
This rapidly growing group of Masked Actors is part of an affiliation network, suggesting a bigger organized cybercrime operation. Ajina focuses on large-scale financial fraud, targeting banking apps. Group-IB identified this specialized group following an investigation in May 2024.

Our investigation analyzed over 1,400 unique Android malware samples, suggesting a significant number of affected users. Ajina’s victims are everyday users of banking and payment phone apps. Victims are primarily in Central Asia, but the campaign has expanded globally.
Our analysis of file names, sample distribution methods, and other activities shows that the attackers seem familiar with Central Asian culture, suggesting local ties. Members operate through a network of affiliates, each distributing malware. The use of Telegram channels indicates a well-coordinated effort.