Threat Hunting
Roster of known malicious kits and campaigns — each anchored to a deterministic structural fingerprint (byte-identical and obfuscation-resistant) or a YARA rule. Every scanned script and page is matched against this roster automatically.
Login chunk of the Indonesian gambling kit (UC framework: uc_login.js).
127-host gambling/casino app Vue PWA kit. ONE operator running random brand hostnames across .shop/.world/.store/.site/.website/.com TLDs. Page titles include "Tower Rush", "Chicken Road", "Lucky Casino", "Chicken Road 2", "BEAST GAMES: ICE FISHING", "Ice Fishing", "Revolut Slots" (Revolut bank brand impersonation in a slots scam). Path pattern /assets/<chunk>-v431.js + PWA service workers (/PwaWorker.js, /push/vapp/VappWorker.js).
Vendor bundle of the gambling Vue PWA kit (Vue runtime core, v431 cohort).
Marketplace page chunk for the gambling kit — renders the fake-casino game catalogue.
23+ host Indonesian gambling SPA. Brand titles: "Bansos188", "SKYLAR88", "SOGOSLOT", "Dausbet", "CAGURBET" — all Indonesian gambling brand patterns with "Slot Online", "Slot Gacor", "Anti Rungkat", "Maxwin" terminology. Hosts: gasing777tidakindex.shop, apktiptoplock.sbs, babejd.icu, cagurbetkyu.icu, ndxskylar88.click. Extensive feature set: live chat, login, banners, announcements, page searching.
Desktop layout module for the Indonesian gambling kit.
Multi-brand credential-phishing kit deployed across 220+ *.pages.dev hosts under one operator. Brand cohorts: sso-godaddy (100h), update (39h), excel (16h), pdf/adobe/adobe-pdf (19h), 360-yandex-mail (9h), hostinger-mail (7h), nid-naver-mail (6h), zoho-mail, mailhostbox, nate-mail, dropbox, dhl, outlook-mail, office365-mail, we-tl, mail-one-update. Page title "Are you not a robot?" — fake-CAPTCHA pretext. jg.js is the shared handler script across all cohorts.
PWA service worker (/push/vapp/VappWorker.js) of the gambling kit. The PWA architecture is distinctive — most kits don't register service workers; this one does (for push notifications / offline-mode fake-app feel).
Universal kit-internal js1.js across the multi-brand pages.dev operator. 206 hosts.
Newer cohort build (v442) of the same gambling Vue PWA kit. Same operator, kit upgraded.
Webpack chunk 5193 of the fake-Telegram kit.
Extension of the existing btbuu-fake-crypto-exchange operator family targeting a new brand: Bursa Malaysia (Malaysian stock exchange). 7-host cluster including bursamalaysia.space, served from the same /Public/Static/js/layer/layer.js path the btbuu operator uses on btbuu.com and trade-maxs.com. Same operator, new brand.
GoDaddy SSO cohort js.js — 100 hosts.
Massive 139-host Telegram brand-impersonation operation. ONE operator running random-letter hostnames across .icu/.sbs/.xyz/.top/.lat/.homes/.shop/.cn/.com/.org/.love/.life TLDs (dashan.icu, danvato.icu, eldravox.icu, claw111a.xyz, ai123h.xyz, bot789c.xyz, euhe-tg.com, htrx-tg.com, hujli.shop, telegarm-jp.org, yfhmg.love, fdshfgjd.{lat,homes}, …). Pages titled "Telegram" or "Secure Messenger". Operator-built Vue.js SPA. The "-tg" suffix in domain names and Japan/JP brand hints suggest Telegram-Japan credential-harvest focus.
Brand-impersonation phishing kit targeting AMP Futures (US futures broker, ampfutures.com). Deployed across 62 random-letter .xyz hostnames matching pattern [a-z][0-9][a-z][0-9][a-z].xyz (a2q6w.xyz, a4k7n.xyz, b2k9t.xyz, …). All 62 hosts serve the page title "AMP Futures"; all were graded Low Risk or Medium Risk by the verdict layer.
"update" generic cohort js.js — 38 hosts.
Browser-compatibility probe of the fake-Telegram kit.
Webpack chunk 7283 of the fake-Telegram kit.
Companion build of the Telcel MX kit — same 23 hosts, second anchor chunk under the same /apps/MX_PT_06/ path.
Brand-impersonation phishing kit targeting Telcel (Mexico's dominant mobile carrier). 23 hosts on .top/.vip with mx-prefixed names (mxstelcec.top, mxtecelah.top, mxtelelsuy.top, mxtelesvip.vip, …). URL path /apps/MX_PT_06/assets/index-*.js — the "MX_PT_06" naming matches the Tigo SV kit's "SV_PT_01", strong evidence of one operator running localized LATAM carrier kits.
