{
	"id": "137fe046-0904-463d-a6b1-ead495da67e6",
	"created_at": "2026-04-06T00:17:45.815098Z",
	"updated_at": "2026-04-10T03:30:33.496466Z",
	"deleted_at": null,
	"sha1_hash": "49e964a9074de695747a4655dfe6cd7afae8bf5f",
	"title": "Trojan uncovered by Group-IB targets 50+ Vietnamese banks | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116052,
	"plain_text": "GoldDigger drains your bank\r\naccount: new Trojan\r\nuncovered by Group-IB\r\ntargets 50+ Vietnamese\r\nbanks\r\nhttps://www.group-ib.com/media-center/press-releases/golddigger-trojan-vietnam/\r\nPage 1 of 9\n\nMedia Center → Press Releases October 5, 2023 · 4 min to read\r\nFraud Protection Threat Intelligence Trojan Vietnam\r\nGroup-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital\r\ncrime, has discovered a new Android Trojan that specifically targets users of over 50 Vietnamese\r\nbanking applications, electronic wallets, and cryptocurrency wallets, with the aim of stealing their\r\nfunds. Codenamed GoldDigger by Group-IB’s Threat Intelligence unit, the Trojan has been\r\nactive since at least June 2023. The malicious application impersonates a Vietnamese government\r\nportal and an energy company and abuses the Android Accessibility service to extract personal\r\ninformation, steal banking app credentials, intercept SMS messages, and perform various user\r\nactions. The number of infected devices and the amount stolen remains unknown.\r\nGroup-IB’s Threat Intelligence customers were promptly notified upon the discovery of the threat.\r\nGroup-IB’s Computer Emergency Response Team (CERT-GIB) also issued a proactive notification\r\nto the Governmental National CERT of Vietnam (VNCERT) and continues its outreach campaign.\r\nThe malware was first spotted by Group-IB in June 2023. The company’s Threat Intelligence unit\r\nidentified more than ten fake websites posing as Google Play Store pages and fake company\r\nwebsites. To appear more convincing, some fake websites include user reviews and the emblem of\r\nVietnam.\r\nhttps://www.group-ib.com/media-center/press-releases/golddigger-trojan-vietnam/\r\nPage 2 of 9\n\nFigure 1. 
Fake website distributing GoldDigger\r\nThese sites were designed to deceive users into downloading the malicious GoldDigger application,\r\nnamed after a specific Android activity, found within the APK file, called “GoldActivity”. Group-IB was\r\nnot able to establish the initial vector, but the Trojan’s operators most likely distributed the links to\r\nthese websites through messengers or traditional phishing. Group-IB detected two different\r\nstrains of GoldDigger – one that impersonated a Vietnamese governmental portal and another\r\nimitating a local energy sector company.\r\nAfter being installed and launched, GoldDigger requests access to Accessibility Service, an Android\r\nfeature designed to assist users with disabilities by allowing apps to interact with each other and\r\nmodify the user interface. By abusing this feature, the malware can monitor and manipulate the\r\ndevice’s functions.\r\nBy granting the Trojan access to Accessibility Service, the user unwittingly enables GoldDigger to\r\nextract sensitive information, such as passwords, intercept SMS messages, simulate user\r\ninteractions, as well as to steal login credentials. The Trojan monitors events related to 51 targeted\r\napplications of Vietnamese financial organizations, as well as e-wallets and crypto apps.\r\nAfter capturing user input (such as logins and passwords), GoldDigger exfiltrates the data to\r\ncommand-and-control (C\u0026C) servers.\r\nFigure 2. GoldDigger profile\r\nOne notable feature of GoldDigger is that it uses Virbox Protector – a legitimate software that\r\nprovides advanced obfuscation and encryption. Malware developers employ Virbox Protector to\r\nmake it more challenging for cybersecurity researchers to analyze and reverse-engineer their\r\nmalicious code and avoid detection by conventional anti-fraud solutions. 
Nonetheless, Group-IB’s\r\nFraud Protection can effectively detect GoldDigger.\r\nAnh Le\r\nGroup-IB’s Business Development Manager in Vietnam\r\n“However, Group-IB’s Threat Intelligence team found that, in addition to\r\nVietnamese, the malware included language translations to Spanish and\r\ntraditional Chinese. The cybercriminals may have plans to further extend\r\nGoldDigger’s reach to Spanish and Chinese-speaking countries in the near\r\nfuture. We continue the investigation into GoldDigger and will provide\r\nupdates when they become available.”\r\nTo minimize their risk of downloading banking Trojans such as GoldDigger, Group-IB recommends\r\nusers always check for updates on their mobile devices, avoid downloading applications from\r\nsources outside of the Google Play Store, and check what permissions an application requests once\r\nit is downloaded. Companies seeking to safeguard their users from malware attacks might consider\r\nGroup-IB’s Fraud Protection solution. It monitors user sessions by leveraging machine learning\r\nalgorithms to identify suspicious behavior, the latest fraud techniques, unauthorized remote\r\nsessions, as well as the presence of malware, such as GoldDigger.\r\nAbout Group-IB\r\nFounded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity\r\ntechnologies to investigate, prevent, and fight digital crime. 
Combating cybercrime is in the\r\ncompany’s DNA, shaping its technological capabilities to defend businesses, citizens, and support\r\nlaw enforcement operations.\r\nGroup-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central\r\nAsia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific\r\nthreats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime\r\nprevention and continually expand its threat-hunting capabilities.\r\nGroup-IB’s decentralized and autonomous operational structure helps it offer tailored,\r\ncomprehensive support services with a high level of expertise. We map and mitigate adversaries’\r\ntactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and\r\nrequirements of various industries, including retail, healthcare, gambling, financial services,\r\nmanufacturing, crypto, and more.\r\nThe company’s global security leaders work in synergy with some of the industry’s most advanced\r\ntechnologies to offer detection and response capabilities that eliminate cyber disruptions agilely.\r\nGroup-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted\r\ncyber environment by utilizing intelligence-driven technology and agile expertise that completely\r\ndetects and defends against all nuances of digital crime. 
The platform proactively protects\r\norganizations’ critical infrastructure from sophisticated attacks while continuously analyzing\r\npotentially dangerous behavior all over their network.\r\nThe comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete\r\nFraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed\r\nExtended Detection and Response (XDR), All-infrastructure Business Email Protection, and External\r\nAttack Surface Management.\r\nFurthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently\r\nelevated industry standards. This includes the 77,000+ hours of cybersecurity incident response\r\ncompleted by our sector-leading DFIR Laboratory, more than 1,400 successful investigations\r\ncompleted by the High-Tech Crime Investigations Department, and round-the-clock efforts of\r\nCERT-GIB.\r\nTime and again, its solutions and services have been revered by leading advisory and analyst\r\nagencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG,\r\nand more.\r\nBeing an active partner in global investigations, Group-IB collaborates with international law\r\nenforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer\r\ncyberspace. 
Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3)\r\nAdvisory Group on Internet Security, which was created to foster closer cooperation between\r\nEuropol and its leading non-law enforcement partners.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/media-center/press-releases/golddigger-trojan-vietnam/"
	],
	"report_names": [
		"golddigger-trojan-vietnam"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49e964a9074de695747a4655dfe6cd7afae8bf5f.pdf",
		"text": "https://archive.orkl.eu/49e964a9074de695747a4655dfe6cd7afae8bf5f.txt",
		"img": "https://archive.orkl.eu/49e964a9074de695747a4655dfe6cd7afae8bf5f.jpg"
	}
}