📃Title: Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
📅Date: 2026-05-15
🔗References:
- https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure
- https://tria.ge/260516-m8tsssf12m/behavioral2

🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: infra-profile
- target: targeted
- MY-relevancy: relevant
- action-taken: diamond-model
🔖MISP Galaxies:
- target-information="Malaysia"
- sector="Government, Administration"
- online-service="8206e5d7-9189-4d8b-855d-339fa45e9c47"
- mitre-attack-pattern=['T1100', 'T1505.003', 'T1552.001', 'T1567.002', 'T1190', 'T1587.001', 'T1003.003', 'T1059.001', 'T1059.006', 'T1003.002', 'T1071.001', 'T1021.006']
MISP event uuid: a30d2c51-b056-4b55-ad4d-971722af82d8
Indicators of Compromise (IoCs)

| type | value | comment |
|---|---|---|
| ip-dst | 20.17.161.118 | Adversary Infrastructure |
| url | https://7d83b67b237af36f803533a57d8a4843.r2.cloudflarestorage.com/ | External Data Exfiltration to Cloudflare Storage |
| url | http://20.17.161.118/ | |
| url | http://20.17.161.118:8888/rce_ekyc_chain2 | Laravel RCE Exploit Chain |
| url | http://20.17.161.118:8888/rce_ekyc_chain9 | Laravel RCE Exploit Chain |
| url | http://20.17.161.118:8888/rce_ekyc_chain10 | Laravel RCE Exploit Chain |
| url | http://20.17.161.118:8888/rce_ekyc_chain14 | Laravel RCE Exploit Chain |
| url | http://20.17.161.118:8888/rce_ekyc_chain20 | Laravel RCE Exploit Chain |
| url | https://20.17.161.118/ | C2 URL |
| hostname | www.ros.gov.my | |
| url | http://103.156.82.221/assets/health.php | |
| ip-dst | 103.156.82.221 | |
| hostname | jpa.gov.my | |
| hostname | hrmis2.eghrmis.gov.my | |
Full IOCs available in Rectifyq’s MISP