Companion build of the Tigo SV kit — same 19 hosts, second anchor chunk.
Brand-impersonation phishing kit targeting Tigo El Salvador (major LATAM telecom). 19 hosts on .cc/.help/.click/.art/.sbs/.top with tigo-prefixed names (sv-tigo.cc, tigoboss.help, tigosrwvp.help, tigovseop.click, tigovspom.help, …). Page title: "La primera Red 5G de El Salvador | Tigo El Salvador" (direct quote from real Tigo SV marketing). URL path /apps/SV_PT_01/assets/index-*.js — sister to the Telcel MX MX_PT_06 kit, same operator.
PDF/Adobe cohort js.js — 16 hosts.
Excel/Office365 cohort js.js — 13 hosts.
6-host operator hosting fake trading platform on Azure Static Web Apps + .top with port: comex309.z1.web.core.windows.net + secondary, tada1912.z23.web.core.windows.net + tada93179, web6699.313675.top:39395. "COMEX" = Commodity Exchange impersonation; "tada" branding signals throwaway cohorts.
Naver (Korean) cohort js.js — 8 hosts.
360-yandex-mail cohort js.js — 9 hosts.
Vendor bundle for the Medtronic brand-impersonation kit. Vue+ElementUI+etc. compiled by the operator's specific webpack build.
Brand-impersonation phishing kit targeting Medtronic (the medical-device manufacturer). Vue.js SPA deployed across 4 sister hosts (medtronicwmn.com, medtronicwrr.cc, medtronicwrz.com, medtronicwtt.cc) under /static/js/ paths. Chunks reveal a fake-login + fake-account-detail flow (pages-login, pages-welcome, pages-account-account-detail, pages-Detail, pages-Particulars).
Welcome-page chunk for the Medtronic brand-impersonation kit. Small, highly diagnostic.
6-host operator running MULTIPLE major financial-brand impersonations from a single template: cmeamex.com, cmeamexs.com, cmenyse.com (CME+AMEX, CME+NYSE), schwabvs.com (Charles Schwab), tradesoksca.com, tradesokscs.com. Single SPA deployed under each broker's name.
4-host operator: login-client-6i5.pages.dev, metasuite-business.com cohort. Numbered "login-client" Cloudflare Pages deployments paired with "metasuite-business" branding — textbook MS 365 / business-suite credential-harvest naming.
6-host operator: comex-ex.com, comex-glob.com, comex-next.com, comex-next-desk.com, ortexlabs.com, ortexportal.com. COMEX + Ortex (real institutional trading-research firm) impersonation. Sister of the d7a2 cluster.
5-host Chinese WhatsApp brand impersonation: it-web-whatsapp.hl.cn, llg-whatsapp.com.cn, etc. Third-region sister of whatsapp-bd-771c (Bangladesh) and whatsapp-pk-96b1 (Pakistan) — same kit-as-a-service operator targeting more countries.
1 host (shoopeifyus.com) impersonating Shopify. Triple-vowel "shoopeify" + "us" suffix is a textbook brand-typo phishing pattern.
2-host operator impersonating OneKey (real crypto-wallet brand). onekey1.com cohort. Crypto wallets are high-value phishing targets — credential theft = drained wallets.
3-host operator impersonating BitMart (real crypto exchange). Surfaced via cosine pivot on btbuu-fake-crypto-exchange anchors. Hosts include bitmartsweb.com.
Same fake-CAPTCHA flow as the PowerShell variant but the copied command is a non-PowerShell Windows LOLBin (msiexec /i <URL>, mshta, wmic, certutil, regsvr32, curl, iex, Invoke-Expression). First validated live on 00c29c34fd.nxcli.io from threatfox's IClickFix-tagged feed (scan 52b189eb / 2f465516 / f6c071f8). Markup-tolerant string matchers (<b>R</b> / <b>V</b> / <b>Enter</b>) catch kits whose instruction text is HTML-formatted.
3-host operator impersonating MeridianLink (real US lending/banking tech company). meridianlinkgroup.com cohort.
Sister cohort of multi-broker-impersonation-195a. 3 hosts: cmenyses.com (CME+NYSE), cmekeya.com (CME+Keya). Same operator running additional broker-name combinations.
2-host operator impersonating FP Markets (real Australian forex broker). fpmarts.com cohort.
1 host (trustucoin.com) impersonating Trust Wallet / Trust Coin brand.
Okta-themed brand-impersonation phishing kit. Landing URL has the ?passtoken=&redirect=/ signature; backend.php polls for MFA-bypass state; pingServer heartbeat; Telegram-channel credential exfiltration. Attributed to the ShinyHunters cluster.
