Phishing Campaign Analysis: “Laptop Percuma / Bantuan E-Wallet” Scam
Date: 14 March 2026
Target URL: http://bantuan-malay[.]biz[.]id/66/
Threat Type: Phishing / Social Engineering / Credential Harvesting
Target Theme: Malaysian Government Assistance (E-Wallet / Laptop Program)
Executive Summary
A phishing campaign targeting Malaysian users was identified. The campaign spreads via a social engineering message claiming that registration for a free laptop program for students (“Laptop Percuma”) has opened.
However, victims who click the link are redirected to a fake Bantuan E-Wallet eligibility verification page that attempts to harvest personal information including the victim’s name and phone number.
Infrastructure analysis revealed that the phishing domain is recently registered and is protected by Cloudflare reverse proxy services, while victim data is transmitted to an external backend server hosted on xwasq[.]com.
Additional threat intelligence indicates the phishing template is reused across multiple domains impersonating Malaysian government assistance programs, suggesting a broader phishing campaign.
Discovery
The phishing activity was discovered through a suspicious message distributed on the messaging platform Telegram. The message contained a phishing link and promoted a program described as: "Pendaftaran program Laptop percuma untuk pelajar dibuka hari ini."

Figure 1: Telegram message containing Phishing Link
The wording indicates that the campaign specifically targets students, particularly those who may not be able to afford a laptop. By leveraging the promise of free devices, the threat actor attempts to exploit financial vulnerability and increase the likelihood that recipients will click the provided link.
After accessing the link, victims are redirected to a phishing website presenting itself as a government assistance eligibility verification portal.
Infrastructure and Threat Intelligence
Domain Infrastructure
Domain: bantuan-malay[.]biz[.]id
Registrar: PT Dewabisnis Digital Indonesia
Creation Date: 2026-03-01
Expiry Date: 2027-03-01
Domain Age: ~11 days
Recently registered domains are a common indicator of phishing infrastructure.
DNS and Hosting
A records: 104.21.78.24, 172.67.215.26
AAAA records: 2606:4700:3032::6815:4e18, 2606:4700:3037::ac43:d71a
Name Servers: titan.ns.cloudflare.com, heidi.ns.cloudflare.com
Start of Authority: heidi.ns.cloudflare.com
These IP addresses belong to Cloudflare Inc. (AS13335). Cloudflare is acting as a reverse proxy, hiding the real hosting server.
Backend Infrastructure
The phishing page sends collected data to: https://xwasq[.]com/terkini6/send_otp
Backend Domain Details
Domain: xwasq[.]com
Registrar: Web Commerce Communications Ltd (WebNIC)
IP Address: 103.163.138.21
Location: Indonesia
Registrant Name: Budak Lhepak
Registrant Location: Malang, Indonesia
Registrant Email: lhepakbudak@gmail[.]com
Phishing Infrastructure
To identify related phishing infrastructure, a search was performed using URLScan based on the page hash, which revealed multiple domains hosting similar phishing templates.

Figure 2: URLScan search results revealing multiple related phishing domains impersonating Malaysian assistance programs
This suggests the threat actor may be operating a phishing kit deployed across multiple domains targeting Malaysian users.
Technical Analysis
Phishing Page

Figure 3: Main Landing Page

Figure 4: Name & phone number input of Landing Page

Figure 5: Verification of Landing Page
The page visually mimics government assistance portals to increase credibility.
Attack Flow Diagram
Code Analysis
Inspection of the phishing page source code reveals the mechanism used to collect victim information and transmit it to the attacker-controlled backend infrastructure.
The form collects the following information from the victim:
fullName: Victim’s full name (claimed to match MyKad identity)
phone: Victim’s Telegram phone number
The JavaScript code then sends the captured data to a remote server using an AJAX POST request.
Code observed in the page source:
The destination endpoint is defined in the JavaScript configuration:
This indicates that victim data is transmitted to the following backend API:
After successful submission, the victim is redirected to another page:
This behavior suggests the phishing kit attempts to simulate a verification process, likely intended to capture OTP codes or further authentication information from victims.
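As an added illustration (not code from the phishing page or from this report), a small scanner that checks a captured page source for the content indicators listed above: the page title and UI strings, the send_otp endpoint, the code.php redirect, an external POST destination on the xwasq[.]com backend, and the fullName/phone form fields. The sample HTML and the score weights are constructed for the example.

```python
import re

# Content indicators taken from this report (exact strings observed on the page)
CONTENT_IOCS = {
    "page_title": "BANTUAN E-WALLET - SEMAKAN STATUS",
    "ui_text": "SILA ISI MAKLUMAT DENGAN BETUL",
    "api_endpoint": "send_otp",
    "redirect_page": "code.php",
}
# Backend domain from the report, refanged so it matches a live page source
BACKEND_DOMAIN = "xwasq.com"

# Constructed sample page source for testing; this is not the real phishing page
SAMPLE_HTML = """<html><head><title>BANTUAN E-WALLET - SEMAKAN STATUS</title></head>
<body><h2>SILA ISI MAKLUMAT DENGAN BETUL</h2>
<form id="f"><input name="fullName"><input name="phone"></form>
<script>
var API = "https://xwasq.com/terkini6/send_otp";
function done() { window.location = "code.php"; }
</script></body></html>"""


def scan_page(html):
    """Return a dict of matched indicator name -> evidence found in the source."""
    hits = {}
    for name, needle in CONTENT_IOCS.items():
        if needle in html:
            hits[name] = needle
    # Any absolute URL whose host is the known data-collection backend
    for m in re.finditer(r'https?://([A-Za-z0-9.-]+)[^"\'\s]*', html):
        host = m.group(1).lower()
        if host == BACKEND_DOMAIN or host.endswith("." + BACKEND_DOMAIN):
            hits["backend_domain"] = m.group(0)
    # Harvested form fields named in the report
    fields = sorted(set(re.findall(r'name="(fullName|phone)"', html)))
    if fields:
        hits["form_fields"] = fields
    return hits


def risk_score(hits):
    """Weighted score (constructed weights): backend host and send_otp weigh most."""
    weights = {"backend_domain": 40, "api_endpoint": 20, "redirect_page": 10,
               "page_title": 10, "ui_text": 10, "form_fields": 10}
    return sum(weights.get(k, 0) for k in hits)


if __name__ == "__main__":
    found = scan_page(SAMPLE_HTML)
    print(found, "score:", risk_score(found))
```

Run over a page source saved from a sandbox or URLScan, a score near 100 means the capture matches this kit's template closely; a lone backend_domain hit still deserves attention because the same backend is shared by the other domains in Figure 2.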
MITRE ATT&CK Mapping
Phishing (T1566): Social engineering lure
Masquerading (T1036): Impersonation of government aid
Credential Harvesting (T1056): Collection of personal information
Proxy Infrastructure (T1090): Use of Cloudflare as reverse proxy
Exfiltration Over Web (T1041): Data sent to attacker server
Indicators of Compromise (IOCs)
Network IOCs
URL: http://bantuan-malay[.]biz[.]id/66/ (main phishing landing page)
Domain: bantuan-malay[.]biz[.]id (phishing domain)
Domain: xwasq[.]com (backend data collection server)
IP Address: 104.21.78.24 (Cloudflare proxy IP)
IP Address: 172.67.215.26 (Cloudflare proxy IP)
IP Address: 103.163.138.21 (backend phishing infrastructure)
Content IOCs
Page title: BANTUAN E-WALLET - SEMAKAN STATUS
Metadata: SEMAKAN STATUS KELAYAKAN BANTUAN E-WALLET
UI text: SILA ISI MAKLUMAT DENGAN BETUL
API endpoint: send_otp
Redirect page: code.php
Behavioral IOCs
POST to /send_otp: victim phone number harvesting
Redirect to code.php: OTP harvesting attempt
Cloudflare proxy usage: infrastructure concealment
Mismatch between lure message and page theme: phishing kit reuse
Recommendations
Users and organizations should take the following actions when encountering phishing campaigns similar to this investigation.
Report the Phishing Domain
If you encounter the phishing URL identified in this report, consider reporting it to the relevant service providers to help prevent further victimization.
Possible reporting channels include:

Figure 6: Phishing domain successfully reported to Google Safe Browsing
User Safety Recommendations
Users should:
Avoid clicking unsolicited links promising financial assistance
Verify government aid programs through official websites
Avoid submitting personal information on unknown websites
Organizations should:
Block the phishing domain at DNS or firewall level
Monitor network traffic for connections to identified IOCs
Educate users about social engineering tactics
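To show what "monitor network traffic for connections to identified IOCs" looks like in practice, the following added example (not part of the original report) matches the network IOCs above against web proxy log lines. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed; the domains, IPs and paths are the ones listed in this report.

```python
import re

# Network IOCs from this report, kept defanged as written and refanged for matching
IOC_DOMAINS = {"bantuan-malay[.]biz[.]id", "xwasq[.]com"}
IOC_IPS = {"104.21.78.24", "172.67.215.26", "103.163.138.21"}
IOC_PATHS = ("/send_otp", "/code.php")


def refang(indicator):
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Constructed sample proxy log (ts client method url status); not real traffic
SAMPLE_LOG = """1773446400.100 10.0.0.5 GET http://bantuan-malay.biz.id/66/ 200
1773446401.200 10.0.0.5 GET https://www.google.com/ 200
1773446402.300 10.0.0.5 POST https://xwasq.com/terkini6/send_otp 200
1773446403.400 10.0.0.7 GET https://xwasq.com/terkini6/code.php 200
1773446404.500 10.0.0.9 CONNECT 103.163.138.21:443 200"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def classify(url):
    """Return the IOC tags matched by one URL or host:port field."""
    tags = []
    rest = re.sub(r"^[a-z]+://", "", url)
    host = rest.split("/")[0].split(":")[0].lower()
    path = rest[rest.find("/"):] if "/" in rest else "/"
    if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
        tags.append("ioc_domain:" + host)
    if host in IOC_IPS:
        tags.append("ioc_ip:" + host)
    for p in IOC_PATHS:
        if path.endswith(p):
            tags.append("ioc_path:" + p)
    return tags


def scan_log(text):
    """Return (client, method, url, tags) for every line that hits an IOC."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        _ts, client, method, url, _status = m.groups()
        tags = classify(url)
        if tags:
            alerts.append((client, method, url, tags))
    return alerts


def likely_victims(alerts):
    """Clients that reached the data-collection endpoint, i.e. probably submitted data."""
    return sorted({a[0] for a in alerts if "ioc_path:/send_otp" in a[3]})
```

Clients that only fetched the landing page saw the lure; those that also POSTed to /send_otp should be treated as having disclosed their name and phone number and contacted for follow-up.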
Conclusion
This investigation uncovered an active phishing campaign targeting Malaysian users by impersonating government assistance programs.
Key findings include:
Use of recently registered phishing domains
Infrastructure hidden behind Cloudflare
External data exfiltration server
Reuse of phishing templates across multiple campaigns
The mismatch between “Laptop Percuma” messaging and an “E-Wallet assistance” landing page strongly suggests the attacker is reusing a phishing kit across different scam campaigns.
Users should avoid interacting with unsolicited aid program links and verify any government assistance announcements through official sources.