detection rules for abnormal login behavior, credential stuffing, account enumeration, and unauthorized access attempts.
  • Rotate and revoke exposed credentials, API keys, and service accounts where compromise is suspected or confirmed.
  • Strengthen endpoint and network monitoring using EDR/NDR solutions to detect persistence mechanisms, malware activity, and lateral movement.
  • Use threat intelligence indicators derived from observed campaigns (APT phishing, LOTUSLITE backdoor activity, ransomware leak patterns) to improve early detection and response capabilities.