There is a significant trend in malware (malicious software) attacks currently hitting the Indonesian banking sector. This trend has taken the form of a surge in malicious Remote Access Trojan or RAT attacks. RAT attacks allow hackers to gain unauthorized control over a mobile device remotely.
Beginning towards the end of 2025 and escalating in early 2026, hackers have been using apps mimicking the government tax system to compromise devices. This tax system is known as DJP Online. Some banks have informally admitted that their users have been hacked through this malware strain. Many are trying to find ways to detect and prevent it.
This specific threat mechanic is not limited to Indonesia but is emerging across Southeast Asia. Similar cases have been reported in Malaysia.
There are two important elements to the method of this malware attack.
The malware allows attackers to remote into devices and perform illicit transactions. The stealthy operation of RATs differentiates them from viruses that slow down the computer. RATs are designed to remain hidden, avoid detection, and appear like a reputable application.
Visual masking is a front-end privacy feature that automatically obscures sensitive information on a user interface. This malware abuses the same UI-only idea as part of its attack: while the attack occurs, the device screen appears black or powered off. This leaves the user completely unaware that the attack is taking place.
Two different strains are worth mentioning.
The previous version that gained significant attention from the banking sector was called DJPOnline App Mimicry. Here, the threat actor created fake mobile and other apps that imitated the legitimate Indonesian Directorate General of Taxes (DJP) online tax reporting platform, DJP Online, to deceive and defraud users.
These fake apps often replicate the logo, colors, and user interface of the official DJP Online platform to gain trust. They were distributed through WhatsApp and unofficial, unverified websites, rather than the official Google Play Store.
It’s important to note that the earlier version of this RAT is often referred to as M-Pajak rather than DJP Online.
The banking sector in Indonesia consistently refers to it as M-Pajak malware because the malware specifically mimics the M-Pajak mobile application.
DJP Online typically refers to the web-based version of the tax system, although both are technically the same application.
A new variant has been circulating under the name Coretax. Coretax is the name of the new official tax platform of the DJP. The Coretax Administration System was only launched in 2025. Attackers used this fact, combined with the timing of the annual tax return season, to lure users into downloading fake apps. There is no official Coretax mobile app.
Coretax App Mimicry is a fraudulent phishing scheme that impersonates this platform to trick users into downloading malicious Android apps. These apps are actually APK files that enable the attacker to seize control of the device and steal sensitive financial information. Once installed, they lock the user out, while the malware (often identified as MMRat or Gigabud) steals device data and captures banking credentials, leading to unauthorized transactions.
The Coretax RAT has become a primary security concern for many regional banks in Indonesia, with similar threats already gaining traction in neighboring markets like Malaysia. The Coretax scam has caused significant fraud in Indonesia. Some reports have measured the impact at $1.5-$2 million so far. This may be due to high adoption rates of mobile banking in the region.
Currently, many of these institutions lack a deep technical understanding of the underlying malware mechanics and struggle to implement a comprehensive prevention strategy. This is why Promon is keen to help by providing a detailed analysis with a controlled simulation, and protection solutions to this pressing issue.
How does the Coretax malware work?
BRImo is the official mobile banking application from Bank Rakyat Indonesia (BRI). BRI had previously reported to Promon that the Coretax malware was used against a repackaged version of their app, which we analyzed in March 2025. But at that point, we did not have access to the malware, so we were unable to check exactly what it did.
However, Promon’s Security Research team was able to conclude that the repackaged version of the app had removed protections regarding accessibility services and screen mirroring. This made sense to us because with Shield in the app, the most common functionality of a RAT is blocked, so attackers first need to disable these protections to then be able to use a malware like Coretax.
In February 2026, Promon succeeded in performing an analysis of the Coretax malware itself. Our findings were exactly as expected. Coretax is a typical RAT that is directed by attackers through a ‘command and control’ server to perform many different actions on the device of the victim. The most significant of these actions from a mobile application security viewpoint are these.
Screen capture is when malware takes screenshots of a victim's screen, or records it, to steal sensitive information. Screen mirroring allows an attacker to see everything that’s happening on the screen through an RTMP (Real-Time Messaging Protocol) stream back to the server. Coretax malware uses screen mirroring so the attacker can see the victim’s screen.
The malware can dynamically configure its Accessibility-based collection logic to monitor and harvest text or credential input from selected target applications. This allows the attacker to intercept text, key presses, and credentials from the victim.
Accessibility service abuse is a cybersecurity threat where malicious apps abuse the legitimate ‘accessibility service’ feature of the Android operating system to gain unauthorized control over a device. Coretax malware uses accessibility service abuse to steal credentials from the UI screen.
Emulated input is fake user interaction generated by a program rather than coming from the victim. It can take the form of simulated taps, clicks, or keystrokes. Attackers use it to automate actions or bypass controls that assume input is human-driven. Coretax malware uses emulated input to enter details such as the username and password into the device, so that a money transfer transaction can be performed.
Fake overlays are malicious UI layers drawn on top of a legitimate app to trick the user into interacting with them instead of the real interface. In the Coretax malware, attackers rely on the capacity of fake overlays to capture credentials, intercept input, and redirect actions, so the attacker can control the device from the background.
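The three capabilities above (accessibility-based harvesting, screen mirroring, and fake overlays) each map to a runtime check an Android banking app can perform on its own. The following is an added example written for this article, not Promon's or Shield's code; the allowlist of trusted accessibility services is a hypothetical app policy, and the checks are signals to act on, not a complete protection product.

```java
// Added example: in-app defensive checks against the RAT capabilities described above.
// Assumptions: called from an Activity; TRUSTED_SERVICES is a hypothetical bank policy.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class RatDefenseChecks {
    // Hypothetical allowlist of vetted screen readers; anything else is "untrusted".
    private static final Set<String> TRUSTED_SERVICES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"));

    // 1. Untrusted screen reader: every enabled accessibility service not on the allowlist.
    //    A RAT harvesting credentials via AccessibilityService shows up here as "package/class".
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        List<String> untrusted = new ArrayList<>();
        for (AccessibilityServiceInfo info : enabled) {
            if (!TRUSTED_SERVICES.contains(info.getId())) untrusted.add(info.getId());
        }
        return untrusted; // empty list means only vetted services are running
    }

    // 2. Screen mirroring/capture: FLAG_SECURE makes this window render black in
    //    screenshots, screen recordings and MediaProjection-based streams.
    public static void blockScreenCapture(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    // 3. Fake overlay: the system flags a touch that passed through another window
    //    drawn over ours. Call this from a View's onTouchEvent / onFilterTouchEventForSecurity
    //    and refuse the tap on sensitive controls (same idea as setFilterTouchesWhenObscured).
    public static boolean touchCameThroughOverlay(MotionEvent ev) {
        int flags = ev.getFlags();
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }
}
```

A non-empty result from untrustedAccessibilityServices, or a sensitive tap flagged by touchCameThroughOverlay, is the kind of runtime signal an app can log and act on before a transfer is submitted.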
Promon has conducted further detailed analysis of the Coretax malware. We have been able to write our own control logic for how the Coretax malware works and test the ability of Shield to protect against it. We will provide a breakdown of exactly how this RAT operates in an App Threat Report later this year.
How do potential victims defend against the Coretax malware?
When it comes to simulating the defense against malware like Coretax, the ideal scenario is for a malware operator to attack us live, so Promon can demonstrate how we protect against it. What Promon’s Security Research team did was create their own command and control server, then patch the malware to use it instead. That enabled Promon to show the attack from the attacker perspective, as well as that of the defender. The team has successfully demonstrated a simulated C2 server controlling the Coretax RAT malware.
We are working on a demonstration video of how Shield detects and defends against the Coretax attack. This video will include segments on:
Initial app and malware installation
Credential capturing and screen mirroring
Malicious, fingerprint, and black overlay
The attack behind the overlay
Untrusted screen reader blocking
Blocking screen mirroring
Blocking emulated input
We will release it soon.
In June of this year, Promon will publish a quarterly App Threat Report that focuses entirely on the Coretax Android banking malware. In it, we’ll cover topics like:
What the Coretax malware does
How a Coretax malware attack begins
The screen flow that the victim sees
What the Coretax malware can do
What it can automate on its own
What the action set shows about its capabilities
What each capability sends back to the server
What an attack using Coretax malware looks like
Indicators of a compromised device
Coretax RAT malware shows how quickly mobile banking threats can adapt to local context, user behavior, and public-sector trust signals. For banks across Southeast Asia, the priority is clear: protect the app at runtime, detect abuse as it happens, and stop attacks before remote access leads to financial loss.