Cybersecurity researchers have highlighted two service providers that provide online criminal networks with the tools and infrastructure needed to facilitate the Pig Butchering as a Service (PBaaS) economy.
Since at least 2016, Chinese-speaking criminal groups have set up industrial-scale fraud centers across Southeast Asia and created special economic zones specializing in fraudulent investment and identity theft activities.
These facilities are home to thousands of people who are lured by promises of well-paying jobs, but are stripped of their passports and forced to commit fraud under threat of violence. Interpol characterizes these networks as frauds that fuel human trafficking on an industrial scale.
One of the key facilitators of pig slaughter (aka romance baiting) scams are service providers who provide networks with all the tools to perform and manage social engineering operations. It also quickly launders stolen funds and cryptocurrencies and moves ill-gotten proceeds to accounts that are inaccessible to law enforcement.
“Large fraud groups like the Golden Triangle Economic Zone (GTSEZ) are currently using off-the-shelf applications and templates from PBaaS providers,” Infoblox said in a report released last week.
“To make matters worse, barriers to entry have been dramatically lowered, as what once required technical expertise and costs for physical infrastructure can now be purchased as off-the-shelf services offering everything from stolen identities and front companies to turnkey fraud platforms and mobile apps.”
These services are found to offer complete packages and fraud kits that lay the foundation for launching scalable online fraud operations without any hassle. One such threat actor is Penguin Account Store, which also goes by the names Heavenly Alliance and Outsiders Alliance.
Penguin operates on a crimeware-as-a-service (CaaS) model and advertises the “shè gōng kù” dataset, which consists of fraud kits, fraud templates, and stolen personal information of Chinese citizens. The group also sells account data from a variety of popular so-called media platforms, including Twitter, Tinder, YouTube, Snapchat, Facebook, Instagram, Apple Music, OpenAI ChatGPT, Spotify, and Netflix.
It is believed that these credentials were likely obtained through information theft logs sold on the dark web. However, it is currently unclear whether they are operating stealers themselves or simply intermediating stolen data for other threat actors. Prices for pre-registered social media accounts start from just $0.10 and increase depending on registration date and reliability.
Penguin also offers packages of bulk pre-registered SIM cards, stolen social media accounts, 4G or 5G routers, IMSI catchers, and stolen photos (aka character sets) used to entrap victims. In addition to these, the attackers have developed a social customer relationship management (SCRM) platform called SCRM AI that allows fraudsters to facilitate automated victim engagement on social media.
“The threat actor also promotes BCD Pay, a payment processing platform that is directly linked to Bochuang Security, an anonymous peer-to-peer (P2P) solution similar to HuiOne, and deeply rooted in the illegal online gambling space.”
The second service category that is central to the PBaaS economy is customer relationship management (CRM) platforms, which centrally manage multiple individual agents. UWORK, which sells content and agent management tools, offers ready-made templates for creating investment fraud websites. Many scam services claim to integrate with legitimate trading platforms such as MetaTrader in order to increase the site’s credibility by displaying real-time financial information.
These websites are also equipped with know-your-customer (KYC) panels that require victims to upload proof of identity. Website settings are configured by administrators through a dedicated panel, giving them an overview of the entire operation, along with the ability to profile agents who are likely to interact with victims.
Panel to add new victim accounts and assign agents directly
“The admin panel provides everything you need to perform a pig butchering operation, including multiple email templates, user management, agent management, profitability metrics, and even chat and email logging,” Infoblox said. “Managing agents is very complex, and agents can become affiliates of each other.”
PBaaS suppliers were also found to be offering mobile applications for Android and iOS by distributing them in the form of APK files and enrolling a limited number of Apple devices in testing programs in order to circumvent app store controls.
Some threat actors go a step further and choose to release such apps directly to app marketplaces, hiding their functionality under the guise of seemingly innocuous news apps. The trading panel will only be displayed if the user enters a specific password in the search bar.
A website template costs just $50, including hosting. Complete packs that include a website with administrator access, VPS hosting, a mobile app, access to a trading platform, incorporation of a front company in a tax haven to hide its activities, and registration with the relevant local financial regulator can start from around $2,500.
