📃Title: Phantom Casino
📅Date: 2026-06-10
🔗References:
- https://www.syntx.com.my/blog/phantom-casino
- https://soyacincau.com/2023/12/13/malaysia-jakim-halal-portal-hacked-last-saturday/
- https://webcare.co/malaysian-government-website-hacked-sept-2024/
- https://www.facebook.com/groups/developerkaki/posts/2428075947538304/
- https://www.reddit.com/r/malaysia/comments/1li7dl2/i_found_a_govmy_link_that_is_redirecting_to_sport/
- https://pokde.net/system/software/web-application/my-halal-website-hack
Threat Actor:
- Golden Wheel
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: infra-profile
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- sector="Education"
- sector="Government, Administration"
- software-vendor="WhatsApp"
- software-vendor="alibaba"
- software-vendor="cloudflare"
- software-vendor="facebook"
- mitre-attack-pattern=['T1190', 'T1608.006', 'T1189', 'T1584']
MISP event uuid: 2603f2d2-024d-4874-a26c-074a965ff561
Indicators of Compromise (IoCs)
type,value,comment
domain,axas888.net,"wallet, merchant 50703"
domain,axas888.com,"second axas888 domain"
domain,cikgu88.com,"wallet, merchant 60569"
hostname,cdn.vefrop.com,"operator-controlled CDN serving the wallet platform"
ip-dst,47.84.198.177,"Alibaba Cloud SG, AS45102"
ip-dst,47.237.119.71,"Alibaba Cloud SG, AS45102"
hostname,max-cv4.pages.dev,"Cloudflare Pages mirror (one of many, rotates)"
domain,hljnx.com,"cloaking gate (now dead)"
url,https://linkmy.pro/mega888,"operator bio-link, 301s to the WhatsApp agent"
Full IoCs are available in Rectifyq's MISP.