Full Report
Spanish Guardia Civil have dismantled the "GXC Team" cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as "GoogleXcoder." [...]
Analysis Summary
# Threat Actor: GXC Team
## Attribution & Identity
The threat actor is the "GXC Team" cybercrime syndicate. Its alleged leader is a 25-year-old Brazilian known by the alias **"GoogleXcoder."** The group operated a crime-as-a-service (CaaS) platform.
## Activity Summary
GXC Team ran an active CaaS platform that monetised phishing and scam tooling sold to affiliates: AI-powered phishing kits that replicated legitimate websites, Android malware built to intercept SMS one-time passwords (OTPs), and voice-scam tools, marketed mainly through Telegram and a Russian-speaking hacker forum. The group also provided technical support and per-campaign customisation to its clients. The Spanish Guardia Civil dismantled the operation in coordinated raids on May 20th across several Spanish cities.
## Tactics, Techniques & Procedures
- Offering AI-powered phishing kits that replicated legitimate websites.
- Developing and supplying at least nine strains of Android malware capable of intercepting SMS and one-time passwords (OTPs).
- Operating a CaaS platform for fraudulent activities.
- Utilizing social messaging platforms (Telegram) for promotion and service distribution.
- Customization and technical support services for clients' phishing campaigns.
## Targeting
- Sectors: Banks, transport entities, and e-commerce entities.
- Geography: Spain, Slovakia, the UK, the US, and Brazil.
- Victims: Spanish-speaking financial institutions were the specific focus of the phishing kits.
## Tools & Infrastructure
- Malware families used: At least nine distinct Android malware strains for OTP interception.
- Infrastructure: Phishing kits powered at least 250 phishing sites. Telegram channels (one named "Steal everything from grandmothers") were used for promotion.
## Implications
The dismantling of GXC Team removes a significant, active supplier of phishing infrastructure tailored to the Spanish-speaking market. The CaaS model, with support and customisation offered to clients, indicates a mature operation able to serve many affiliates at once.
## Mitigations
- Heightened vigilance against phishing campaigns harvesting financial credentials, especially those impersonating Spanish and international banks, transport and e-commerce brands.
- Monitoring Telegram channels and known hacker forums for new phishing kits or OTP-stealing Android malware being offered for sale.
- Detecting and blocking SMS/OTP interception on mobile banking: on Android, an app granted RECEIVE_SMS/READ_SMS or notification-listener access reads SMS one-time codes as they arrive, so treat SMS OTP as a weak second factor and prefer app-bound or phishing-resistant (FIDO2) authentication for high-risk transactions.
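A triage check in the spirit of the last mitigation above (spotting SMS/OTP interception capability), written here as an added example; it is not code from the report or from the GXC Team case. It scores a decoded AndroidManifest.xml for the permission and component mix an OTP stealer needs (RECEIVE_SMS/READ_SMS, a receiver for the SMS_RECEIVED broadcast, notification-listener access, the overlay permission, boot persistence). The permission names are real Android identifiers; the weights, thresholds, package names and the two sample manifests are constructed for illustration.

```python
"""Score decoded AndroidManifest.xml files for the permission/component mix
typical of SMS/OTP-stealing Android malware. Added example, not code from the
report or the GXC Team case; assumes manifests already decoded to plain XML
(e.g. with apktool). Weights, thresholds and samples are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Direct access to SMS-delivered OTPs.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 1,
}
# Capabilities stealers pair with SMS access: overlays for fake bank logins,
# notification access (OTPs via push/authenticator apps), accessibility, boot.
SUPPORT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 2,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}
# A receiver for this broadcast sees every incoming SMS as it arrives.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_READ_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def _collect_permissions(root):
    """<uses-permission> names plus the android:permission gating <service> and
    <receiver> components (bind permissions are declared there)."""
    names = {el.get(NAME) for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        names.update(el.get(PERMISSION) for el in root.iter(tag))
    names.discard(None)
    return names


def _has_sms_received_receiver(root):
    return any(action.get(NAME) == SMS_RECEIVED_ACTION
               for receiver in root.iter("receiver")
               for action in receiver.iter("action"))


def triage_manifest(manifest_xml):
    """Return package name, score, matched indicators and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = _collect_permissions(root)
    score, findings = 0, []
    for name in sorted(perms):
        weight = SMS_PERMISSIONS.get(name, 0) + SUPPORT_PERMISSIONS.get(name, 0)
        if weight:
            score += weight
            findings.append(name)
    sms_receiver = _has_sms_received_receiver(root)
    if sms_receiver:
        score += 3
        findings.append("receiver:" + SMS_RECEIVED_ACTION)
    # Capability, not intent: a genuine SMS client scores high too, so weigh
    # the verdict against what the app claims to be (a "bank" needs no SMS receiver).
    can_read_sms = sms_receiver or bool(perms & SMS_READ_PERMISSIONS)
    if can_read_sms and score >= 6:
        verdict = "likely OTP stealer"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample: a fake "bank" app with the classic stealer mix.
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.banco.seguro">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Banco Seguro">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""

# Constructed sample: a utility app with no SMS capability at all.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (STEALER_MANIFEST, FLASHLIGHT_MANIFEST):
        print(triage_manifest(manifest))
```

The score measures capability rather than intent: a legitimate SMS client requests the same permissions and registers the same receiver, so the verdict only becomes meaningful when set against the app's claimed purpose and distribution channel (a "banking" or "parcel tracking" APK sideloaded from a phishing page has no business receiving SMS). Notification-listener and accessibility access are checked on the `<service>` element's `android:permission`, not in `<uses-permission>`, because that is where Android requires them to be declared.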