SMISHING-ZOYIOSHO-2026-0310

Smishing Threat Actor Investigation

zoyiosho.my.id — Phishing-as-a-Service Campaign Analysis

Date: 2026-03-10 Engine: CorvusEngine v2.0.0 Analyst: CorvusPrime v2.1.0 Classification: UNCLASSIFIED // TLP:AMBER

1 — Executive Summary

0.82

Confidence Score

Encryption Layers

Domains Found

ATT&CK Techniques

70%

Attribution Conf.

Tools Deployed

A smishing campaign using the domain zoyiosho.my.id was identified distributing phishing links via Twitter/X t.co shortener, targeting Spanish mobile users (CF-Ray Madrid PoP).

The phishing kit employs three layers of encryption (AES-128-GCM, custom PRNG-XOR-ROT cipher with eval(), XOR form data) and presents a fake CAPTCHA UI ("Polite Hold in Place") as Stage 1 before credential harvesting. The backend is Laravel PHP on cPanel shared hosting at PT Beon Intermedia (Indonesia, AS55688) behind Cloudflare reverse proxy (AS13335).

Infrastructure and TTP analysis points to a Smishing Triad / Lighthouse PhaaS affiliate with 70% attribution confidence. The group operates a $200/month Phishing-as-a-Service platform responsible for 194,000+ domains across 121 countries with estimated revenue exceeding $1 billion.

CAMPAIGN ACTIVE equity.zoyiosho.my.id

2 — Attack Flow

Kill Chain — 11 Steps

SMS Received

Victim receives smishing SMS on mobile device with shortened link

Twitter/X Shortener

https://t.co/in5dy63sCm — URL shortener abuse for legitimacy

JS Redirect

location.replace() + <noscript> meta refresh fallback

HTTP Landing

http://zoyiosho.my.id/PiLcgSf@L86IDXnT/ — @ symbol for URL parser confusion

307 HTTPS Redirect

Cloudflare upgrades to HTTPS via temporary redirect

Active Phishing Page

https://equity.zoyiosho.my.id/PiLcgSf@L86IDXnT/ — HTTP 200, Laravel backend ACTIVE

Client-Side Decryption

AES-128-GCM decryption via Web Crypto API — 13,182 bytes → 9,270 bytes plaintext

Fake CAPTCHA Display

"Polite Hold in Place" — card UI mimicking Cloudflare/hCaptcha verification with SSL/v3.0 badges

User Interaction

Click checkbox → spinner (0.9s) → checkmark animation → "Verified Successfully" + progress bar

Campaign ID Exfiltration

XOR-encrypted campaign identifier submitted via hidden POST form (form id: tu0, field: yd6)

Stage 2: Credential Harvester

Laravel backend processes POST → serves credential harvesting form (not yet captured)

3 — Phishing Kit Analysis

Triple-Layer Encryption

Layer 1 — Outer

AES-128-GCM — Full Page Encryption

Encrypts the entire phishing page HTML. Prevents static analysis by WAF, antivirus, HTTrack, wget.
Key: wUgGAWmO35BkVktQXe3cfA==
IV: px89rtFJcpVi32Xl
Tag: /OxuIekfNAuwb68CMpWuvA==
Ciphertext: 9,272 bytes → Plaintext: 9,270 bytes

Layer 2 — Inner

Custom PRNG-XOR-ROT Cipher → eval()

Anti-analysis JavaScript payload. Bot detection, DevTools traps, debugger timing.
Seed: 321103 — Formula: (seed * 9301 + 49297) % 233280
Hash: 791c3e2e
Executes via Symbol.toPrimitive → eval() chain

Layer 3 — Form

XOR with MD5 Key — Campaign Identifier

Campaign/session ID encrypted before POST submission.
XOR Key MD5: 1d5abbdd7e22c041d7f6c51f07e9b57d
Decrypted Value: 23798794727476c48ab0369c83cb532b

Anti-Analysis Techniques (9 Detected)