1 host (www.whaleoex.com) impersonating Whale (real crypto-derivatives exchange / similar branding).
Companion build of the Tokyo Financial Exchange impersonation kit. Same host (tokyofinancialexchange.work) but second chunk hash — different cohort build of the same kit.
1 host so far (tokyofinancialexchange.work) impersonating Tokyo Financial Exchange (real Japanese exchange). Operator-built anchor — canonical_ast_hash trigger will catch any future cohort rebuilds.
1 host (mtsgoldr.com) impersonating MTS Gold (real precious-metals broker). The trailing "r" is typo-brand phishing.
Fake-CAPTCHA HTML page that copies a `powershell -enc <base64>` command to clipboard for the victim to paste into Win+R. Social-engineering pretext: "Verify you are human" / "Not a robot" / "Verification Steps" / "Press Windows Key + R / Ctrl + V / Enter". YARA rule reports 283 samples matched, >60% zero AV detection at time of analysis.
Next.js SPA deployed across 37+ Indonesian-language online gambling sites. Brand+number naming (ammo88jaya, apek88-apk2, banteng328bersama, banteng328goyang.site, bos56.xyz, dragon969resmi.site, elang55b.com, eth77original.site, …). Page titles in Bahasa Indonesia: "Situs Slot Online Gampang Menang", "Login Situs Slot 4d Mahjong yang Pasti Bayar 2025", "RTP Gacor Hari Ini" (slot/mahjong/RTP terminology).
Online-gambling/betting kit deployed across 43 brand-prefixed hostnames on .win/.mom/.vip TLDs. Includes 1xbet-style impersonation (1x-clz.vip, 1x-gzm.vip, 1x-xl.vip) and generic bet/win brands (0227bet.win, 107win.mom, 208win2.vip). All hosts graded "Low Risk" or "Medium Risk".
Single shared main.v2.js deployed across 17 throwaway domains on cheap/suspicious TLDs (.icu, .sbs, .cfd, .cyou, .shop, .wiki, .one, .asia, .club). Includes telegran.one — Telegram brand impersonation. The 17 hosts have inconsistent verdicts (Low Risk → Malicious); the roster catches all of them via a single fingerprint.
Vue.js webpack SPA deployed across 63 random-letter hostnames on .icu/.sbs/.cyou/.shop TLDs. Hostnames are keyboard-mash strings (e.g. baiiwerogkasdfg.sbs, bbqupospdkgkaj.shop, bjioqjksdjkskzx.cyou). Every host in the cluster was graded "Low Risk" or "Medium Risk" by the verdict layer.
Companion pages/_app build for the Indonesian gambling Next.js SPA.
Vue.js webpack SPA deployed across 33 random-letter hostnames on .cyou/.shop/.sbs/.icu TLDs (oodjdfuigewjkfdssf.cyou, bcmnrjwyrishfdjdgf.shop, dsfjngfwisdjfoisdjs.shop, …). TLSH body identical to the 0e990c cluster — likely the same template, different operator cohort.
Vue.js webpack SPA deployed across 40 hostnames ALL on the .forum TLD with 8-character random hostnames (cmkpxlpv.forum, lhivtxfx.forum, ruxkxjyybs.forum, …). The uniformity of TLD + filename-length is a strong operator signal.
42-host Chinese gambling operator running "Kaiyun" brand impersonation across cn-kaiyunapp.vip, zh-kaiyuntiyu.vip, danti4833.com subdomains with random hostname prefixes. Path pattern /js/app.<hash>.js. Kaiyun (开云) is a known Chinese gambling brand frequently impersonated; "kaiyun" naming + Chinese-numeric subdomains is a strong operator signature.
Sister cohort of forum-tld-kit-b86d1a / forum-tld-kit-6ed2. 39 .forum hosts with uniform 8-char random hostnames (bgvwaihj.forum, bosmehqu.forum, …). Path pattern /js/app.<hash>.js — different chunk path than the earlier forum kits.
Vue.js webpack SPA deployed across 31 hostnames ALL on the .click TLD with 8-character random hostnames (aicjgkjk.click, cbcsljlc.click, pshhttokse.click, qhzelnxa.click, …). Uniform TLD + hostname pattern is a strong operator signal.
Vue.js webpack SPA across 26 random-letter hostnames on .cyou/.shop/.qpon/.click/.icu TLDs (huwhnkjahksjwnak.cyou, klajlkza12jasdjk131.click, mblgfkltkllpuoprfltp.icu, …). Same kit-as-a-service template as the migration-080 random-domain kits.
Numeric webpack chunk for the teje-rotating-domain kit.
