
GoldFactory is a threat group that Group-IB discovered, named, and has tracked from day one, and it introduced a capability the mobile threat landscape had never seen before. In February 2024, Group-IB publicly disclosed GoldFactory as the group behind GoldPickaxe, the first iOS trojan ever observed stealing facial recognition data from victims. The biometric theft was not opportunistic: it was engineered specifically to bypass facial recognition-based KYC verification in banking applications, turning a security control into an attack surface.
The group operates as a mature criminal ecosystem rather than a single malware family. Developers build and iterate a portfolio of mobile trojans, while distributed regional operator teams handle social engineering, distribution, and fraud execution in each target country. GoldFactory adapts rapidly to local conditions: when Vietnamese and Thai banks introduced stronger KYC procedures, the group released facial data-stealing tools within months. When Indonesia launched the Coretax tax service, GoldFactory built lures around it almost immediately.
The Indonesia Coretax campaign (July 2025 to January 2026) abused more than 16 trusted government and financial sector brands in a single operation, timed to Indonesia's national tax season to maximize victim volume. Group-IB is tracking expansion signals beyond APAC: Spanish-language code artifacts and Traditional Chinese-language support in recent tooling suggest the group is developing for new target markets.
Key Numbers:
— 15 infections per day across active campaigns
— 16+ trusted government and financial brands abused in a single campaign
— $1,700 average financial loss per successful case
— $3M+ annual regional losses (minimum estimate, single region)
Primary targets are concentrated in APAC: Vietnam (primary), Thailand, and Indonesia, with secondary activity in the Philippines and early signs of expansion into META (Middle East, Türkiye and Africa). Isolated impersonation attempts targeting banks in Peru, Mexico, Brazil, Bangladesh, and Africa have also been observed, but these appear to be outliers rather than strategic targets.
GoldPickaxe.iOS, the first documented iOS trojan stealing facial recognition data, was deployed against banking customers in Thailand and Vietnam to bypass biometric KYC verification. Group-IB made the original discovery and disclosure.
Fake Coretax tax applications were distributed via phishing sites and WhatsApp, combined with vishing and timed to the national tax season. The campaign ran on shared infrastructure hosting Gigabud.RAT and MMRat alongside proprietary GoldFactory tools, abusing 16+ brands simultaneously.
GoldDigger and GoldPickaxe were deployed against Vietnamese financial organizations, and were adapted within weeks of banks introducing stronger KYC requirements.
GoldFactory’s operational playbook combines social engineering, technical exploitation, and campaign timing to maximize fraud success rates across APAC markets.
The group relies heavily on impersonation of legitimate government and financial applications. In Indonesia, attackers created fake Coretax applications replicating the official tax platform, distributing them through phishing websites and WhatsApp-based social engineering. The attack chain integrates phishing sites, malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized fund transfers.
GoldPickaxe prompts victims to capture facial scans and photographs of identity documents under the guise of identity verification. This biometric data is exfiltrated to attacker-controlled infrastructure and can be used to bypass biometric authentication systems in banking applications — potentially enabling deepfake-assisted account takeover.
GoldFactory trojans intercept one-time passwords sent by banks during transaction authorization, neutralizing SMS-based two-factor authentication — one of the most widely deployed verification methods in the APAC region.
Rather than building bespoke infrastructure per campaign, GoldFactory leverages a common backend supporting multiple malware families and brand impersonation campaigns simultaneously. The Indonesia campaign alone deployed Gigabud.RAT and MMRat alongside proprietary tools — enabling rapid horizontal scaling across brands and geographies at reduced cost per campaign.
GoldPickaxe stands out because it combines social engineering with technical persistence in ways that bypass conventional app-level controls. The detection approach that works here is focusing on indicators of attack rather than static signatures — tracking behavioral patterns like abnormal accessibility service abuse or unauthorized screen capture activity in real time, so your SOC can interrupt the intrusion before credential theft is complete.
Monitor device behaviour in real time to detect overlay attacks and accessibility service abuse, GoldFactory's primary credential theft vector.
Do not rely solely on biometric confirmation, which can be defeated by facial data theft and deepfake generation. A stolen face scan combined with a deepfake engine can bypass a static facial recognition check; liveness detection closes most of this gap, provided the liveness check itself resists camera-feed injection and is combined with device binding and transaction risk scoring rather than used as the sole control.
Track GoldFactory infrastructure through threat intelligence feeds covering APAC cybercrime communities; the group's infrastructure rotates rapidly and static IOC lists go stale quickly.
Require stronger authentication than SMS-based OTP for high-value transactions. Push-based authentication, hardware tokens, or app-based TOTP provide stronger protection against GoldFactory's SMS interception capabilities.
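The behaviour-based monitoring recommended above, as an added illustrative example (written for this page, not Group-IB tooling or any product's detection logic): a small detector that correlates privileged behaviours per app (accessibility service enablement, overlay permission, screen capture, SMS reads) and alerts when a sideloaded, non-system app accumulates them inside a time window. The telemetry format, package names, installer allow-list, weights and threshold are all assumptions, and the sample lines are constructed; none of them are GoldFactory indicators.

```python
"""Added example: behaviour-based detection of mobile banking trojan tradecraft
(accessibility service abuse, overlay permission, screen capture, SMS/OTP reads).
The telemetry format, package names, weights and threshold are assumptions made
for this illustration; none of the values are GoldFactory indicators."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TRUSTED_INSTALLERS = {"com.android.vending"}            # assumed: store installs are trusted
SYSTEM_PACKAGES = {"com.android.systemui",               # assumed allow-list of packages that
                   "com.google.android.apps.messaging"}  # may legitimately read SMS / draw overlays

# Behaviour weights (assumed). Any single one is benign on its own; the chain is the signal.
WEIGHTS = {
    "accessibility_service_enabled": 40,
    "overlay_permission_granted": 20,
    "screen_capture": 25,
    "sms_read": 30,
}
ALERT_THRESHOLD = 60
WINDOW = timedelta(minutes=30)   # correlation window per (device, package)


@dataclass
class Event:
    ts: datetime
    device: str
    package: str
    installer: str   # installing package, or "sideload"
    kind: str


def parse_line(line: str) -> Event:
    """Parse one 'ts | device | package | installer | kind' telemetry line (constructed format)."""
    ts, device, package, installer, kind = [f.strip() for f in line.split("|")]
    return Event(datetime.fromisoformat(ts), device, package, installer, kind)


def is_suspicious(ev: Event) -> bool:
    """Privileged behaviour counts only when the actor is a sideloaded, non-system app."""
    return (ev.kind in WEIGHTS
            and ev.package not in SYSTEM_PACKAGES
            and ev.installer not in TRUSTED_INSTALLERS)


def detect(lines):
    """Correlate suspicious behaviours per (device, package) inside WINDOW.

    Returns one alert per (device, package) whose distinct behaviours score at
    or above ALERT_THRESHOLD; the alert is updated to reflect the full chain seen.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    history = defaultdict(list)
    alerts = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev.device, ev.package)
        recent = [e for e in history[key] if ev.ts - e.ts <= WINDOW] + [ev]
        history[key] = recent
        behaviours = sorted({e.kind for e in recent})
        score = sum(WEIGHTS[b] for b in behaviours)
        if score >= ALERT_THRESHOLD:
            alerts[key] = {
                "device": ev.device,
                "package": ev.package,
                "score": score,
                "behaviours": behaviours,
                "first_seen": recent[0].ts.isoformat(),
                "last_seen": ev.ts.isoformat(),
            }
    return list(alerts.values())


# Constructed telemetry: dev-A shows the full chain from a sideloaded fake tax app,
# dev-B is a store-installed screen recorder, dev-C only enables an accessibility service.
SAMPLE_TELEMETRY = """
2026-01-12T09:00:05 | dev-A | com.google.android.apps.messaging | com.android.vending | sms_read
2026-01-12T09:01:10 | dev-A | com.example.fake_tax_app | sideload | accessibility_service_enabled
2026-01-12T09:01:12 | dev-A | com.example.fake_tax_app | sideload | overlay_permission_granted
2026-01-12T09:03:40 | dev-A | com.example.fake_tax_app | sideload | screen_capture
2026-01-12T09:04:02 | dev-A | com.example.fake_tax_app | sideload | sms_read
2026-01-12T10:00:00 | dev-B | com.example.screenrecorder | com.android.vending | screen_capture
2026-01-12T11:30:00 | dev-C | com.example.helper | sideload | accessibility_service_enabled
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert)
```

Only dev-A produces an alert: the accessibility grant alone (dev-C) stays under the threshold, and the store-installed recorder (dev-B) is filtered by the installer check. The point of scoring distinct behaviours inside a window rather than matching package names or hashes is that it survives the rapid repackaging and infrastructure rotation described on this page.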
GoldFactory is a Chinese-speaking cybercriminal threat group first discovered, named, and publicly disclosed by Group-IB in February 2024. The group targets financial institutions and their customers across the Asia-Pacific region using a portfolio of mobile banking trojans — most notably GoldPickaxe.iOS, the first iOS trojan ever observed stealing facial recognition data. All naming conventions associated with this threat cluster (GoldFactory, GoldDigger, GoldPickaxe) were coined by Group-IB researchers.
GoldPickaxe.iOS prompts victims to provide facial scans under the guise of identity verification — often within a convincing fake banking or government application. The stolen biometric data is exfiltrated to attacker-controlled infrastructure and can potentially be used to create deepfakes or bypass facial recognition authentication systems deployed by financial institutions. This was the first time such a capability had been observed in iOS mobile malware.
GoldFactory is distinguished by three specific factors: its cross-platform reach covering both Android and iOS; its pioneering use of facial recognition data theft via GoldPickaxe; and its industrialized shared infrastructure model enabling rapid scaling of brand abuse across multiple countries simultaneously. By contrast, CraxsRAT relies primarily on remote access capabilities on Android. GoldFactory's combination of biometric harvesting and cross-platform deployment represents a fundamentally different and more advanced threat model.
The Indonesian Coretax campaign (initiated July 2025, escalated January 2026) was one of GoldFactory’s most sophisticated operations. Attackers created fake applications impersonating Indonesia’s official Coretax tax platform, distributing them via phishing sites and WhatsApp social engineering, timed to coincide with Indonesia’s national tax filing season. The campaign abused more than 16 trusted brands in a single coordinated operation using GoldFactory’s shared malware infrastructure.
First, obtain suspicious APK or IPA samples and submit them for automated mobile malware analysis, confirming whether the sample belongs to the GoldFactory family. Second, cross-reference device telemetry and application distribution URLs against current GoldFactory IOCs — the group’s infrastructure rotates rapidly. Third, if GoldPickaxe variants are confirmed, immediately enable enhanced liveness detection and anomaly monitoring on all biometric authentication flows, since stolen facial recognition data may already be in the attackers’ possession.
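The third response step above (hardening biometric authentication flows once stolen face data must be assumed) and the earlier recommendations not to rely on biometric confirmation alone and to move high-value transactions off SMS OTP, as one added illustrative example of the bank-side step-up logic. This is not any bank's or Group-IB's code: the field names, thresholds, factor rules and the five constructed scenarios are assumptions made for this illustration.

```python
"""Added example: a transaction-authorization policy in which a facial match is
never sufficient on its own. A biometric result only counts as a factor when a
liveness check passed, and SMS OTP does not satisfy the second factor at or above
a high-value threshold. Field names, thresholds, factor rules and the scenarios
below are assumptions for this illustration, not any bank's real policy."""
from dataclasses import dataclass, field
from typing import Optional

HIGH_VALUE = 5_000                                   # assumed threshold, account currency
STRONG_OTP_CHANNELS = {"push", "hardware_token", "app_totp"}
MIN_FACE_SCORE = 0.80                                # assumed vendor match-score threshold


@dataclass
class AuthContext:
    amount: float
    new_payee: bool
    device_bound: bool               # request came from the device enrolled for this account
    face_score: Optional[float]      # similarity from the face matcher; None if not attempted
    liveness: str                    # "passed", "failed" or "not_performed"
    otp_channel: Optional[str]       # "sms", "push", "hardware_token", "app_totp" or None
    otp_verified: bool
    pin_verified: bool


@dataclass
class Decision:
    action: str                      # "allow", "step_up" or "deny"
    factors: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate(ctx: AuthContext) -> Decision:
    d = Decision(action="deny")

    # Inherence: a face match is accepted only together with a passed liveness check.
    if ctx.face_score is not None and ctx.face_score >= MIN_FACE_SCORE:
        if ctx.liveness == "passed":
            d.factors.append("inherence:face+liveness")
        elif ctx.liveness == "failed":
            # A face that matches but is not live is exactly the replay/deepfake case: hard deny.
            d.reasons.append("face matched but liveness failed; possible replayed or synthetic face")
            return d
        else:
            d.reasons.append("face match without a liveness check is not accepted as a factor")

    # Possession: binding to the enrolled device.
    if ctx.device_bound:
        d.factors.append("possession:device")

    # Possession via OTP: SMS can be read by on-device malware, so it is only accepted below HIGH_VALUE.
    if ctx.otp_verified and ctx.otp_channel:
        if ctx.otp_channel in STRONG_OTP_CHANNELS:
            d.factors.append("possession:" + ctx.otp_channel)
        elif ctx.amount < HIGH_VALUE:
            d.factors.append("possession:sms(weak)")
        else:
            d.reasons.append("sms otp does not satisfy the second factor at or above the high-value threshold")

    # Knowledge: PIN or password.
    if ctx.pin_verified:
        d.factors.append("knowledge:pin")

    # Count factor categories (inherence/possession/knowledge), not channels, so that
    # two possession proofs from the same compromised phone do not add up to "two factors".
    categories = {f.split(":")[0] for f in d.factors}
    risky_context = ctx.new_payee and ctx.amount >= HIGH_VALUE and not ctx.device_bound

    if len(categories) >= 2 and not risky_context:
        d.action = "allow"
    elif d.factors:
        d.action = "step_up"   # request an additional strong factor (push, hardware token, app TOTP)
        d.reasons.append("insufficient independent factors for this transaction" if len(categories) < 2
                         else "high-value transfer to a new payee from an unenrolled device")
    else:
        d.reasons.append("no acceptable authentication factor presented")
    return d


# Constructed scenarios (not real cases). Positional order matches AuthContext.
SCENARIOS = {
    # Stolen face scan played through a deepfake engine; liveness catches it.
    "stolen_face_deepfake": AuthContext(8000, True, False, 0.93, "failed", "sms", True, False),
    # Same attack against a flow with no liveness check; intercepted SMS OTP, high value.
    "stolen_face_no_liveness": AuthContext(8000, True, False, 0.93, "not_performed", "sms", True, False),
    # Low-value transfer authenticated by SMS OTP alone.
    "low_value_sms_only": AuthContext(500, False, False, None, "not_performed", "sms", True, False),
    # Legitimate customer: live face, enrolled device, push confirmation, PIN.
    "legit_bound_device_push": AuthContext(8000, True, True, 0.91, "passed", "push", True, True),
    # Legitimate customer on a new phone sending high value to a new payee.
    "legit_new_device_high_value": AuthContext(8000, True, False, 0.91, "passed", "push", True, False),
}


def run_all() -> dict:
    """Return the decision for every scenario, keyed by scenario name."""
    return {name: evaluate(ctx).action for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        d = evaluate(ctx)
        print(f"{name:30} {d.action:8} factors={d.factors} reasons={d.reasons}")
```

The two stolen-face scenarios are denied for different reasons: the first because a matching face that fails liveness is treated as the attack signature itself, the second because, with no liveness check and only an interceptable SMS OTP, the attacker has presented no factor the policy accepts for a high-value transfer. The legitimate customer on an enrolled device with a live face and push confirmation is allowed without friction; friction is concentrated where a device-resident trojan would have to operate.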
GoldFactory enables direct financial fraud through stolen banking credentials, bypassed biometric authentication via facial recognition theft, and intercepted OTPs. The industrialized scale of campaigns — such as the Indonesia fake Coretax operation which exploited national tax season timing and abused 16+ brands — combined with targeting of both Android and iOS users across multiple APAC countries means aggregate fraud exposure for regional financial institutions is substantial.