
A decade-long operation hiding in plain sight
For years, researchers have uncovered small fragments of Indonesia’s sprawling gambling cyber-crime ecosystem. But none of these investigations captured the full scale. Malanta’s research now brings the first cohesive picture of an operation active since at least 2011 - an ecosystem with the size, automation, discipline, and persistence typically associated with an Advanced Persistent Threat (APT).
What began as simple gambling websites has evolved into a global, well-funded, sophisticated, state-sponsored-level attack infrastructure operating across web, cloud, and mobile:
- 328,000+ domains and sub-domains
- 236,000+ gambling domains
- 1,400+ hijacked sub-domains, including Western government assets
- 51,000+ credentials, sold in underground markets linked to the infrastructure
- Thousands of malicious Android applications
- Stealth TLS-terminating reverse proxies planted inside legitimate enterprise and public-sector infrastructure
- 38 GitHub accounts used to host web-shells, templates, and staging artifacts
- 500+ domain lookalikes, masquerading as popular organizations such as Slack, Amazon, Facebook, Instagram, Shopify and many others.
What if this ecosystem isn’t simply cybercrime? After all, it blends illegal gambling across hundreds of thousands of domains, mobile malware distribution, persistent domain takeover, sub-domain session hijacking, and tunneling C2 traffic through the legitimate reputation of enterprise and governmental domains, alongside the underground trafficking of compromised credentials. The scope, scale, and financial backing behind this infrastructure align far more closely with the capabilities typically associated with state-sponsored threat actors.
Key Findings
- A 14-year cyber infrastructure supported by sustained financial backing, large-scale automation, and a level of operational maturity characteristic of state-sponsored-level APAC-based threat actors.
- Large-scale domain and sub-domain hijacking, including multiple U.S. and Western government FQDNs used for session-cookie theft and covert C2 traffic.
- Extensive mobile malware ecosystem delivering thousands of malicious APKs via cloud S3 buckets.
- Mass domain infrastructure used for SEO abuse, redirection, and infrastructure laundering.
- Active social media advertisement campaigns to drive victims to gambling and malware distribution sites.
- Evidence of AI-assisted content generation across templates, phishing kits, and mass domain deployment.
Check Your Exposure
We have published the full list of attacker-owned domains on our GitHub so defenders can take immediate action. Here you can find our GitHub repository.
However, hijacked sub-domains pose an active risk to thousands of businesses and individuals, and therefore cannot be released publicly.
If you want to verify whether any of your domains or sub-domains appear in this APT’s infrastructure, please contact us at the email below. We will assist you privately and securely.
What If this Infrastructure Chose to Target You
While there were some stories in the media about different parts of the operation, none of these stories showed the full picture. A core differentiator of Malanta’s platform is the identification of Indicators of Pre-Attack (IoPAs): signals that appear before full-blown attacks or breaches begin. With these capabilities we were able to connect the dots and show a fuller picture of this APT’s infrastructure.
What IoPAs detect
- Newly registered or brand-mimicking domains that haven’t yet been used maliciously
- Cloud resources (S3 buckets, Azure blobs, GitHub pages) being staged for command-and-control (C2) or malware delivery
- Domain/sub-domain hijack risk vectors: dangling DNS, unclaimed CNAMEs, expired certificates
- AI-generated phishing kits or malicious templates still in staging
How organizations benefit
- Proactive advantage: Detect the adversary before they deploy malware, benefiting from early visibility.
- Reduced attack surface: Nullify threat actor infrastructure while it’s still staging, at lower remediation cost.
- Strategic intelligence: Understand actor TTPs (tactics, techniques, procedures) and infrastructure patterns, not just payloads.
- Better resource allocation: Prioritise defence based on emerging infrastructure threats rather than chasing alerts after the fact.
- Improved ROI on security spend: Move from reactive triage to proactive disruption of adversary’s build-out phase.
In this current case of the Indonesian-speaking APT, Malanta’s IoPA-driven discovery enabled us to uncover the infrastructure years ahead of full attack waves, giving our clients a strategic edge.
Why this matters
This campaign highlights how cyber-criminal groups are now operating with breadth, automation, and persistence once associated primarily with nation-state actors. By embedding infrastructure across cloud platforms, hijacked government sub-domains, and trusted WordPress/PHP environments, the adversary achieves:
- High stealth, blending malicious traffic into legitimate domains
- Mass scalability, allowing infrastructure to regenerate rapidly
- Global reach, including targets across the U.S., EU, and Asia
For defenders, this is a preview of where cyber-crime is heading: automated, distributed, resilient, and deeply integrated into trusted internet fabric.
How Malanta Helps
Malanta’s platform leverages IoPAs as a foundational building block - surfacing early-stage infrastructure and actor build-out rather than just reacting to payloads.
Our platform enables security teams to:
- Spot newly minted infra aligning with known actor patterns
- Map domain-to-certificate-to-IP graphs for rapid threat triage
- Embed pre-attack risk indicators into existing threat-intel and SOC workflows
- Shift from chasing alerts to preventing breaches before they occur
In short: Malanta helps you stop the attack before it starts.
Protecting Your Organization: Immediate Steps
For domain owners / website teams:
- Audit DNS for dangling CNAMEs/A records (Azure, GitHub Pages, Amazon S3/CloudFront)
- Enforce short TTLs and ensure clean decommissioning of cloud origins
- Use host-only cookies (omit the Domain attribute) for sensitive apps; set HttpOnly, Secure, and appropriate SameSite flags
- Implement CSP (Content-Security-Policy) and SRI (Sub-resource Integrity) where feasible
- Monitor for new sub-domains resolving to cloud-vendor spaces you don’t own
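The dangling-CNAME audit and the "cloud space you don’t own" check above, as an added example that is not part of the original post or of Malanta’s tooling. The zone export, the asset inventory and the resolver table are constructed so the script runs offline; in production the resolver stub would be replaced by a real DNS lookup.

```python
"""Audit a DNS zone export for CNAMEs pointing at cloud-vendor space that is
dangling (target no longer resolves) or not in the organisation's inventory.
All data below is constructed; the resolver is a lookup table so it runs offline."""
from typing import Callable, Optional

# Vendor suffixes named in the post (Azure, GitHub Pages, Amazon S3/CloudFront).
CLOUD_SUFFIXES = (".azurewebsites.net", ".github.io", ".s3.amazonaws.com", ".cloudfront.net")

# Constructed zone export: (name, record type, target).
ZONE = [
    ("www.example.org", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("docs.example.org", "CNAME", "example-org.github.io"),
    ("old-portal.example.org", "CNAME", "oldportal-prod.azurewebsites.net"),
    ("assets.example.org", "CNAME", "assets-bucket.s3.amazonaws.com"),
    ("mail.example.org", "A", "203.0.113.10"),
]

# Constructed resolver: targets still allocated at the vendor answer with an address;
# the decommissioned Azure app and the deleted S3 bucket return nothing (NXDOMAIN).
FAKE_DNS = {
    "d111111abcdef8.cloudfront.net": "198.51.100.7",
    "example-org.github.io": "198.51.100.8",
}

# Hypothetical asset inventory: cloud targets the organisation actually owns.
OWNED_TARGETS = {"d111111abcdef8.cloudfront.net", "oldportal-prod.azurewebsites.net", "assets-bucket.s3.amazonaws.com"}


def fake_resolve(target: str) -> Optional[str]:
    """Stand-in for a real A/AAAA lookup (swap in dns.resolver or socket in production)."""
    return FAKE_DNS.get(target.lower().rstrip("."))


def audit_zone(zone, resolve: Callable[[str], Optional[str]], owned: set):
    """Return (name, target, verdict) for every CNAME into cloud-vendor space."""
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or not target.lower().endswith(CLOUD_SUFFIXES):
            continue
        if resolve(target) is None:
            verdict = "DANGLING"  # vendor released the name: anyone can claim it
        elif target not in owned:
            verdict = "UNOWNED"   # live cloud target missing from inventory
        else:
            verdict = "OK"
        findings.append((name, target, verdict))
    return findings
```

A DANGLING verdict on a name you still own (the S3 case above) is the decommissioning gap the second bullet warns about; an UNOWNED verdict is a live cloud target nobody in the inventory claims.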
For SOC / defenders:
- Flag outbound traffic where SNI/Host matches a government or enterprise FQDN but destination IP/ASN is a cloud commodity space not normally seen
- Hunt for unexpected POSTs or renders of Lazada/eBay/Envato look-alike sites from corporate hosts
- Block/alert on connections to unusual domains such as jp-api.namesvr[.]dev
- Detect browser visits to your brand’s hijacked sub-domains immediately preceding user privilege escalations or access to sensitive assets
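The SNI-versus-destination hunt and the unusual-domain alert from the SOC list above, as an added example that is not part of the original post or of Malanta’s platform. The protected zones, their expected prefixes and the proxy log lines are constructed; the blocklisted domain is the one quoted in the post.

```python
"""Flag TLS flows whose SNI is a protected FQDN but whose destination sits outside
the address space that name should resolve to, plus hits on a known-bad domain.
Log lines, prefixes and inventory are constructed for this example."""
import ipaddress
import re

# Hypothetical inventory: protected zones and the prefixes they legitimately live in.
EXPECTED_PREFIXES = {
    "agency.example.gov": [ipaddress.ip_network("203.0.113.0/24")],
    "corp.example.com": [ipaddress.ip_network("198.51.100.0/25")],
}

# Indicator quoted in the post, with the defanging brackets removed for matching.
BLOCKLIST = {"jp-api.namesvr.dev"}

# Constructed proxy log lines (key=value), not real traffic.
SAMPLE_LOG = """\
ts=2025-01-10T08:00:01Z src=10.0.0.5 dst=203.0.113.20 sni=portal.agency.example.gov
ts=2025-01-10T08:00:07Z src=10.0.0.5 dst=192.0.2.45 sni=files.agency.example.gov
ts=2025-01-10T08:01:12Z src=10.0.0.9 dst=198.51.100.40 sni=intranet.corp.example.com
ts=2025-01-10T08:02:30Z src=10.0.0.9 dst=192.0.2.77 sni=jp-api.namesvr.dev
ts=2025-01-10T08:03:00Z src=10.0.0.11 dst=192.0.2.99 sni=www.unrelated.example
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) sni=(\S+)")


def protected_zone(sni: str):
    """Return the inventory zone an SNI belongs to, or None if it is not ours."""
    for zone in EXPECTED_PREFIXES:
        if sni == zone or sni.endswith("." + zone):
            return zone
    return None


def analyse(log: str):
    """Return (ts, src, sni, reason) for each suspicious flow in the log."""
    alerts = []
    for m in LINE_RE.finditer(log):
        ts, src, dst, sni = m.groups()
        sni = sni.lower().rstrip(".")
        if sni in BLOCKLIST:
            alerts.append((ts, src, sni, "known-bad domain"))
            continue
        zone = protected_zone(sni)
        if zone is None:
            continue  # not a name we own; nothing to compare against
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in EXPECTED_PREFIXES[zone]):
            alerts.append((ts, src, sni, f"dst {dst} outside expected prefixes for {zone}"))
    return alerts
```

A hit on the second rule is exactly the reverse-proxy pattern the report describes: the client thinks it is talking to files.agency.example.gov, but the TLS session terminates at an address the agency does not control.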
Stay Ahead of Pre-Attack Infrastructure
This operation shows how today’s adversaries build silently, at scale, and in plain sight. Malanta reveals these structures early - before they become ransomware, data theft, or intrusion campaigns.
If your organisation wants proactive visibility into adversary infrastructure rather than reactive remediation, Malanta can help.
You can read the full report here.