GXC Team-GoogleXcoder alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
The GXC Team crime-as-a-service model turned phishing kits, Android malware, and support services into a rentable fraud supply chain, expanding the scale of credential theft across banks and public institutions. Emerging in 2023, the operation let customers buy complete tooling through Telegram and use it against victims in multiple countries. Its reach into banks, ecommerce, and transportation organizations made it a durable enabler for banking fraud and mobile compromise. The disruption matters because removing the service reduces access to turnkey phishing and scam infrastructure for downstream criminals.
Related Happenings
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
GoldFactory Coretax impersonation fraud campaign
Campaign
First: 19.02.2026 17:30
Last: 19.02.2026 17:30
Sources 1
About this happening:
The **GoldFactory**-linked fraud campaign now threatens **Indonesian taxpayers** at scale, with estimated losses of **$1.5m to $2m**. It ran from **July 2025** and intensified in...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor Meta
First: 02.02.2026 18:15
Last: 02.02.2026 18:15
Sources 1
About this happening:
**Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Hecker-Sakuya-LiveGamer101 alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 28.01.2026 15:15
Last: 28.01.2026 15:15
Sources 1
About this happening:
**SilverInc** is operating a commercial **access-resale ecosystem** for exposed or weakly authenticated **LLM endpoints**, turning unauthorized access into a monetized supply chai...
Timeline
- 13.10.2025 12:35 2 articles · 7mo ago
GXC Team-GoogleXcoder alliance reshapes ransomware ecosystem operations
Initial Disclosure
By **2023**, GXC Team had already turned phishing and mobile malware into a rentable service for other criminals. The early model centered on cloned credential-harvest pages, an Android trojan, and hands-on support that scaled fraud across many victims.
Sources:
- Spanish Authorities Dismantle ‘GXC Team’ Crime-as-a-Service Operation — www.securityweek.com — 13.10.2025 12:35