AES-GCM encryption of entire page content
Custom PRNG cipher for eval'd JavaScript
Bot detection: navigator.webdriver, window.callPhantom, window._phantom
Puppeteer detection: User-Agent contains purp
DevTools detection: F12, Ctrl+Shift+I/J/C/K, Ctrl+U disabled
Right-click context menu disabled
Debugger timing trap: setInterval + performance.now()
Anti-analysis redirect to alibaba.com on detection
XOR encryption of form POST data with MD5 key

Fake CAPTCHA UI Details

Visual Design

Title: Polite Hold in Place
Heading: "Continue now"
Prompt: "Please verify to continue to the protected resource"
Checkbox: "Show you're human"
Badges: SSL, v3.0
Footer: "This step helps keep automated bots away from the site"
Width: 320px (mobile-optimized card)

Interaction Sequence

1. Page loads with random Y offset
2. User clicks checkbox
3. Spinner animation (0.9s)
4. Checkmark + "Verified Successfully"
5. Progress bar fills to 100%
6. Hidden form submits after 3s delay
7. POST to Laravel backend (same URL)

4 — Infrastructure Map

Network Topology

flowchart TD
    V["Victim
Spanish mobile user"]
    SMS["SMS Smishing
Delivery vector"]
    TCO["t.co Shortener
Twitter/X"]
    CF["Cloudflare Proxy
AS13335 · Madrid PoP"]
    DNS["Cloudflare DNS
reza.ns / sid.ns"]
    ORIG["Origin Server
cPanel/Apache"]
    HOST["PT Beon Intermedia
AS55688 · Surabaya, ID"]

    V --> SMS
    SMS --> TCO
    TCO -->|"JS redirect"| CF
    DNS -.->|"wildcard A"| CF
    CF -->|"reverse proxy"| ORIG
    ORIG --- HOST

    classDef victim fill:#d4a73a22,stroke:#d4a73a,stroke-width:2px
    classDef delivery fill:#3d9ebe22,stroke:#3d9ebe,stroke-width:2px
    classDef infra fill:#e0525222,stroke:#e05252,stroke-width:2px
    classDef origin fill:#e0904022,stroke:#e09040,stroke-width:2px
    classDef dns fill:#3db87822,stroke:#3db878,stroke-width:1.5px

    class V victim
    class SMS,TCO delivery
    class CF infra
    class DNS dns
    class ORIG,HOST origin

Subdomains Discovered (7)

equity.zoyiosho.my.id ACTIVE PHISHING
Banking/financial theme, Laravel cookies
colab.zoyiosho.my.id CF FLAGGED
Google Colab impersonation
www.equity.zoyiosho.my.id ALIAS
cpanel.zoyiosho.my.id MGMT
mail.zoyiosho.my.id UNUSED
webmail.zoyiosho.my.id UNUSED

TLS Certificates

Google Trust Services WE1 (Current)
CN: zoyiosho.my.id + *.zoyiosho.my.id
Valid: 2026-03-04 → 2026-06-02
ECDSA P-256, Wildcard
Let's Encrypt R12 (Origin/cPanel)
CN: cpanel.zoyiosho.my.id + 8 SANs
Reveals cPanel shared hosting origin
SHA256: 32F12D3B...
Let's Encrypt E7 (t.co delivery)
CN: t.co — TLS 1.3, AES_128_GCM

DNS Configuration

A: 188.114.96.5, 188.114.97.5

AAAA: 2a06:98c1:3120::5, 3121::5

NS: reza.ns.cloudflare.com, sid.ns.cloudflare.com

SOA: reza.ns.cloudflare.com (serial: 2398331862)

