ClickCease Deepfakes Malware Attacks: GoldFactory's Advanced Tactics

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Deepfakes Malware Attacks: GoldFactory’s Advanced Tactics

Wajahat Raja

March 1, 2024 - TuxCare expert team

In the ever-evolving landscape of mobile Deepfakes malware attacks, a notorious threat actor named GoldFactory has surfaced, leaving a trail of highly sophisticated banking trojans in its wake. The group, operating since at least mid-2023, has gained notoriety for its advanced techniques, notably introducing a previously undocumented iOS malware called GoldPickaxe. 

This malicious software goes beyond typical exploits, capable of harvesting sensitive data like identity documents facial recognition data, and intercepting SMS messages. Understanding the intricate relationship between Deepfakes and malware techniques is essential in mitigating the growing threat landscape of cyber attacks. 

In this blog, we’ll delve into the world of cybersecurity, shedding light on the rising threat of Deepfakes malware attacks and their implications for online security and privacy.


GoldPickaxe: A Cross-Platform Threat

GoldPickaxe, part of the GoldFactory arsenal, is a versatile threat that targets both iOS and Android platforms. According to a
comprehensive report from Singapore-based Group-IB, GoldFactory is a well-organized Chinese-speaking cybercrime group with close ties to Gigabud. 

The malware family includes GoldDigger, GoldDiggerPlus, and GoldKefu, each playing a specific role in the group’s elaborate schemes. GoldFactory’s social engineering campaigns have strategically targeted the Asia-Pacific region, specifically focusing on countries like Thailand and Vietnam. 

The attackers employ deceptive tactics, masquerading as local banks and government organizations to lure victims. The primary vectors include smishing and phishing messages, guiding targets to shift communication to instant messaging apps like LINE. 

Subsequently, victims are led to click on deceptive URLs that initiate the deployment of GoldPickaxe on their devices.

Deepfakes Malware Attacks Decoded

For Android users, malicious apps are often hosted on counterfeit websites resembling Google Play Store pages or fake corporate websites. On the other hand, GoldPickaxe for iOS takes a different approach, utilizing Apple’s TestFlight platform and booby-trapped URLs. 

These URLs prompt users to download a Mobile Device Management (MDM) profile, granting complete control over iOS devices for the installation of the rogue app. GoldPickaxe’s sophistication becomes evident in its ability to bypass security measures imposed by Thailand. 

In response to facial recognition requirements for larger transactions, the malware prompts victims to record a video within the fake application. This recorded video becomes raw material for creating deepfake videos, accomplished through face-swapping artificial intelligence services.


Dual-Platform Capabilities and Information Gathering

Both Android and iOS variants of GoldPickaxe are equipped to collect a wide array of sensitive information, including ID documents, photos intercepted SMS messages, and proxying traffic through compromised devices. Notably, the iOS variant exhibits fewer functionalities due to the closed nature of the iOS operating system and its stringent permissions.

GoldDigger and its Evolution

GoldDigger, another creation of GoldFactory, shares code-level similarities with GoldPickaxe. While GoldDigger primarily focuses on stealing banking credentials, GoldPickaxe leans towards gathering personal information from victims. 

The Android version of GoldDigger, considered an evolutionary successor of GoldDiggerPlus, masquerades as various applications from Thailand’s government, financial sector, and utility companies to pilfer login credentials.


Deepfakes and Financial Fraud

GoldDigger stands out for its exploitation of Android’s accessibility services, allowing it to log keystrokes and extract on-screen content. It targets over 50 applications from Vietnamese financial companies, saving displayed or written text on the UI, including passwords. The base version of GoldDigger, discovered in
June 2023, has paved the way for upgraded variants like GoldDiggerPlus, which embeds another trojan component called GoldKefu.

GoldKefu’s Deceptive Tactics

GoldKefu’s Deceptive Tactics Integrated with the Agora Software Development Kit (SDK), GoldKefu enables interactive video and voice calls which enhance its functionality. It tricks victims into contacting a fabricated bank customer service by sending fake alerts, creating a false sense of urgency about a fictitious fund transfer. The Android trojan uses fake overlays to collect login information when the most recently opened application belongs to the target list.

An Ongoing Mobile Malware Challenge

This development highlights the persistent threat in the mobile malware landscape. Cybercriminals, such as GoldFactory, continue to find ways to circumvent defensive measures erected by banks to counter such
cybersecurity threats from Deepfakes. The dynamic nature of social engineering schemes adds to the challenge, showcasing the need for constant vigilance.

Mitigating Deepfakes Malware Attacks

Banking security and Deepfakes
intersect in the evolving landscape of cybersecurity, posing new challenges for financial institutions and users alike. To mitigate the risks posed by GoldFactory’s Deepfakes malware attacks and its suite of mobile banking malware, users are strongly advised to avoid clicking on suspicious links. 

In addition, they should also refrain from installing apps from untrusted sites, common vectors for malware. Furthermore, regularly reviewing app permissions, especially those requesting Android’s accessibility services, is crucial in maintaining security.

A Resourceful and Adaptable Adversary

As cybercriminals become increasingly adept at concealing their activities, the challenge of
detecting Deepfakes in malware grows more complex. GoldFactory emerges as a resourceful and adaptable adversary, demonstrating expertise in various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, and the collection of identity and facial recognition data. 

The group’s well-defined processes and operational maturity, coupled with constant enhancements to its toolset, showcase a high proficiency in malware development. Preventing malware with Deepfakes requires a multifaceted approach that combines advanced detection techniques with proactive security measures.


The emergence of sophisticated cyber threats, such as
banking trojans and Deepfakes malware attacks, underscores the urgent need for enhanced cybersecurity measures. As cybercriminals continue to innovate and adapt, it is imperative for individuals and organizations to stay ahead of the curve. 

By understanding the tactics employed by threat actors like GoldFactory and implementing robust security measures, we can collectively mitigate the cybersecurity risks from Deepfakes and safeguard our digital assets.

The sources for this piece include articles in The Hacker News and Secure World


Deepfakes Malware Attacks: GoldFactory's Advanced Tactics
Article Name
Deepfakes Malware Attacks: GoldFactory's Advanced Tactics
Discover the latest on deepfakes malware attacks by GoldFactory. Learn how this Chinese-speaking cybercrime group deploys advanced tactics.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter