Target URL: hxxps[://]bantuan-laptop[.]percumaa477[.]com/

Threat Type: Phishing / Telegram Account Takeover

Severity: HIGH

Date of Analysis: 11-03-2026

Detailed Analysis

i. Executive Summary

This report documents an active phishing campaign impersonating Malaysia's eMadani government assistance program to lure citizens with a fake free laptop offer. The site, hosted at bantuan-laptop.percumaa477[.]com, was built using Next.js with Turbopack and deployed on Cloudflare infrastructure by a threat actor located in Kalimantan Tengah, Indonesia.

Rather than stealing banking credentials directly, this kit executes a full Telegram Account Takeover (ATO) by harvesting the victim's phone number, one-time password (OTP), and two-factor authentication (2FA) password in sequence. The backend acts as a real-time Man-in-the-Middle (MITM) relay between the victim and Telegram's authentication servers. Upon completion, the victim is shown a fake success screen with a 24-hour wait message, buying time while the attacker gains full access to their Telegram account.

The domain was registered 15 days before analysis. Multiple OPSEC failures in the source code, including an exposed localhost reference, Indonesian HTML language tag, and publicly accessible JavaScript source revealing the full attack chain, confirm this is a recycled phishing kit operated by a low-to-mid sophistication Indonesian threat actor.

ii. Infrastructure & Domain Intelligence

WHOIS

Property            Value
Domain              percumaa477[.]com
Registry ID         3070857253_DOMAIN_COM-VRSN
Registrar           Cloudflare, Inc. (IANA ID: 1910)
Creation Date       2026-02-24 06:19:56 UTC
Updated Date        2026-03-03 08:23:12 UTC
Expiry Date         2027-02-24 06:19:56 UTC
Nameservers         georgia[.]ns[.]cloudflare[.]com, jeremy[.]ns[.]cloudflare[.]com
Registrant State    Kalimantan Tengah
Registrant Country  ID (Indonesia)
DNSSEC              Unsigned

DNS Records

Domain: percumaa477[.]com

Record  Name                              Value
SOA     georgia[.]ns[.]cloudflare[.]com   Cloudflare zone authority
NS      georgia[.]ns[.]cloudflare[.]com   Primary nameserver
NS      jeremy[.]ns[.]cloudflare[.]com    Secondary nameserver

All DNS is fully managed by Cloudflare (AS13335). The real origin server IP is hidden behind the Cloudflare reverse proxy, so resolving the hostname yields only Cloudflare edge addresses.

Domain Deception Analysis

Type                    Domain
Phishing                bantuan-laptop.percumaa477[.]com
Legitimate Malaysian Gov *.gov.my
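The deception indicators above (a lure hostname on a non-.gov.my domain, registered 15 days before analysis) can be turned into a triage check. The following is an added example written for this report, not code from the phishing kit or from any tool; the keyword list, the 30-day "young domain" threshold and the function names are assumptions.

```python
from datetime import datetime

# Assumptions (not from the report): the legitimate suffix the lure imitates,
# lure words seen in the hostname, and a young-domain threshold in days.
LEGIT_GOV_SUFFIX = "gov.my"
LURE_KEYWORDS = ("bantuan", "laptop", "percuma", "emadani")
YOUNG_DOMAIN_DAYS = 30


def is_under_suffix(host: str, suffix: str) -> bool:
    """True if host is exactly the suffix or a subdomain of it."""
    h = host.lower().strip(".")
    return h == suffix or h.endswith("." + suffix)


def domain_age_days(created_utc: str, analysed: str) -> int:
    """Calendar days between a WHOIS creation timestamp and the analysis date.

    created_utc uses the WHOIS form '2026-02-24 06:19:56 UTC';
    analysed uses the report's 'DD-MM-YYYY' form.
    """
    created = datetime.strptime(created_utc, "%Y-%m-%d %H:%M:%S UTC").date()
    analysed_date = datetime.strptime(analysed, "%d-%m-%Y").date()
    return (analysed_date - created).days


def triage(host: str, created_utc: str, analysed: str) -> list:
    """Return the deception indicators found for a hostname.

    A host genuinely under gov.my gets no findings: lure words on a real
    government subdomain are expected, not suspicious.
    """
    findings = []
    if is_under_suffix(host, LEGIT_GOV_SUFFIX):
        return findings
    findings.append("not under " + LEGIT_GOV_SUFFIX)
    hits = [k for k in LURE_KEYWORDS if k in host.lower()]
    if hits:
        findings.append("lure keywords: " + ", ".join(hits))
    age = domain_age_days(created_utc, analysed)
    if age < YOUNG_DOMAIN_DAYS:
        findings.append(f"domain registered {age} days before analysis")
    return findings


if __name__ == "__main__":
    # Values from the WHOIS table above (defanging removed).
    for f in triage("bantuan-laptop.percumaa477.com", "2026-02-24 06:19:56 UTC", "11-03-2026"):
        print("-", f)
```

Run against the report's own values it flags all three indicators; a host under gov.my returns an empty list regardless of keywords.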