HTTPS/SVCB: h3, h2, ECH enabled

Wildcard DNS: YES — ALL subdomains resolve

MX/TXT/SPF/DMARC/DKIM: NONE

DNSSEC: UNSIGNED

5 — Domain Intelligence

Property	Value
Domain	`zoyiosho.my.id`
Registry ID	19108480_DOMAIN_ID-ID
Registrar	PT Beon Intermedia / JagoanHosting
Created	2026-01-03 23:58:28 UTC
Updated	2026-01-04 16:09:15 UTC
Expires	2027-01-03 23:59:59 UTC
DNSSEC	UNSIGNED
TLD Abuse	HIGH RISK .my.id — #1 most abused SLD in Indonesia (1,215+ abuse cases Q3 2024). Free registration available.
Registrar Abuse	`care@jagoanhosting.id` / `abuse@jagoanhosting.com`
Technical Contact	Farid Rahman (`om.team@jagoanhosting.com`)
Hosting ASN	AS55688 — 23 IPv4 prefixes, 5,888 addresses
Spam Rate	1.85% (13/701 active IPs)
Abuse Trend	ESCALATING 20 events Feb 2026, 17 in March 2026
BGP Anomaly	AS55688 announces bogons (abnormal BGP behavior)
Location	Jl. Jemur Andayani 50, Surabaya, Indonesia

6 — MITRE ATT&CK Mapping (v15)

TA0042

Resource Development

T1583.001 Acquire Infrastructure: Domains

T1583.003 Acquire Infrastructure: VPS

T1608.005 Stage Capabilities: Link Target

T1588.006 Obtain Capabilities: Web Services

TA0001

Initial Access

T1566.002 Phishing: Spearphishing Link

TA0002

Execution

T1204.001 User Execution: Malicious Link

TA0009

Collection

T1056.003 Input Capture: Web Portal Capture

TA0005

Defense Evasion

T1665 Hide Infrastructure

T1027.013 Obfuscated Files: Encrypted/Encoded File

T1027.007 Obfuscated Files: Dynamic API Resolution

TA0011

Command and Control

T1102.002 Web Service: Bidirectional Communication

7 — Diamond Model

Adversary

Smishing Triad Affiliate / Lighthouse PhaaS Customer

Chinese-speaking eCrime group (probable). Operating as PhaaS consumer/affiliate rather than core group.

70% CONFIDENCE

Infrastructure

Domain: zoyiosho.my.id + wildcard subdomains
Proxy: Cloudflare (AS13335, Madrid PoP)
Origin: cPanel/Apache shared hosting
Backend: Laravel PHP
Delivery: t.co URL shortener
Registrar: JagoanHosting (AS55688, Indonesia)

Capability

Kit: 3-layer encrypted phishing kit
Stage 1: Fake CAPTCHA / human verification
Anti-Analysis: Bot + DevTools + debugger detection
Evasion: AES-GCM, subdomain rotation, Cloudflare proxy
Campaigns: banking/equity, tech/colab, unknown/PiLcgSf

Victim

Spanish Mobile Users

Targeting: CF-Ray MAD (Madrid), es-ES locale
Delivery: SMS smishing + Twitter/X t.co shortened links
Lure: Fake verification/CAPTCHA page → credential harvesting

8 — Threat Actor Profile

Smishing Triad / Lighthouse PhaaS

Attribution

70% — MEDIUM-HIGH

Origin

Chinese-speaking eCrime

Active Since

2023

Model

PhaaS — $200/month (Telegram)

Scale

194,000+ FQDNs

Root Domains

136,933

Active / 8 days

25,000 domains

Countries

121 targeted

Revenue Est.

$1 billion+ (3 yrs)

Cards Compromised (US)

15–100 million

Legal Actions

Google RICO lawsuit (Nov 2025)

Tool

Lighthouse phishing kit

Matching TTPs (13)

Cloudflare DNS proxy usage (34.6% of FQDNs)
Cheap disposable TLD (.my.id)
cPanel shared hosting as origin
Wildcard certificate for subdomain rotation
Multiple simultaneous campaign themes (banking, tech)
No email infrastructure (web-only phishing)
Indonesian registrar infrastructure
Spain targeting (CF-Ray MAD PoP)
URL path obfuscation with @ symbol
AES-encrypted phishing pages (anti-analysis)
Fake CAPTCHA/verification UI as first stage
Laravel PHP backend
t.co URL shortener for delivery

Divergent Indicators (3)

.my.id TLD not in documented 187 Smishing Triad TLDs
JagoanHosting registrar vs typical Dominet (HK) Limited (68%)
Indonesian hosting vs typical Tencent/Alibaba infrastructure

These divergences suggest an affiliate/customer using Lighthouse kit on independent infrastructure rather than core Smishing Triad operations.

