📃Title: Nacsa says Health Ministry, other govt agency websites hacked; urges immediate patch to fix vulnerability
📅Date: 2026-06-27
🔗References:
- https://www.thestar.com.my/tech/tech-news/2026/06/27/nacsa-issues-advisory-on-critical-vulnerability-related-to-hack-of-health-ministrys-website
- https://www.lowyat.net/2026/397029/moh-main-page-appears-to-have-been-hacked-by-anonymous/
- https://www.malaymail.com/news/malaysia/2026/06/27/moh-website-hacked-ministry-warns-malaysians-avoid-site-and-rely-on-verified-platforms/225402
- https://www.nst.com.my/news/nation/2026/06/1473852/health-ministry-website-hacked
- https://www.reddit.com/r/malaysia/comments/1ugoume/moh_kena_hacked/
- https://www.threads.com/@foodbeverageloves/post/DaDvikJGWQV/security-department-mesti-tgh-busy-ni/
- https://www.zone-h.org/archive/notifier=Mushr00w
- https://www.zone-h.org/mirror/id/42570843
Threat Actor
Mushr00w
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: report
- sub-category: critical-vuln
🔖MISP Galaxies:
- target-information=“Malaysia”
- sector=“Government, Administration”
- mitre-attack-pattern=[‘T1190’, ‘T1377’, ‘T1100’, ‘T1505.003’, ‘T1491’, ‘T1059.006’]
MISP event uuid: 409f7b4d-207e-4bad-8938-248248604dd4
Indicator of Compromise (IoCs)
type,value,comment
md5, c4ff68b75e77936478c90dcd96881dde, ''
md5, 097a0d1708f3f685978345c9caf57082, ''
md5, b2a4352e0a34f5d642aa9dec4f34c846, 'No sample in VT\r\nLast check:28/06/2026'
md5, 32bea1ef00228d2629374abfdb38dffb, 'No sample in VT\r\nLast check:28/06/2026'
md5, a0dffda5d499410118275d6dfd05c38e, 'No sample in VT\r\nLast check:28/06/2026'
md5, 3e2256077a55584ee23d5aaba1aa23c1, 'No sample in VT\r\nLast check:28/06/2026'
url, https://t.me/Mushr00w, ''
ip-dst, 103.233.161.81, 'moh.gov.my'
hostname, moh.gov.my, ''
ip-dst, 188.119.4.214, ''
ip-dst, 193.200.134.44, 'Malicious Infrastructure / Command and Control (C2'
ip-dst, 20.226.81.217, 'Vulnerability Scanner / Probing Host / Persistent Scout Bot / Active Scanner'
ip-dst, 35.220.187.228, 'IP sekunder yang digunakan oleh penyerang pada sebelah malam untuk mengakses semula webshell dan memuat naik komponen/skrip tambahan ke dalam pelayan (server) - Malicious Proxy'
ip-dst, 188.119.20.75, 'Active Attacker Node'
url, https://t.me/WebshellSR, ''
Full IOCs available in Rectifyq’s MISP