Gigabud
Gigabud is an Android banking trojan and remote access trojan associated with mobile banking fraud campaigns in Southeast Asia. It was observed in attacks by the financially motivated, Chinese-speaking cybercrime group GoldFactory, which has targeted users in Indonesia, Thailand, and Vietnam since at least October 2024 by impersonating government services and distributing modified banking applications through phone calls, messaging apps, and fake Google Play landing pages. Reporting also states that the banking trojan Android.BankBot.Gigabud.1.origin was used against customers of credit organizations in Indonesia and Malaysia, and that Gigabud was first spotted in mid-2023. In GoldFactory campaigns, Gigabud was deployed alongside other Android RATs such as MMRat and Remo. The malware abuses Android accessibility services for remote control and is delivered via trojanized or modified banking apps that retain their normal functionality while injected malicious code bypasses security features and steals sensitive information. Reporting ties Gigabud closely to GoldFactory and notes that the broader campaign used runtime-hooking frameworks and added capabilities in the modified apps to evade protections, hide malicious activity, and facilitate banking fraud. High-confidence targeting includes banking customers and mobile users in Indonesia, Thailand, Vietnam, and Malaysia.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Android malware family referenced as connected (operationally) to GoldDigger; no further technical detail in the excerpt.
Android banking trojan targeting customers of financial institutions in Indonesia and Malaysia.
Android banking trojan targeting customers of financial institutions in Indonesia and Malaysia; further technical details not provided in the text.
A remote access trojan deployed via fake banking apps, used to gain remote control over infected Android devices.