9 — Investigation Timeline

Domain Registration

Certificate Issuance

Phishing Activity

Investigation

2026-01-03 23:58 UTC

Domain zoyiosho.my.id registered at JagoanHosting

2026-01-04 16:09 UTC

DNS nameservers pointed to Cloudflare (reza/sid)

2026-01-04 20:20 UTC

cPanel AutoSSL certificate issued (Let's Encrypt R12) — reveals origin hosting

2026-01-04

Wildcard cert + Cloudflare Universal SSL issued

2026-03-04

Subdomain equity.zoyiosho.my.id first observed (AlienVault OTX)

2026-03-04

Cloudflare Universal SSL certificate renewed (Google Trust Services WE1)

2026-03-07

Subdomain colab.zoyiosho.my.id first observed

2026-03-07

New Let's Encrypt E8 wildcard certificate issued

2026-03-08

equity.zoyiosho.my.id last observed in OTX

2026-03-10 14:56 UTC

HTTrack mirror attempt failed (SSL error)

2026-03-10 18:37 UTC

URLscan scan via t.co shows 404 on apex domain

2026-03-10 19:16 UTC

CorvusEngine investigation — Cloudflare phishing interstitial on root domain

2026-03-10 19:25 UTC

URLscan confirms HTTP 200 on equity subdomain with Laravel ACTIVE

2026-03-10 19:29 UTC

Phishing page downloaded from equity subdomain (13,182 bytes encrypted)

2026-03-10 19:30 UTC

AES-GCM payload decrypted — fake CAPTCHA page with anti-analysis revealed

2026-03-10 19:35 UTC

Inner eval() payload decrypted — bot detection + DevTools traps identified

10 — Indicators of Compromise

Type	Value	Context
DOMAIN	`zoyiosho.my.id`	Primary phishing domain
DOMAIN	`equity.zoyiosho.my.id`	ACTIVE phishing subdomain (banking)
DOMAIN	`colab.zoyiosho.my.id`	Phishing subdomain (Google Colab)
DOMAIN	`www.equity.zoyiosho.my.id`	Subdomain alias
DOMAIN	`cpanel.zoyiosho.my.id`	Hosting management panel
DOMAIN	`mail.zoyiosho.my.id`	Mail subdomain (unused)
DOMAIN	`webmail.zoyiosho.my.id`	Webmail subdomain (unused)
IPv4	`188.114.96.5`	Cloudflare proxy (AS13335)
IPv4	`188.114.97.5`	Cloudflare proxy (AS13335)
IPv4	`188.114.96.3`	Cloudflare proxy alt (URLscan)
IPv4	`104.21.20.103`	Historical Cloudflare (theHarvester)
IPv4	`172.67.192.85`	Historical Cloudflare (theHarvester)
IPv6	`2a06:98c1:3120::5`	Cloudflare proxy (IPv6)
IPv6	`2a06:98c1:3121::5`	Cloudflare proxy (IPv6)
URL	`https://zoyiosho.my.id/PiLcgSf@L86IDXnT/`	Primary phishing URL (404)
URL	`https://equity.zoyiosho.my.id/PiLcgSf@L86IDXnT/`	Active phishing URL (200)
URL	`https://t.co/in5dy63sCm`	Delivery vector (Twitter/X)
CERT	`10E2A1644E72B364117FF7535276D310`	Cloudflare Universal SSL serial
CERT	`06E50BF736B0A1754E38241FEF5EEF3CF0B4`	cPanel AutoSSL serial (origin)
SHA256	`32F12D3BA5C15D2F42F94425EFC35EB97E7E5AB18E501853396BA40646E3DCDA`	cPanel cert fingerprint
MD5	`1d5abbdd7e22c041d7f6c51f07e9b57d`	XOR key for form encryption
MD5	`23798794727476c48ab0369c83cb532b`	Decrypted campaign identifier
AES KEY	`wUgGAWmO35BkVktQXe3cfA==`	Page encryption key (AES-128)
AES IV	`px89rtFJcpVi32Xl`	Initialization vector
NS	`reza.ns.cloudflare.com`	Authoritative nameserver
NS	`sid.ns.cloudflare.com`	Authoritative nameserver
REDIRECT	`http://alibaba.com`	Anti-analysis redirect target
SITEKEY	`0x4AAAAAABDaGKKSGLylJZFA`	Cloudflare Turnstile sitekey
30 IOCs — 7 domains, 7 IPs, 3 URLs, 3 certs, 2 hashes, 2 AES keys, 2 NS, 2 misc

