{"id":5802,"date":"2026-04-12T11:11:04","date_gmt":"2026-04-12T04:11:04","guid":{"rendered":"https:\/\/chongluadao.vn\/blog\/?p=5802"},"modified":"2026-04-12T13:24:02","modified_gmt":"2026-04-12T06:24:02","slug":"lua-dao-no-le-va-maas","status":"publish","type":"post","link":"https:\/\/chongluadao.vn\/blog\/en\/2026\/04\/lua-dao-no-le-va-maas\/","title":{"rendered":"Scams, slavery, and MaaS: Tracing Trojans to scam hubs in Cambodia."},"content":{"rendered":"<p>Financial scams and malware-assisted remote access attacks are on the rise, as industrial-scale fraud operations continue to proliferate in Southeast Asia. Many countries in the region have issued official warnings over the past three years. However, tracing specific malware strains back to these notorious complexes remains a difficult challenge to this day.<\/p>\n\n\n\n<p>In collaboration with the Threat Intel expert team at <a href=\"https:\/\/www.infoblox.com\/\" target=\"_blank\" rel=\"noopener\">Infoblox<\/a>, a cybersecurity company headquartered in California, USA, Ch\u1ed1ng L\u1eeba \u0110\u1ea3o (Anti-Phishing) <a href=\"https:\/\/chongluadao.vn\/blog\/en\/posts\/chong-lua-dao-tham-gia-cuoc-dieu-tra-toan-cau-ve-vu-khi-moi-cua-toi-pham-lua-dao:-ai-ma-doc-va-con-bao-hoan-hao\/\">conducted an investigation<\/a> into an Android trojan operating from multiple locations, including the K99 Triumph City complex in Cambodia. 
This conclusion was reached based on technical analysis, testimony from escapees, and evidence obtained from within the complex by the victims of human trafficking themselves.<\/p>\n\n\n\n<p>This complex has been widely recognized by the United Nations and numerous other organizations as a fraud hub with links to high-ranking, powerful politicians, one that uses forced labor to operate large-scale malicious text messaging, calling, and email campaigns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The premise of the investigation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Malware-as-a-Service platform detected.<\/h3>\n\n\n\n<p>A sudden surge in DNS queries from customers&#039; cloud environments led Infoblox experts to discover a type of malware. Through analysis, the experts identified it as a sophisticated <strong><a href=\"https:\/\/chongluadao.vn\/blog\/en\/maas\/\">Malware-as-a-Service (MaaS)<\/a><\/strong> platform with the capability to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor all activity on the victim&#039;s device in real time.<\/li>\n\n\n\n<li>Steal login credentials and biometric data (fingerprints, facial recognition).<\/li>\n\n\n\n<li>Block SMS messages and calls.<\/li>\n\n\n\n<li>Access cameras and microphones remotely.<\/li>\n\n\n\n<li>Install additional malware after infiltrating the device.<\/li>\n\n\n\n<li>Control all infected devices remotely using professional monitoring software.<\/li>\n<\/ul>\n\n\n\n<p>Experts have also discovered hundreds of domain names used to attack victims, many of which were cleverly designed to impersonate government agencies. These DNS anomalies were first noted a year ago, but traces of this Trojan may date back to at least 2023.<\/p>\n\n\n\n<p>An estimated 35 new domain names are registered each month. Among the customers using the solution 
<em>Infoblox Threat Defense Cloud<\/em>, the areas most severely affected were Southeast Asia, Europe, and Latin America. The highest query volumes were recorded from clients in Indonesia, Thailand, Spain, and Turkey, indicating the global reach and impact of this group of actors.<\/p>\n\n\n<style>.kb-image5802_328e2a-01.kb-image-is-ratio-size, .kb-image5802_328e2a-01 .kb-image-is-ratio-size{max-width:730px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_328e2a-01.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_328e2a-01 .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_328e2a-01 figure{max-width:730px;}.kb-image5802_328e2a-01 .image-is-svg, .kb-image5802_328e2a-01 .image-is-svg img{width:100%;}.kb-image5802_328e2a-01 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_328e2a-01\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"780\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/SCAMS_map-Artboard_1.BIRdhg3M.png\" alt=\"\" class=\"kb-img wp-image-5804\"\/><figcaption><strong>Figure 1.<\/strong><em> Countries affected by the related malware cluster, as identified by Infoblox.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>Further investigation revealed overlaps in infrastructure and behavior between this MaaS platform and the past activities of the identified threat actors <strong>Vigorish Viper<\/strong> and <strong>Vault Viper<\/strong>. These connections reveal a large-scale, multilingual phishing campaign targeting victims in at least 21 countries across 4 continents (as shown in Figure 1).<\/p>\n\n\n\n<p>Based on linguistic cues, infrastructure patterns, and operational characteristics, experts assess that this malware most likely belongs to an unidentified Chinese-speaking MaaS administrator. 
This individual currently provides services to numerous phishing operations in the Greater Mekong Subregion, which is used as a base for distributing malware and carrying out online scams. There have been numerous reports of forced labor in this region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Evidence from inside the fraudulent complex.<\/h3>\n\n\n\n<p>From a number of victims who were held captive and forced to commit fraud inside the <strong>K99 Triumph City<\/strong> complex, <strong><a href=\"http:\/\/chongluadao.vn\/blog\/en\/\">Anti-Phishing<\/a><\/strong> gathered the evidence needed to establish a link to this specific Trojan family. Key details about the scams&#039; internal workings, provided by the escapees, along with malware analysis from Anti-Phishing, paved the way for the investigation team to delve deeper and monitor their activities in real time.<\/p>\n\n\n\n<p>The experts witnessed first-hand the alarming level of intrusion this trojan achieves: it hands the attacker full control of the infected device, allowing them to monitor the victim and steal data directly. In addition, the investigation team found evidence of C2 (Command and Control) panels segmented by target country (for example, \u201cIndonesia Group,\u201d \u201cBrazil Group,\u201d \u201cEgypt Group\u201d), and in some cases by the names of individual \u201ccustomers.\u201d 
This points to a well-organized operational hierarchy with tightly coordinated management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">DNS origins and patterns<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Abnormal DNS queries<\/h3>\n\n\n\n<p>In March 2025, experts from Infoblox observed a surge in customer queries (Figure 2), along with a sharp increase in domain name registrations. Data showed that the majority of affected customers were in Southeast Asia, Europe, and Latin America, with the highest query traffic coming from Indonesia, Thailand, Spain, and Turkey. 
These unusual signs prompted them to investigate, ultimately leading to the discovery of an Android banking Trojan.<\/p>\n\n\n<style>.kb-image5802_c3aa0e-6d.kb-image-is-ratio-size, .kb-image5802_c3aa0e-6d .kb-image-is-ratio-size{max-width:812px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_c3aa0e-6d.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_c3aa0e-6d .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_c3aa0e-6d figure{max-width:812px;}.kb-image5802_c3aa0e-6d .image-is-svg, .kb-image5802_c3aa0e-6d .image-is-svg img{width:100%;}.kb-image5802_c3aa0e-6d .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_c3aa0e-6d\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2085\" height=\"867\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/querry-doc-hai.png\" alt=\"\" class=\"kb-img wp-image-5807\"\/><figcaption><strong>Figure 2. <\/strong>DNS query traffic related to the malware in Infoblox Threat Defense Cloud&#039;s customer networks, January to December 2025. <em>Source: Infoblox<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>This campaign is still highly active, with approximately 35 new domain names registered each month. 
The attackers use both domains generated by a Registered Domain Generation Algorithm (RDGA) and lookalike domains, which are designed to impersonate legitimate organizations and public services in order to distribute malware.<\/p>\n\n\n\n<p>These domain names are cleverly designed to impersonate banks, pension funds, social security organizations, utility providers (electricity, water), as well as tax, immigration, telecommunications, and law enforcement agencies. The table below provides some examples.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Domain name<\/strong><\/th><th><strong>Impersonated target (Country\/Organization)<\/strong><\/th><\/tr><\/thead><tbody><tr><td>vsgo[.]cc<\/td><td>Philippine Social Security System<\/td><\/tr><tr><td>nmxgo[.]cc<\/td><td>South African police<\/td><\/tr><tr><td>orgo[.]cc<\/td><td>Indonesian State Pension Fund<\/td><\/tr><tr><td>idphil[.]net<\/td><td>Philippine Department of Information and Communications<\/td><\/tr><tr><td>immigration-kr[.]net<\/td><td>Korean Immigration Office<\/td><\/tr><tr><td>openbank-es[.]com<\/td><td>Openbank Spain<\/td><\/tr><tr><td>googleplay[.]djppajakgoid[.]com<\/td><td>Indonesian Tax Directorate<\/td><\/tr><tr><td>cedula-registraduria-gov[.]org<\/td><td>National Civil Registry of Colombia<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Infrastructure analysis and domain acquisition methods<\/h3>\n\n\n\n<p>Figure 3 below shows some examples of the bait pages used. 
Recently, the scope of this phishing campaign has expanded in both target sectors and geography, with bait pages now targeting airlines and e-commerce platforms, and extending to countries in Africa and Latin America.<\/p>\n\n\n<style>.kb-image5802_3e0b88-c8.kb-image-is-ratio-size, .kb-image5802_3e0b88-c8 .kb-image-is-ratio-size{max-width:808px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_3e0b88-c8.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_3e0b88-c8 .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_3e0b88-c8 figure{max-width:808px;}.kb-image5802_3e0b88-c8 .image-is-svg, .kb-image5802_3e0b88-c8 .image-is-svg img{width:100%;}.kb-image5802_3e0b88-c8 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_3e0b88-c8\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"284\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure3.png\" alt=\"\" class=\"kb-img wp-image-5812\"\/><figcaption><strong>Figure 3.<\/strong> Screenshots of bait pages used to spread malware, impersonating organizations such as the Brazilian Federal Tax Service, the airline Ryanair, the bank Openbank, and the South African Police Agency. <em>Source: Infoblox<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>Experts analyzed 400 decoy domains registered in 2025 that were used for phishing and malware infection. 
Evidence suggests these domains were part of a coordinated and centrally managed campaign, designed to be scalable and resilient to takedowns.<\/p>\n\n\n\n<p>Domain registrations for the decoy pages are concentrated at Hong Kong-based registrars such as Dominet (64%), Domain International Services (10%), and Namemart (formerly Domain International Services, 7%), which together account for 81% of the identified infrastructure (Figure 4). This actor group strongly favors top-level domains (TLDs) such as <code>.com<\/code>, <code>.top<\/code>, and <code>.cc<\/code>, which account for approximately 86% of all domain names. Most of these domains are hidden behind Cloudflare&#039;s service.<\/p>\n\n\n<style>.kb-image5802_542b8a-de.kb-image-is-ratio-size, .kb-image5802_542b8a-de .kb-image-is-ratio-size{max-width:683px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_542b8a-de.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_542b8a-de .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_542b8a-de figure{max-width:683px;}.kb-image5802_542b8a-de .image-is-svg, .kb-image5802_542b8a-de .image-is-svg img{width:100%;}.kb-image5802_542b8a-de .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_542b8a-de\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2135\" height=\"993\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/hinh-3.png\" alt=\"\" class=\"kb-img wp-image-5813\"\/><figcaption><strong>Figure 4.<\/strong> Distribution of decoy domain registrars. 
<em>Source: Infoblox<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>There is a clear strategy in domain name creation: a 2- to 5-character prefix followed by a carefully chosen suffix, usually \u2018<code>go<\/code>\u2019 or \u2018<code>gov<\/code>\u2019. This is most likely intended to mimic legitimate government top-level domains such as <code>.go<\/code> and <code>.gov<\/code>, supporting social engineering and the impersonation of government agencies. In some cases, domain names also include geographically specific suffixes such as \u2018<code>ph<\/code>\u2019, \u2018<code>th<\/code>\u2019 and <strong>\u2018<code>vn<\/code>\u2019<\/strong> (Vietnam), as well as longer suffixes such as \u2018<code>ind<\/code>\u2019, \u2018<code>mxco<\/code>\u2019, \u2018<code>Peru<\/code>\u2019 and \u2018<code>Africa<\/code>\u2019.<\/p>\n\n\n\n<p>The domain names used for the C2 control system and other administration panels follow slightly different naming conventions and use TLDs such as <code>.top<\/code>, <code>.xyz<\/code>, <code>.vip<\/code>, and <code>.pro<\/code>, with a clear preference for <code>.top<\/code> (39 of the 42 active C2 domains). All C2 domains use the registrars Domain International Services and Namemart, and the name servers of DomainNameDNS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attack chain<\/h2>\n\n\n\n<p>The attack involves multiple stages and uses a highly customizable toolkit, allowing for the creation of various malware variants (Figure 5). 
Through various deceptive tactics, users are redirected to a fake website impersonating reputable services, often those related to banks or government agencies.<\/p>\n\n\n<style>.kb-image5802_8a684d-de .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_8a684d-de\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2724\" height=\"865\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/Attack-chain-1.png\" alt=\"\" class=\"kb-img wp-image-5816\"\/><figcaption><strong>Figure 5.<\/strong> Simplified attack sequence model of a banking Trojan (APK file).<\/figcaption><\/figure><\/div>\n\n\n\n<p>These bait pages prompt users to download a mobile application. The website uses Base64-encoded JavaScript code to distribute a Trojan file as a 23MB APK. When the user clicks the download button, this code downloads the file in chunked segments while displaying a fake progress bar, ultimately leading to the installation of malware on the device.<\/p>\n\n\n\n<p>After the APK file is executed, the application will display a fake login screen, similar to the examples in Figure 6. 
The actual login interface will vary depending on the specific objectives of each attack campaign.<\/p>\n\n\n<style>.kb-image5802_7cce53-5b.kb-image-is-ratio-size, .kb-image5802_7cce53-5b .kb-image-is-ratio-size{max-width:711px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_7cce53-5b.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_7cce53-5b .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_7cce53-5b figure{max-width:711px;}.kb-image5802_7cce53-5b .image-is-svg, .kb-image5802_7cce53-5b .image-is-svg img{width:100%;}.kb-image5802_7cce53-5b .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_7cce53-5b\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"496\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure6.png\" alt=\"\" class=\"kb-img wp-image-5817\"\/><figcaption><strong>Figure 6.<\/strong> Screenshots of fake login interfaces after installation, impersonating the Electricity Generating Authority of Thailand, the Brazilian Federal Tax Service, and LATAM Airlines. <em>Source: Infoblox<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>Once installed, the malware operates as a multi-purpose banking Trojan with a wide range of surveillance and intrusion capabilities. As shown in Figure 7, the malware&#039;s core functions include: real-time remote control, SMS and call interception, camera and microphone access, credential collection, and the ability to install additional malware. 
It also contains a comprehensive device fingerprinting module to systematically collect detailed hardware and system information, then compile and send it to the attacker&#039;s C2 server.<\/p>\n\n\n<style>.kb-image5802_7a08d3-04.kb-image-is-ratio-size, .kb-image5802_7a08d3-04 .kb-image-is-ratio-size{max-width:624px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_7a08d3-04.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_7a08d3-04 .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_7a08d3-04 figure{max-width:624px;}.kb-image5802_7a08d3-04 .image-is-svg, .kb-image5802_7a08d3-04 .image-is-svg img{width:100%;}.kb-image5802_7a08d3-04 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_7a08d3-04\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"375\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure7.png\" alt=\"\" class=\"kb-img wp-image-5818\"\/><figcaption><strong>Figure 7.<\/strong> <em>The core functions of the malware were analyzed by Anti-Phishing experts.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Inside the malware<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Analyzing attack patterns<\/h3>\n\n\n\n<p>As shown in Figures 8 and 9, upon reviewing the source code, Anti-Phishing experts observed that some early samples included hardcoded information such as IP addresses, ports, login APIs, decryption keys, and other data; whereas later samples used an internal decryption function to dynamically retrieve IP addresses during execution, eliminating any static traces from the source code. 
This change, combined with updated timestamps in <code>BuildConfig<\/code>, indicates that the malware is still under active development.<\/p>\n\n\n<style>.kb-image5802_4acf81-7d.kb-image-is-ratio-size, .kb-image5802_4acf81-7d .kb-image-is-ratio-size{max-width:666px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_4acf81-7d.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_4acf81-7d .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_4acf81-7d figure{max-width:666px;}.kb-image5802_4acf81-7d .image-is-svg, .kb-image5802_4acf81-7d .image-is-svg img{width:100%;}.kb-image5802_4acf81-7d .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_4acf81-7d\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"347\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure8.png\" alt=\"\" class=\"kb-img wp-image-5820\"\/><figcaption><strong>Figure 8.<\/strong> The build configuration displays the C2 server&#039;s IP address and other hardcoded data.<\/figcaption><\/figure><\/div>\n\n\n<style>.kb-image5802_c7dfe8-4d.kb-image-is-ratio-size, .kb-image5802_c7dfe8-4d .kb-image-is-ratio-size{max-width:575px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_c7dfe8-4d.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_c7dfe8-4d .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_c7dfe8-4d figure{max-width:575px;}.kb-image5802_c7dfe8-4d .image-is-svg, .kb-image5802_c7dfe8-4d .image-is-svg img{width:100%;}.kb-image5802_c7dfe8-4d .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_c7dfe8-4d\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"496\" 
src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure9.png\" alt=\"\" class=\"kb-img wp-image-5819\"\/><figcaption><strong>Figure 9.<\/strong> Another malware sample no longer displays the hardcoded C2 IP address.<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Tracing C2 servers<\/h3>\n\n\n\n<p>Given the weak operational security (OPSEC) of the older samples, it was reasonable to expect other mistakes as well. It didn&#039;t take long for Anti-Phishing to find a C2 server exposed due to a lack of proper access controls. This allowed investigators to monitor the activity of multiple operators and directly observe the infection process and attacker behavior in real time.<\/p>\n\n\n\n<p>Through access to the exposed infrastructure, experts observed that the operators were deploying customizable permission request dialogs and app overlay screens to deceive victims. At the same time, they extracted a range of data, including contacts, notes, photos, SMS messages, and call logs, which could be used immediately to support further attacks. The operators also used a web-based admin panel to manage multiple infected devices simultaneously, with different workflows depending on the specific victim.<\/p>\n\n\n\n<p>As shown in Figure 10, during the operation the victim sees an overlay screen requesting digital verification or electronic identification (KYC), while the attacker simultaneously activates biometric data collection in the background. The facial recognition data is then used to log into the victim&#039;s online banking application without their knowledge. 
By intercepting the SMS OTP code from the bank, the operator gains full access to the victim&#039;s bank account and can transfer funds wherever they want.<\/p>\n\n\n<style>.kb-image5802_dcc3c9-cc.kb-image-is-ratio-size, .kb-image5802_dcc3c9-cc .kb-image-is-ratio-size{max-width:761px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_dcc3c9-cc.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_dcc3c9-cc .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_dcc3c9-cc figure{max-width:761px;}.kb-image5802_dcc3c9-cc .image-is-svg, .kb-image5802_dcc3c9-cc .image-is-svg img{width:100%;}.kb-image5802_dcc3c9-cc .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_dcc3c9-cc\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"433\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure10.png\" alt=\"\" class=\"kb-img wp-image-5821\"\/><figcaption><strong>Figure 10.<\/strong> Screenshots taken during the Anti-Phishing investigation: 1) The operator instructs a victim in the Philippines, via Facebook Messenger, to install a malicious APK file hosted at the domain <code>sss.oiago[.]cc<\/code>; 2) The operator then deploys a fake KYC verification screen; 3) and 4) The operator withdraws the victim&#039;s funds from BBVA Mexico.<\/figcaption><\/figure><\/div>\n\n\n\n<p>This MaaS administrator uses specific subdomains, including \u2018<code>kef<\/code>\u2019, \u2018<code>ador<\/code>\u2019, \u2018<code>rpc<\/code>\u2019, as well as \u2018<code>admin<\/code>\u2019 and \u2018<code>apim<\/code>\u2019, for the C2 servers and the various Android application management panels. 
The use of these regular subdomain patterns allowed the experts to create \u201cidentification signatures\u201d to discover additional command-and-control (C2) servers. These servers are often set up to serve several criminal groups at once. The system includes a series of C2 panels classified by target country (such as the Indonesia, Brazil, and Egypt groups), or by the name of each individual customer renting the service. This demonstrates a highly professional and tightly coordinated operation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Management infrastructure analysis<\/h3>\n\n\n\n<p>Further analysis revealed specialized subsystems used to develop modified banking applications, perform reverse engineering, test facial recognition, and bypass malware detection mechanisms. They even integrated AI chatbots and deepfake technology into the attack process. 
Figures 11 and 12 illustrate this point.<\/p>\n\n\n<style>.kb-image5802_a1d6bf-db .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_a1d6bf-db\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"247\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure11.png\" alt=\"\" class=\"kb-img wp-image-5825\"\/><figcaption><strong>Figure 11.<\/strong> Screenshots of sample admin panels for specialized campaigns targeting Thailand and Africa.<\/figcaption><\/figure><\/div>\n\n\n<style>.kb-image5802_7a1a38-2b .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_7a1a38-2b\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"308\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure12.png\" alt=\"\" class=\"kb-img wp-image-5824\"\/><figcaption><strong>Figure 12<\/strong>. Screenshots of the control panels for managing facial recognition and AI tools.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Upon closer analysis of the MaaS administrator&#039;s APK management platform (which, ironically, resides on the domain <code>safeapk[.]xyz<\/code>), Anti-Phishing experts discovered numerous custom applications designed to impersonate organizations in Thailand. As shown in Figure 13, this list includes fake applications impersonating Thai Airways, Kasikorn Bank, LX International, the Office of the Insurance Commission (OIC), and the Tourism Authority of Thailand. 
These findings are consistent with attack campaigns previously documented through DNS record history.<\/p>\n\n\n<style>.kb-image5802_87f14d-6e.kb-image-is-ratio-size, .kb-image5802_87f14d-6e .kb-image-is-ratio-size{max-width:820px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_87f14d-6e.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_87f14d-6e .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_87f14d-6e figure{max-width:820px;}.kb-image5802_87f14d-6e .image-is-svg, .kb-image5802_87f14d-6e .image-is-svg img{width:100%;}.kb-image5802_87f14d-6e .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_87f14d-6e\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"864\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure13.png\" alt=\"\" class=\"kb-img wp-image-5823\"\/><figcaption><strong>Figure 13.<\/strong> A screenshot of an APK management panel.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Analysis of the infrastructure and related domains reveals that the same system has been used for a range of activities, including phishing, cryptocurrency investment scams, and <a href=\"https:\/\/chongluadao.vn\/blog\/en\/pigbutchering\/\" target=\"_blank\" rel=\"noreferrer noopener\">pig butchering<\/a>. 
They used domain names such as <code>lx-yindu[.]top<\/code> and <code>orbiixtrade[.]com<\/code> to impersonate the Supreme Court of India and the Thai cryptocurrency trading platform Orbix (Figure 14); the fake Indian court domain was named in an official announcement by the Government of India.<\/p>\n\n\n<style>.kb-image5802_f733ee-ea.kb-image-is-ratio-size, .kb-image5802_f733ee-ea .kb-image-is-ratio-size{max-width:738px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_f733ee-ea.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_f733ee-ea .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_f733ee-ea figure{max-width:738px;}.kb-image5802_f733ee-ea .image-is-svg, .kb-image5802_f733ee-ea .image-is-svg img{width:100%;}.kb-image5802_f733ee-ea .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_f733ee-ea\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1558\" height=\"582\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure14.png\" alt=\"\" class=\"kb-img wp-image-5822\"\/><figcaption><strong>Figure 14.<\/strong> Screenshots of example phishing and investment scam (pig butchering) websites.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">OPSEC is really difficult (especially when it comes to forced labor).<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The victims speak from inside.<\/h3>\n\n\n\n<p>By the end of 2025, some of the detainees had contacted <strong><a href=\"http:\/\/chongluadao.vn\/blog\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\">Anti-Phishing<\/a><\/strong> to ask for rescue from a complex in Sihanoukville, Cambodia, a cybercrime hub with 
li\u00ean h\u1ec7 v\u1edbi nh\u00f3m <strong>Vigorish Viper<\/strong>. These individuals claim they were beaten and tortured with electric shocks for failing to meet performance targets. This accusation is entirely consistent with reports from the United Nations and numerous other organizations that have documented similar incidents in the region in recent years.<\/p>\n\n\n\n<p>After being successfully rescued from the K99 complex, the victims provided the investigation team with crucial evidence: from private group chat logs and screenshots to other relevant data. This material not only reinforced previous findings but also confirmed the existence of malware distribution and phishing as a service (MaaS) operations running on the relevant infrastructure. Notably, the evidence obtained showed that several domains in Infoblox&#039;s initial data cluster (Figure 15) were directly used in the phishing campaigns, thus providing a solid basis for concluding that the entire discovery chain is directly related to the K99 location (Figure 16).<\/p>\n\n\n<style>.kb-image5802_13d4e0-83 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_13d4e0-83\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"458\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure15.png\" alt=\"\" class=\"kb-img wp-image-5829\"\/><figcaption><strong>Figure 15.<\/strong> Screenshots of domain names used to impersonate the Ministry of Public Security, the Ministry of Finance, and the General Department of Taxation were distributed to operators in private chat groups of the scam network based at K99 Triumph City, Sihanoukville, Cambodia.<\/figcaption><\/figure><\/div>\n\n\n<style>.kb-image5802_6b23ec-cf.kb-image-is-ratio-size, .kb-image5802_6b23ec-cf 
.kb-image-is-ratio-size{max-width:747px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_6b23ec-cf.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_6b23ec-cf .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_6b23ec-cf figure{max-width:747px;}.kb-image5802_6b23ec-cf .image-is-svg, .kb-image5802_6b23ec-cf .image-is-svg img{width:100%;}.kb-image5802_6b23ec-cf .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_6b23ec-cf\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"370\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure16.png\" alt=\"\" class=\"kb-img wp-image-5828\"\/><figcaption><strong>Figure 16.<\/strong> A message from a detained victim to Anti-Fraud requesting rescue from a location identified as K99 Triumph City in Sihanoukville, Cambodia.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Experts examined the work device of one of the victims and found target profiles built from personal data and detailed business information, along with pre-written attack scripts and forged government documents used for social engineering. Notably, a fake government notice about a new digital identity program and a VAT reduction for registered Vietnamese businesses was sent to the targeted business owners and employees. 
Related campaigns impersonated dozens of other public services, from utility providers to law enforcement agencies.<\/p>\n\n\n<style>.kb-image5802_6bf0f8-df.kb-image-is-ratio-size, .kb-image5802_6bf0f8-df .kb-image-is-ratio-size{max-width:781px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_6bf0f8-df.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_6bf0f8-df .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_6bf0f8-df figure{max-width:781px;}.kb-image5802_6bf0f8-df .image-is-svg, .kb-image5802_6bf0f8-df .image-is-svg img{width:100%;}.kb-image5802_6bf0f8-df .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_6bf0f8-df\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"457\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure17.png\" alt=\"\" class=\"kb-img wp-image-5831\"\/><figcaption><strong>Figure 17.<\/strong> Screenshot of an insider&#039;s work device at K99 Triumph City.<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">The fraud and asset-theft process<\/h3>\n\n\n\n<p>According to escapees&#039; accounts, operators first contact their targets by phone using <strong>eyeBeam<\/strong> (a VoIP softphone), posing as government officials. They then move the conversation to the popular messaging app <strong>Zalo<\/strong> and send a link or QR code that leads the victim to a lure page (as described above). There, the victim is told to install a malicious APK and grant it extensive permissions on the device, and to ignore any security warnings the system raises.<\/p>\n\n\n\n<p>The operator then closely monitors the infected device before using the harvested credentials to log in to the victim&#039;s banking app. They intercept the one-time password (OTP) delivered by SMS to pass identity verification, and finally steer the victim through a biometric (facial recognition) check on a professional-looking overlay screen. By this point the victim is convinced that every step is required to comply with the \u201cnew government program\u201d.<\/p>\n\n\n\n<p>The harsh reality is that the victim has just completed the final step in handing the scammer full access to their online banking account. 
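<\/p>\n\n\n\n<p>The capability set this chain relies on (SMS access for the OTP, an overlay for the fake KYC screen, an accessibility service for remote control, camera and microphone, and the ability to install further packages) is declared in the app&#039;s manifest before it ever runs, so it can be checked at triage time. The Python script below is an added example for this article, not code from the original post or from Infoblox or Ch\u1ed1ng L\u1eeba \u0110\u1ea3o: it scores a decoded AndroidManifest.xml (as produced by apktool, for instance) against that capability set. The sample manifests and the package names in them are constructed for illustration.<\/p>

```python
"""Static triage of a decoded AndroidManifest.xml against the capability set the
article describes: SMS/OTP interception, a fake-KYC overlay, accessibility-based
remote control, camera/microphone access and dropping further APKs.

Added example; not code from the original post, Infoblox or Chong Lua Dao.
Assumes the manifest was already decoded to plain XML (apktool does this).
The sample manifests and package names below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Capability -> Android permissions that grant it. Any one match is enough.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_control": {"android.permission.ANSWER_PHONE_CALLS", "android.permission.CALL_PHONE",
                     "android.permission.READ_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "camera_mic": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "dropper": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(root):
    """All <uses-permission android:name=...> values in the manifest."""
    return {el.get(ATTR_NAME) for el in root.iter("uses-permission") if el.get(ATTR_NAME)}


def has_accessibility_service(root):
    """True if the app declares an accessibility service: a <service> guarded by
    BIND_ACCESSIBILITY_SERVICE whose intent filter binds the AccessibilityService
    action. This is what lets a trojan read the screen and act for the victim."""
    for svc in root.iter("service"):
        if svc.get(ATTR_PERMISSION) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        for action in svc.iter("action"):
            if action.get(ATTR_NAME) == "android.accessibilityservice.AccessibilityService":
                return True
    return False


def triage_manifest(xml_text):
    """Return package name, capabilities found and a verdict: 'high' = a
    credential-theft surface (overlay or accessibility service) plus SMS access,
    'medium' = some suspicious capability on its own, 'low' = none found."""
    root = ET.fromstring(xml_text.strip())
    perms = declared_permissions(root)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if has_accessibility_service(root):
        caps.add("accessibility_remote_control")
    credential_theft = bool(caps & {"overlay", "accessibility_remote_control"})
    if credential_theft and "sms_interception" in caps:
        verdict = "high"
    elif caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": sorted(caps), "verdict": verdict}


# Constructed manifest modelled on the article's lure, a fake "digital identity"
# app. The package name is invented for this example.
SAMPLE_TROJAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="gov.example.digitalid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Digital ID">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed control case: an ordinary app that only needs network access.
SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_TROJAN_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

<p>A \u201chigh\u201d verdict means the manifest declares both a credential-theft surface (overlay or accessibility service) and SMS access, the exact pairing the fake-KYC-plus-OTP flow above depends on. A lone overlay or camera permission only scores \u201cmedium\u201d and calls for a look at the code rather than an automatic block, since legitimate apps declare those too.<\/p>\n\n\n\n<p>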
The sequence is illustrated in Figure 18, using screenshots captured from a real attack.<\/p>\n\n\n<style>.kb-image5802_941c0d-6d .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_941c0d-6d\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"896\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure18.png\" alt=\"\" class=\"kb-img wp-image-5832\"\/><figcaption><strong>Figure 18.<\/strong> Screenshot of a scammer deploying a KYC authentication overlay; the victim&#039;s facial scan is used to gain access to the online banking session running in the background.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">The K99 Group and its connection to Vigorish Viper and Vault Viper<\/h2>\n\n\n\n<p>According to official business registration records, the <strong>K99 Triumph City<\/strong> complex is owned by <strong>K99 Group (Cambodia)<\/strong>, a diversified conglomerate active in casinos, online gambling, real estate development and investment. Its chairman is the tycoon <strong>Rithy Raksmei<\/strong> (also known as Xie Liguang), a member of the family of Senator <strong>Kok An<\/strong>, one of the richest people in Cambodia, who has been named in media reports as wanted by Thai authorities in connection with online fraud and money laundering.<\/p>\n\n\n\n<p>Both individuals were recently named in U.S. House Resolution (HR 5490), which alleges that they are foreign nationals involved with transnational criminal organizations running large-scale online fraud operations. Reports also describe them as facilitators of criminal networks across Southeast Asia through formal business partnerships, including with organizations led by the crime bosses <strong>Alvin Chau<\/strong> (Suncity Group) and <strong>Dong Lecheng<\/strong> (who is under UK and US sanctions), and with many others connected to one of the most notorious clusters of scam centers in Sihanoukville, Cambodia, commonly known as \u201cChinatown\u201d (Figure 19).<\/p>\n\n\n<style>.kb-image5802_726b08-9c.kb-image-is-ratio-size, .kb-image5802_726b08-9c .kb-image-is-ratio-size{max-width:619px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_726b08-9c.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_726b08-9c .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_726b08-9c figure{max-width:619px;}.kb-image5802_726b08-9c .image-is-svg, .kb-image5802_726b08-9c .image-is-svg img{width:100%;}.kb-image5802_726b08-9c .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_726b08-9c\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"569\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure19.png\" alt=\"\" class=\"kb-img wp-image-5833\"\/><figcaption><strong>Figure 19.<\/strong> Key fraud centers linked to K99&#039;s extensive network are located in Sihanoukville, Cambodia. 
<em>Source: Cyber Scam Monitor, March 2025.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>According to <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/vault-viper-high-stakes-hidden-threats\/\" target=\"_blank\" rel=\"noopener\">a previous report<\/a> by Infoblox, \u201cChinatown\u201d is a self-contained, heavily guarded enclave of casinos and scam compounds. Since development began around 2017, it has rapidly grown into one of the largest high-tech fraud hubs in the world. These projects have deep ties to Chinese-speaking criminal networks associated with Kok An and Rithy Raksmei.<\/p>\n\n\n\n<p>The concentration of actors in this area points to a highly centralized ecosystem in which a small circle of politically connected insiders act as the key facilitators, supplying access, protection and uninterrupted operations to transnational criminal groups. Individuals tied to these compounds have been documented as linked to regional criminal syndicates through publicized partnership signing ceremonies, overlapping corporate structures and shared technical infrastructure.<\/p>\n\n\n\n<p>Recent reports from human rights groups and other sources indicate that K99 Triumph City remains fully operational despite the Cambodian government&#039;s crackdowns on cybercrime and fraud, a pattern commonly seen across large-scale scam center networks.<\/p>\n\n\n\n<p>Besides K99&#039;s reported links to Senator Kok An, the network has long been described as having close ties to the Cambodian political and military elite (as shown in Figures 20, 21 and 22). Most notably, K99 shares its site with the investment company and casino <strong>Royal Union<\/strong>, whose former director, <strong>Yim Leak<\/strong>, is the son of Deputy Prime Minister Yim Chhay Ly. Yim Leak is also named in a draft bill before the U.S. Congress aimed at dismantling foreign scam gangs. An interesting detail is that the historical records of Leak&#039;s role in the company were removed from Cambodia&#039;s official business registry in recent months; fortunately, investigators had already preserved copies.<\/p>\n\n\n<style>.kb-image5802_184c3e-52 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_184c3e-52\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"292\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure20.png\" alt=\"\" class=\"kb-img wp-image-5836\"\/><figcaption><strong>Figure 20.<\/strong> Tycoon Rithy Raksmei attended the groundbreaking ceremony for K99 Triumph City alongside Cambodian Senator Kok An in January 2019. <em>Source: The Cambodia-China Times.<\/em><\/figcaption><\/figure><\/div>\n\n\n<style>.kb-image5802_e37a6c-8c .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_e37a6c-8c\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"958\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure21.png\" alt=\"\" class=\"kb-img wp-image-5835\"\/><figcaption><strong>Figure 21.<\/strong> (Left) Photo of the Royal Union Casino sign at the K99 Triumph City complex in Sihanoukville, December 2023. (Right) Photo of Rithy Raksmei with Yim Leak at Leak&#039;s wedding in Bangkok, November 2018. (Below) Cambodian Business Registration documents showing Yim Leak&#039;s role at Royal Union Investment. 
<em>Source: Simon Menet, Facebook and the Cambodian Ministry of Commerce, March 2026.<\/em><\/figcaption><\/figure><\/div>\n\n\n<style>.kb-image5802_84e1d6-3d .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_84e1d6-3d\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"292\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure22.png\" alt=\"\" class=\"kb-img wp-image-5834\"\/><figcaption><strong>Figure 22.<\/strong> (Left) Screenshot of K99 Group&#039;s contribution to the Cambodian military, August 2020. (Right) One of several recorded meetings between Rithy Raksmei and Cambodia&#039;s current Prime Minister, Hun Manet, December 2021. <em>Source: Facebook.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>In February 2026, Thailand&#039;s Anti-Money Laundering Office (AMLO) and Civil Court issued a provisional order <strong>seizing assets worth 13.07 billion THB (approximately 407 million USD)<\/strong> linked to Yim Leak, Kok An and others, as part of investigations into transnational high-tech fraud.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Persistence and adaptability<\/h2>\n\n\n\n<p>This malicious infrastructure remains active and highly resilient. At the time of writing, hundreds of domains support multiple campaigns running simultaneously across three continents. Activity on this infrastructure keeps evolving and expanding, sustaining large-scale campaigns against countries such as Thailand, Indonesia, the Philippines and <strong>Vietnam<\/strong>, while also diversifying its targets to Africa and Latin America.<\/p>\n\n\n\n<p>Continuous monitoring shows persistent domain rotation through registered domain generation algorithms (RDGAs) and the steady registration of new fraudulent domains, evidence of unceasing demand from criminal networks in the region. Experts also note the continuous introduction of new lures alongside the reuse of old domains for new campaigns.<\/p>\n\n\n\n<p>Figure 23 illustrates this churn: one domain originally used as a lure impersonating the Philippine government was redirected to target customers of a Moroccan bank, while another, originally used for investment scams in Thailand, was repurposed to impersonate the Philippine government and distribute malicious APK files.<\/p>\n\n\n<style>.kb-image5802_8855e7-c6.kb-image-is-ratio-size, .kb-image5802_8855e7-c6 .kb-image-is-ratio-size{max-width:760px;width:100%;}.wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_8855e7-c6.kb-image-is-ratio-size, .wp-block-kadence-column > .kt-inside-inner-col > .kb-image5802_8855e7-c6 .kb-image-is-ratio-size{align-self:unset;}.kb-image5802_8855e7-c6 figure{max-width:760px;}.kb-image5802_8855e7-c6 .image-is-svg, .kb-image5802_8855e7-c6 .image-is-svg img{width:100%;}.kb-image5802_8855e7-c6 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<div class=\"wp-block-kadence-image kb-image5802_8855e7-c6\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"693\" src=\"https:\/\/chongluadao.vn\/blog\/wp-content\/uploads\/2026\/04\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers-figure23.png\" alt=\"\" class=\"kb-img wp-image-5837\"\/><figcaption><strong>Figure 23.<\/strong> (Above) An example of the lure changing from impersonating the Philippine government on egov.nbsvgo[.]cc to targeting customers of a Moroccan bank. 
(Below) The vsgo[.]cc domain, previously used to scam investors by impersonating the Certified Finance Institute (CFI) in Thailand, is now reused to impersonate the Philippine government and distribute malicious APKs.<\/figcaption><\/figure><\/div>\n\n\n\n<p>The investigation team&#039;s findings show how quickly the criminal groups running these fraud centers put readily available tools into practical operation. With abundant multilingual labor, growing technical capability and enormous profits, they not only adopt but also customize and commercialize malware, infrastructure and social engineering techniques into flexible, highly scalable attack models.<\/p>\n\n\n\n<p>What has emerged is an agile, experimental and strongly commercially driven ecosystem in which tools are continuously reused, refined and redeployed to maximize reach and profit. In this environment, \u201cinnovation\u201d is not an obstacle but the baseline, allowing these networks to sustain and scale complex multi-market fraud operations at extreme speed.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>This article is a collaborative product of Infoblox Threat Intel and Anti-Fraud (Ch\u1ed1ng L\u1eeba \u0110\u1ea3o). All technical analysis and visual evidence are derived from joint research by the two organizations. 
Original article: <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers\/\" target=\"_blank\" rel=\"noopener\">Infoblox Blog<\/a>.<\/em><\/p>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Building upon a MaaS platform, Anti-Fraud and Infoblox collaborated to investigate and trace fraud centers in Cambodia. [\u2026]<span class=\"screen-reader-text\"> From Scams, Slavery, and MaaS: Tracing Trojans to Scam Hubs in Cambodia<\/span><\/a><\/p>","protected":false},"author":3,"featured_media":5805,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5802","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/posts\/5802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/comments?post=5802"}],"version-history":[{"count":16,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/posts\/5802\/revisions"}],"predecessor-version":[{"id":5846,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/posts\/5802\/revisions\/5846"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/media\/5805"}],"wp:attachment":[{"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/media?parent=5802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\
/categories?post=5802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chongluadao.vn\/blog\/en\/wp-json\/wp\/v2\/tags?post=5802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}