Unmasking Global Phishing: Silent Push Exposes CDC Voucher Scammers


In mid-2025, Singapore's Ministry of Defence discovered a sophisticated phishing operation impersonating CDC (Community Development Council) voucher redemption portals. Spread via hijacked Telegram channels and SMS blasts, these fake sites used urgent calls to action (“Claim Your Vouchers Now”) to steal citizens’ credentials.

Using only two initial domains, Silent Push helped MINDEF expose and dismantle a 688-domain global phishing ring spanning Singapore, the UK, Indonesia, the UAE, and beyond, all in a single afternoon.

Goal

Start from two suspicious .app domains and systematically uncover the full attack infrastructure, including dedicated IPs, shared phishing kits, cross-country targeting, and actor attribution, using layered SPQL queries, pivoting, and fingerprinting.

Investigation Steps

Broad Reconnaissance in Total View

Loaded the initial IoCs with Domain Wide View enabled. This immediately revealed massive abuse of railway.app (550k+ A records) and zeabur.app (23k+ A records), both classic disposable phishing hosts.

SPQL Pattern Matching (Web Scanner)

datasource = ["webscan"]
hostname ~= "^([a-z]{2,}\-){1,}[a-z]{1,}\.([a-z]{2,}\.){1,}app$"
hostname ~= ".*(sgp|redeem|voucher|cdc).*"
scan_date > "now-90d"

Surfaced hundreds of dash-heavy .app subdomains with Singapore-themed keywords → uncovered dedicated phishing IP 147.93.107.167 (Hostinger).
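To make the two hostname filters above concrete, here is an added Python illustration (not Silent Push code and not part of the original write-up) that applies the same regexes to a constructed list of hostnames. It assumes the SPQL `~=` operator behaves as a case-sensitive regular-expression match; the sample hostnames are invented for the example and are not IoCs from the investigation.

```python
import re

# Regexes copied verbatim from the SPQL query in the write-up.
# Note the first pattern demands one or more "label-" groups, a final
# lowercase label, then at least one label before the ".app" suffix.
DASHY_APP_HOST = re.compile(r"^([a-z]{2,}\-){1,}[a-z]{1,}\.([a-z]{2,}\.){1,}app$")
LURE_KEYWORDS = re.compile(r".*(sgp|redeem|voucher|cdc).*")

# Constructed sample hostnames (not real indicators).
SAMPLE_HOSTNAMES = [
    "cdc-voucher-claim.up.railway.app",  # dash-heavy + SG keyword -> match
    "sgp-redeem-now.zeabur.app",         # dash-heavy + SG keyword -> match
    "grants-portal-uk.up.railway.app",   # dash-heavy but no SG keyword
    "cdcvoucher.zeabur.app",             # keyword present, but no dashes
    "docs.railway.app",                  # ordinary platform hostname
    "voucher-CDC.up.railway.app",        # uppercase falls outside [a-z]
]


def matches_spql_pattern(hostname):
    """Return True when both hostname filters from the query are satisfied.

    Assumption: SPQL ~= is a case-sensitive regex match, so this function
    mirrors that and does not lower-case the input itself.
    """
    return bool(DASHY_APP_HOST.match(hostname) and LURE_KEYWORDS.match(hostname))


def filter_hostnames(hostnames, normalize=False):
    """Apply the pattern to a list of hostnames.

    With normalize=True the hostnames are lower-cased first, which is what a
    defender would want when feeding this into a local watchlist; the raw
    query as written would miss mixed-case hostnames.
    """
    if normalize:
        hostnames = [h.lower() for h in hostnames]
    return [h for h in hostnames if matches_spql_pattern(h)]


if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        print(f"{host:40s} {'MATCH' if matches_spql_pattern(host) else '-'}")
```

Running the block shows that only the two dash-separated, keyword-bearing hostnames survive both filters, and that the mixed-case variant is dropped unless the caller normalizes case first. That is the caveat worth remembering when scheduling the query: character-class regexes are exact, so keyword lists and case handling should be reviewed each time the pattern is re-run.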

IP Pivot → Dedicated Infrastructure

Pivoting on the IP revealed two additional hotspots (93.127.172.99 and 69.62.87.208) hosting CDC, UK grants, Indonesian bansos, and UAE job scams. Final count: 688 high-confidence domains.

SHV + JARM + JS Fingerprinting

datasource = ["webscan"]
body_analysis.SHV = "3571eca0d0ba045825eb368b1d"
jarm = "2ad2ad16d2ad2ad00042d42d000000df133019600a83abfb096ff3e86cd79d"
body_analysis.js_sha256 = "var phoneinput *"

Instantly clustered 188 domains. A follow-up Web Resources pivot on shared home.css expanded the cluster across five countries.

WHOIS Attribution

Registrant email extracted from multiple cluster domains:

  • rindraabi22@gmail.com

Strong indicator for takedown requests and future monitoring.
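The three pivots described above (dedicated IP, SHV/JARM fingerprint, shared web resource) and the registrant roll-up all follow one pattern: start from seed hosts, collect the values they share on some attribute, pull in every host carrying those values, and repeat. The following Python block is an added illustration of that workflow over a constructed, webscan-shaped dataset; it is not Silent Push code or data. The records use RFC 5737 documentation IPs, placeholder fingerprint strings, and placeholder registrant addresses, and the field names (`shv`, `jarm`, `css_sha256`, `registrant`) are the example's own, not SPQL field names. It generalizes the page's single sequence of pivots into a loop over any list of attributes, and keeps an evidence trail showing which attribute linked each host in.

```python
from collections import defaultdict

# Constructed webscan-style records for the example (not investigation data).
# IPs are RFC 5737 documentation addresses; fingerprints are placeholders.
RECORDS = [
    {"hostname": "cdc-voucher-claim.up.railway.app", "ip": "192.0.2.10",
     "shv": "shv-A", "jarm": "jarm-A", "css_sha256": "css-A",
     "registrant": "actor@example.invalid"},
    {"hostname": "sgp-redeem-now.zeabur.app", "ip": "192.0.2.10",
     "shv": "shv-A", "jarm": "jarm-A", "css_sha256": "css-A",
     "registrant": "actor@example.invalid"},
    {"hostname": "uk-grant-apply.up.railway.app", "ip": "198.51.100.7",
     "shv": "shv-A", "jarm": "jarm-A", "css_sha256": "css-A",
     "registrant": "actor@example.invalid"},
    {"hostname": "bansos-cek-dana.zeabur.app", "ip": "198.51.100.7",
     "shv": "shv-B", "jarm": "jarm-A", "css_sha256": "css-A",
     "registrant": "actor@example.invalid"},
    {"hostname": "uae-jobs-portal.up.railway.app", "ip": "203.0.113.5",
     "shv": "shv-C", "jarm": "jarm-C", "css_sha256": "css-A",
     "registrant": "other@example.invalid"},
    {"hostname": "recipes-blog.up.railway.app", "ip": "203.0.113.99",
     "shv": "shv-Z", "jarm": "jarm-Z", "css_sha256": "css-Z",
     "registrant": "blogger@example.invalid"},
]


def pivot(records, seeds, key):
    """Single pivot step: every host sharing `key` with any seed host.

    With key="ip" this is the IP pivot from the write-up: seeds on a
    dedicated IP pull in everything else served from that address.
    """
    seed_values = {r[key] for r in records if r["hostname"] in seeds}
    return {r["hostname"] for r in records if r[key] in seed_values}


def expand_cluster(records, seeds, keys):
    """Repeat pivots over `keys` until the cluster stops growing.

    Returns the cluster and a trail mapping each newly linked hostname to
    the (attribute, value) that first connected it, so an analyst can show
    why a host was included rather than just that it was.
    """
    cluster = set(seeds)
    trail = {}
    frontier = set(seeds)
    while frontier:
        new = set()
        for key in keys:
            values = {r[key] for r in records if r["hostname"] in frontier}
            for r in records:
                host = r["hostname"]
                if host in cluster or host in new:
                    continue
                if r[key] in values:
                    new.add(host)
                    trail[host] = (key, r[key])
        cluster |= new
        frontier = new
    return cluster, trail


def registrants(records, cluster):
    """Count registrant addresses across the cluster (the WHOIS roll-up)."""
    counts = defaultdict(int)
    for r in records:
        if r["hostname"] in cluster:
            counts[r["registrant"]] += 1
    return dict(counts)


if __name__ == "__main__":
    seed = {"cdc-voucher-claim.up.railway.app"}
    # Fingerprint-only pivots reach four hosts; adding the shared stylesheet
    # pulls in the fifth, mirroring the Web Resources expansion in the text.
    cluster, trail = expand_cluster(RECORDS, seed, ["ip", "shv", "jarm", "css_sha256"])
    for host in sorted(cluster):
        print(host, trail.get(host, "seed"))
    print(registrants(RECORDS, cluster))
```

The unrelated blog host stays outside the cluster at every stage because it shares no attribute with it, which is the property that keeps a pivot chain from degrading into "everything on a shared hosting platform". The trail is what turns the cluster into something a takedown request or blocklist reviewer can audit.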

Outcomes

  • 688 malicious domains identified and neutralized

  • 3 dedicated IPs flagged and blocked

  • Campaign confirmed targeting Singapore • UK • Indonesia • UAE • others

  • Actor email and full fingerprint dataset for ongoing defense

Recommendations for Your Team

  • Block the exported domain/IP list at the ISP and firewall level

  • Monitor rindraabi22@gmail.com in registrar abuse queues

  • Run the SPQL pattern weekly for emerging government-aid phishing

  • Re-run SHV/JARM fingerprints quarterly as kits evolve