11 — Evidence Files

File	Size	Description
`investigation_zoyiosho.json`	28 KB	Complete investigation JSON report with all findings
`DECRYPTED_phishing_page.html`	9.3 KB	AES-GCM decrypted phishing page (fake CAPTCHA)
`DECRYPTED_eval_payload.js`	2.5 KB	Decrypted inner JavaScript anti-analysis payload
`equity_phishing_page.html`	13.2 KB	Raw encrypted phishing page from equity subdomain
`root_page.html`	5.1 KB	Cloudflare "Suspected Phishing" interstitial page
`tco_redirect.html`	312 B	Twitter/X t.co redirect page source
`phishing_page.html`	355 B	Initial page capture (404 response)
`headers_equity_phish.txt`	1.5 KB	HTTP headers from active phishing page (Laravel cookies)
`headers_phishing.txt`	494 B	HTTP headers from primary phishing URL
`headers_root.txt`	635 B	HTTP headers from root domain
`headers_tco.txt`	1.0 KB	HTTP headers from t.co shortener
`headers_equity.txt`	643 B	HTTP headers from equity subdomain
`headers_colab.txt`	643 B	HTTP headers from colab subdomain
`urlscan_screenshot_equity.png`	2.0 KB	URLscan.io screenshot of active phishing page
`urlscan_screenshot_original.png`	10 KB	URLscan.io screenshot of 404 page via t.co
`hts-log.txt`	1.1 KB	HTTrack mirror log (SSL failure)
Location: `/home/kali/Desktop/zoyiosho/` — 16 evidence files

12 — Recommendations

Immediate Actions

Report t.co link (t.co/in5dy63sCm) to Twitter/X for takedown
Report equity.zoyiosho.my.id to Cloudflare abuse portal
Report to registrar: care@jagoanhosting.id / abuse@jagoanhosting.com
Submit to PANDI/IDADX: idadx.id/report
Submit to Google Safe Browsing, PhishTank, URLhaus
Flag URLscan scan IDs as confirmed phishing

Next Investigation Steps

Complete POST form submission to identify Stage 2 credential harvester
Discover origin server IP via SecurityTrails / Censys / Shodan cPanel cert search
Search for Twitter/X account that posted the t.co link
Analyze Laravel session tokens for additional campaign infrastructure
Monitor CT logs for new certificates on *.zoyiosho.my.id
Correlate AES key and MD5 hashes with known Lighthouse kit samples
Search for other .my.id domains registered at JagoanHosting on 2026-01-03

Detection Signatures

Alert on AES-GCM encrypted HTML pages with crypto.subtle.decrypt in source
Alert on fake CAPTCHA pages with "Polite Hold in Place" title
Block t.co links redirecting to .my.id domains
Monitor for Laravel sessions from equity/colab subdomains of .my.id
Detect XOR-encrypted form POST values with MD5-structured keys

13 — Intelligence Sources

20 Sources Used

WHOIS (PANDI registry)

DNS (Google + Cloudflare)

crt.sh (CT logs)

AlienVault OTX

RIPE WHOIS

URLscan.io API (2 scans)

Shodan InternetDB

Cloudflare Headers (CF-Ray MAD)

nmap v7.98

wafw00f v2.3.2

WhatWeb

theHarvester v4.9.2

openssl s_client

Python cryptography (AES-GCM)

Silent Push Research

Palo Alto Unit42

KrebsOnSecurity

SecurityWeek

IDADX Statistics

Sublime Security

Kali Tools (16)

dig, whois, nmap, curl, openssl, wafw00f, whatweb, theHarvester, dnsrecon, traceroute, python3, base64, HTTrack, grep, jq, file

Web APIs (6)

URLscan.io, Shodan InternetDB, crt.sh, AlienVault OTX, Wayback Machine CDX, WebSearch OSINT