Background
Phishing scams—like Telegram takeovers, fake APK wedding invitations, and fake Bantuan Kerajaan sites—have been around for ages. Most IT pros and cybersecurity experts tend to ignore them, thinking they’re “uninteresting” or wondering how anyone could still fall for them. But the fact that these scams are still happening means they work. Even if they don’t catch everyone, they only need to hit the right victim for the financial impact to be devastating.
A few things triggered me to organize this challenge. One was an article by Foxy about recent phishing campaigns, which reminded me of my own previous writing. Then, a “threat actor” actually had the nerve to post a phishing link right in the OWASP Malaysia WhatsApp group!😂 When KDJebat called for an advisory, it gave me an idea: why not create a challenge to push pros and students to actually analyze these campaigns?
It’s a win-win. I get to learn from their findings, and they get to build their portfolios and potentially win prizes.
So, a big shout out to Foxy and KDJebat for the inspiration! 🙌
Challenge Details
With the festive season approaching, scams impersonating local organizations, governments, and local e-wallets are on the rise. We’re looking for Phish Hunters and analysts to help map out these campaigns, warn the community, and get them taken down.
🔍 How to Participate
- Identify: Find an active phishing link or campaign (SMS, Email, Social Media) specifically targeting Malaysians.
- Analyze: Break down the infrastructure and the TTPs used by the threat actor. Who is the registrar? Where is it hosted? Can you find the phishing kit, and so on? (Always use a sandbox/VM.)
- Report & Post: File a report with Google Safe Browsing or MyCERT (Cyber999) or any relevant parties. Then, share your findings on LinkedIn, X, Facebook, or your blog to educate others.
- Submit: Drop your analysis and post link in our entry form: [https://forms.gle/ei6EqfBFsbtzdEJU9] before 12 midnight on 15th March 2026.
🏆 The Prizes (Touch ‘n Go e-Wallet Credit: each category wins RM100)
We’re awarding two distinct types of hunters:
- The Apex Hunter (Technical Prize): For the most thorough technical breakdown. We’re looking for high-quality analysis—TTPs, indicators of compromise (IOCs), kit discovery, evidence of reporting and so on. Technical evaluation will be done at 12 noon on 16th March 2026; if you have submitted your analysis but need to make minor adjustments, please do so before this date.
- The Community Advocate (Engagement Prize): For the Rectifyq LinkedIn repost (once you have submitted your entry, we will repost it on our page) that gets the most Likes & Shares. This is about making the warning go viral to prevent others from falling victim. Counting for this prize will take place at 12 noon on 18th March 2026. Do share your specific Rectifyq LinkedIn repost with everyone so they can like and share it.
Rule: To keep the rewards distributed, one participant cannot win both. If the top technical entry also has the highest engagement, the engagement prize will go to the next runner-up, and/or a student winner will be prioritized for the Community Advocate category.
Results for Apex Hunter
2 champions - Mohd Fazri & Ahmad Nazif
Updates
After another round of review and recalculation, the previously announced winner lost 1 point, which resulted in a draw between Mohd Fazri & Ahmad Nazif. Therefore, the decision has been made to announce both as champions of this challenge, since they accumulated the same score. So, both won the duit raya!
Below are the top 5:
| Article link | Category | Total Points | Extra points given | Room for improvement |
|---|---|---|---|---|
| ayiezola | Working Professional | 26 | Infection chain using AI/clean diagram, nuclei template, comparative analysis, sample of exfiltrated data | No Recommendation included, TTPs listed not using known framework such as MITRE ATT&CK |
| nazif | Working Professional | 26 | Included Impact assessment and usage of PCAP analysis | No infection chain diagram included & report format to be more concise and succinct |
| 171k | Student | 25 | Included TA assessment and TA’s opsec fails | No Action taken (e.g. report to google safe browsing) included, TTPs listed not using known framework such as MITRE ATT&CK |
| Myo | Student | 23 | None | Action taken (e.g. report to google safe browsing) can be beyond the two listed in the google form |
| Alif & Faez | Student | 22 | Included Chain of Code Reuse | TTPs listed not using known framework such as MITRE ATT&CK |
Remaining 6 (listed in random order, no particular ranking)
| Article link | Category | Extra points given | Room for improvement |
|---|---|---|---|
| n3r | Working Professional | OTP Form & Anti analysis | To include executive summary, to include action taken |
| khairul-zuhaili | Student | Telegram bot screenshot with victim data | To include executive summary, IoCs and action taken |
| akmaltaufik | Student | Usage of crt.sh for pivoting | To include executive summary, TTPs using known framework and action taken & report format to be more concise and succinct |
| syazwanisubri | Working Professional | Usage of VT collection | To include an infection diagram/attack diagram; screenshots/proof of reporting should be included directly in the article (readers may miss them if they are only in the evidence folder you’ve created) |
| matpwnguin | Working Professional | Included TA assessment and security misconfig | Executive summary is a bit too long - can be more concise, to include action taken |
| amirulhmd | Student | Asked questions to the stakeholder (Rectifyq) - which is good for understanding the stakeholder’s requirements; reporting (action taken) beyond what was suggested (Cloudflare abuse) | Overview, if chosen as the executive summary, is a bit too long; TTPs listed not using a known framework such as MITRE ATT&CK |
Results for Community Advocate
Scoring Criteria
- Brief Summary - whether it is too short, too long or just right
- Diagrams - whether it includes screenshots, code snippets, an infection chain/attack diagram
- Indicator Pivoting - pivoting from the initial indicator (often the phishing URL) to the underlying IP, then the whois record, and so on
- TTP - TTPs listed and usage of a known framework such as MITRE ATT&CK or attck4fraud
- IoC - whether IoCs were included and compiled, and each IoC has context
- Action Taken - proof of action taken (such as reporting to Google Safe Browsing, or even beyond what was suggested previously) that produced a result (e.g. site no longer reachable)
- Phishing Kit - found the phishing kit used, possibly pivoted to similar campaigns that use the same phishing kit, or even found the source code of the phishing kit
- Recommendation - provided relevant recommendations, be it to the public or to organizations
- Extra points - interesting parts of the report that are unique to the writer
- Questions to Stakeholder - contacted the stakeholder (Rectifyq) to clarify expectations in terms of formatting, or even the scoring criteria
- Follow Rectifyq’s social media - followed all of Rectifyq’s social media accounts
Conclusion
This challenge really shows that Malaysia has amazing cybersecurity talent, from students to working pros. Everyone brought something different to the table—whether it was offensive skills or traffic analysis—and used those strengths to break down the phishing campaigns targeting Malaysians.
I learned a ton from organizing this, and the feedback from a few participants was great. Like I told one of the participants, I can’t officially promise to make this a regular thing just yet. But even if I’m not the one running it next time, I hope this inspires other companies or organizations to host similar challenges.