{
  "Event": {
    "analysis": "1",
    "date": "2026-03-14",
    "extends_uuid": "",
    "info": "[Threat Intel][PhishHuntMY] Phishing Campaign Analysis: \u201cLaptop Percuma / Bantuan E-Wallet\u201d Scam",
    "protected": false,
    "publish_timestamp": "1774219626",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1774219626",
    "uuid": "2e75d0d3-61e8-431e-8aaa-b047eaa87b52",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"b0c71d51-34fd-47b5-9eb4-dd406ffc607f\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773742193",
        "to_ids": false,
        "type": "link",
        "uuid": "6793d852-eefa-4fae-ac48-6653dcf3549f",
        "value": "https://myos-esc.gitbook.io/myos-esc./blogs/phishing-campaign-analysis-laptop-percuma-bantuan-e-wallet-scam"
      },
      {
        "category": "Network activity",
        "comment": "Main phishing landing page",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751881",
        "to_ids": true,
        "type": "url",
        "uuid": "e163169f-a1e1-40e9-81fa-93ad3d7be9b0",
        "value": "http://bantuan-malay.biz.id/66/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Phishing domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751903",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7d7ffe4b-0dde-49a8-958b-5c9bc5374056",
        "value": "bantuan-malay.biz.id",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Backend data collection server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751924",
        "to_ids": true,
        "type": "domain",
        "uuid": "2fc6d86f-bb5c-457c-9027-0117b1c6834c",
        "value": "xwasq.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Cloudflare proxy IP (shared CDN edge, not actor-owned infrastructure; high false-positive risk - pivot on the fronted hostnames rather than blocking this IP on its own)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751945",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "dcfdce48-c9c8-4d60-a534-2154cdfdf87a",
        "value": "104.21.78.24",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Cloudflare proxy IP (shared CDN edge, not actor-owned infrastructure; high false-positive risk - pivot on the fronted hostnames rather than blocking this IP on its own)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751967",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "79e574f7-19c8-4482-86ce-af97ecea0606",
        "value": "172.67.215.26",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Backend phishing infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773751988",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a322761f-cf69-42f7-b1b8-2dd132510476",
        "value": "103.163.138.21",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Attack Flow Diagram",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773742308",
        "to_ids": false,
        "type": "text",
        "uuid": "a231cc32-4297-4eec-8b42-e6b8f2e544ad",
        "value": "\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502        Threat Actor      \u2502\r\n\u2502 Creates phishing domain  \u2502\r\n\u2502 & phishing kit           \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n              \u2502\r\n              \u2502 Distributes phishing message\r\n              \u2502 \"Laptop Percuma untuk pelajar\"\r\n              \u25bc\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502           Victim         \u2502\r\n\u2502 Receives phishing link   \u2502\r\n\u2502 via social media / chat  \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n              \u2502\r\n              \u2502 Clicks malicious link\r\n              \u25bc\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502  Phishing Landing Page   \u2502\r\n\u2502 bantuan-malay[.]biz[.]id \u2502\r\n\u2502 Fake Bantuan E-Wallet    \u2502\r\n\u2502 verification portal      \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n              \u2502\r\n              \u2502 Victim submits information\r\n              \u2502 (Full name + phone number)\r\n              \u25bc\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502   Backend Data Server    \u2502\r\n\u2502      xwasq[.]com         \u2502\r\n\u2502   Receives victim data   \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n              \u2502\r\n              \u2502 Redirect victim\r\n              \u25bc\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502     OTP Verification     \u2502\r\n\u2502        code.php          \u2502\r\n\u2502 Attempts to capture OTP  \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n              \u2502\r\n              \u25bc\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502        Threat Actor      \u2502\r\n\u2502 Uses collected data for  \u2502\r\n\u2502 fraud / identity theft   \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"
      },
      {
        "category": "Network activity",
        "comment": "Backend OTP submission endpoint used by the second-stage OTP capture page; returned not-found when checked (see NotFoundError tag), so treat as a historical/pivot indicator",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773752009",
        "to_ids": true,
        "type": "url",
        "uuid": "5b389aa5-e13b-44a7-b016-54015220aa60",
        "value": "https://xwasq.com/terkini6/send_otp",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Domain registrant email (registration data) - attribution/pivot indicator, not an observed message sender; correlate across registrations rather than blocking outright",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773742341",
        "to_ids": true,
        "type": "email-src",
        "uuid": "37c33702-c0ed-4fa0-a632-846283356575",
        "value": "lhepakbudak@gmail.com"
      }
    ]
  }
}