GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware

July 29, 2024, 12:34 p.m.

Description

Group-IB discovered a Spanish-speaking criminal group, GXC Team, offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits, Android malware, and AI-powered scam tools. Their malicious Android app, disguised as a banking application, was designed to intercept OTP codes, affecting users of over 36 Spanish banks and 30 institutions worldwide. Although GXC Team was not highly sophisticated, its innovative features, such as bundling phishing kits with the Android malware and an AI-powered voice caller, made the group a severe threat to banking security in Spain.

Date

  • Created: July 29, 2024, 12:03 p.m.
  • Published: July 29, 2024, 12:03 p.m.
  • Modified: July 29, 2024, 12:34 p.m.

Indicators


Attack Patterns

  • GXC Team

Additional Information

  • Finance
  • Slovakia
  • Spain
  • United Kingdom of Great Britain and Northern Ireland
  • Brazil
  • United States of America