“Sophisticated Asian criminal organizations have created a global shadow economy from their safe havens in Southeast Asia,” said researchers Mael Le Touz and John Wojcik. “PBaaS provides a mechanism to scale operations with relatively little effort and cost.”
Parked domains as a conduit for fraud and malware
The disclosure comes on the back of a new study by a DNS threat intelligence firm that found that a large portion of parked domains – mostly expired or dormant domain names, or common misspellings of popular websites (aka typosquatting) – are being used to redirect visitors to sites offering scams or malware.
Infoblox revealed that visitors to TypoSquat, a legitimate domain belonging to a financial institution, from a virtual private network (VPN) will see a normal parking page, but those visiting from a residential IP address will be redirected to a fraudulent or malware site. Parked pages send visitors through redirect chains while profiling your system using IP geolocation, device fingerprints, and cookies to determine where to redirect.
“In extensive experiments, we found that more than 90% of the time, visitors to parked domains are directed to illegal content, fraud, scareware or antivirus software subscriptions, or malware. This is because ‘clicks’ are sold by parking companies to advertisers, who often resell that traffic to other parties,” the company said. “None of this displayed content was related to the domain name we visited.”
Malicious Evilginx AitM infrastructure facilitates credential collection
In recent months, it has also been revealed that threat actors have been leveraging an adversarial man-in-the-middle (AitM) phishing toolkit named Evilginx in attacks targeting at least 18 universities and educational institutions across the United States since April 12, 2025, with the goal of stealing login credentials and session cookies. As many as 67 domains have been identified as being associated with this activity.
“The low detection rate across the cybersecurity community highlights how effective Evilginx’s evasion techniques have become,” Infoblox said. “More recent versions, such as Evilginx Pro, have added features that make detection even more difficult.”
“These include the default use of wildcard TLS certificates, bot filtering with advanced fingerprinting like JA4, decoy web pages, improved integration with DNS providers (Cloudflare, DigitalOcean, etc.), multi-domain support for fishlets, and JavaScript obfuscation. As Evilginx continues to mature, identifying phishing URLs will only become more difficult.”
Illegal gambling networks show signs of APT operations
Last month, researchers from security firm Maranta detailed a vast infrastructure spanning more than 328,000 domains and subdomains, including more than 236,000 gambling-related domains. This infrastructure has been active since at least 2011 and is likely a dual operation by state-sponsored groups targeting victims in the United States, Europe, and Southeast Asia.
Researchers Enon Azar, Noam Yitzhak, Tsur Leibovitz and Assaf Morag say the network is used primarily to target Indonesian-speaking visitors and is assessed to be part of a larger operation that includes thousands of gambling domains, malicious Android applications, hijacking of domains and subdomains hosted on cloud services, and stealth infrastructure embedded within corporate and government websites around the world.
“This campaign, which combines illegal gambling, SEO manipulation, malware distribution, and highly persistent takeover techniques, represents one of the largest and most complex Indonesian-speaking Indonesian-speaking, well-funded, state-backed ecosystems ever observed,” Maranta said.
This activity includes the systematic exploitation of WordPress, PHP components, unresolved DNS, and expired cloud assets to hijack and weaponize trusted domains. This infrastructure powers a large Android malware ecosystem hosted on Amazon Web Services (AWS) S3 buckets and has also been found to distribute APK droppers with command and control (C2) and data theft capabilities.
The attackers behind this scheme leverage social media and instant messaging platforms to promote gambling sites and entice users to install Android apps. As many as 7,700 domains were flagged as containing links to at least 20 AWS S3 buckets that stage APK files (such as “jayaplay168.apk” and “1poker-32bit.apk”).
Several aspects of this 14-year-old operation have been previously highlighted by Imperva and Sucuri, with the latter tracking it as an online casino spam campaign called Slot Gacor, which was found to hijack existing pages on compromised WordPress websites by replacing them with casino spam pages.
The long lifespan, scale, and sophistication of the infrastructure raises the possibility that it is maintained by advanced persistent threats (APTs) that are deeply embedded in Indonesia’s cybercrime ecosystem, actively exploiting the virtual assets of governments around the world.
Source link