Vue.js webpack SPA deployed across 32 random-letter hostnames on .sbs/.qpon/.cyou/.click/.icu TLDs (iewyrgajdghfvdhdjs.sbs, jkahskdnzl6kajhmza.qpon, …). Includes the .qpon TLD which is rare and a strong scam-infrastructure marker.
Vue.js webpack SPA across 21 random-letter hostnames on .icu/.cyou/.qpon/.shop/.click/.sbs TLDs. Sister cohort of the kit-as-a-service template.
Sister cohort of random-letter-com-199c. 18 hosts with 10-letter random .com hostnames (2zrlupki.com, luckrfbyjg.com, …). Different bundler path (/js/app.<hash>.js) than the original 199c kit.
19-host operator running numbered Cloudflare Pages deployments: status-account-{8,10,13,14,16-21,43,53,70,71,75,122,123,124,125}.pages.dev. Hostnames are textbook account-suspended phishing pattern (Microsoft/Google "your account has been suspended" credential harvest).
8-host operator running Portuguese/Brazilian-language gambling brands: 54rr.win, 91-earring-pg.vip, muito-777.win ("777" + Portuguese for "a lot"), okokflash.mom, voy-brow-pg.vip, we-operapg.mom ("opera-pg"), wgbetkk.win, wg-relogio.win ("relogio" = watch).
Operator across 16 hosts impersonating Meituan (Chinese super-app): qiqimeituan.xyz, shengmeituan.xyz, plus generic Chinese-themed names (songsong123.xyz, tangtang123.asia, zhanxupeng6.asia) and qazwsxNNN.asia placeholders.
Vue.js webpack SPA across 17 hostnames mostly on .click TLD (bpqsfyum.click, deddrvta.click, hxrygdhl.click, …) plus shakti.top and tea01.bahfn.cn. Different operator from a260ef.
Vue.js webpack SPA across 15 random-letter hostnames on .icu/.click/.cyou/.cfd/.shop/.sbs TLDs.
Vue.js webpack SPA across 13 random-letter hostnames on .shop/.sbs/.cyou/.icu TLDs.
Operator running a numbered series of `yjdm[NNNN].com` + `yjdm[NNN].club` sister hosts (yjdm1371-1395.com, yjdm332-355.club — 18 hosts total). Likely Chinese gambling/lottery brand.
Operator running multi-brand crypto-wallet impersonation across 17 hosts: rwusdtc[a-y].com (USDT impersonation), axexclub/axexhub on .com+.top, safeger/safegnr/safetar.com, plus dbecrede.com, exintir.com. Fake-wallet credential harvesting.
11-host operator running 10-letter random .com hostnames (cjnwqvprty.com, dkpvtrmzla.com, fgrtqpxlme.com, …).
Vue.js webpack SPA across 16 random-letter hostnames on .shop/.cyou/.icu/.sbs TLDs.
7-host operator abusing free cloud storage to host the SPA: 5 Azure Static Web Apps (*.zNN.web.core.windows.net) + Tencent Cloud Object Storage (*.pichk.myqcloud.com). The cloud-vendor domains lend false legitimacy.
Vue.js webpack SPA across 17 .forum TLD hosts (bqetfpng.forum, bvgapqrm.forum, djtzmlwl.forum, …). Distinct operator from the migration-080 b86d1a cluster.
Sister cohort #2 of the .forum-TLD rotation family. 17 hosts with random 10-char hostnames (hvwvwvjwso.forum, nbilrwodrt.forum, …). Different build hash from f969.
Vue.js webpack SPA across 16 random-letter hostnames on .cyou/.icu/.shop/.sbs TLDs.
5-host operator impersonating BitMax (real crypto exchange now rebranded to AscendEX). bitmax123.com cohort.
Vue.js webpack SPA across 15 random-letter hostnames on .icu/.shop/.cyou/.sbs TLDs.
15-host operator running two parallel brand prefixes: cimamedia[88|92|9i|aa|io|ip|vi|vip|vvip].com and speedride[88|92|9i|ia|io|vi].com.
10-host numbered series operator: 532810.top, nyadegd[326|517].top, nydash812.com, nyedfrt[017|195|367|591|728|937].top.
12-host operator running acce[afae|afaf|dew|dzz|eann|haiu|kioa|lnn|mfg|mmrk|qrf|rmk].com sister hosts. Uniform `acce` prefix, two-three random suffix characters.
9-host operator running Portuguese-language brand impersonation: bbq-kf.com, bbqkf.com, bbqkfpg.com, carros-ty.com, carrosty.com, okcarros.com, ty-carros.com, tycarros.com, vip-carros.com (BBQ + cars).
7-host operator on .cn TLD with letter+digit random pattern: j3h1k9.cn, m9u6y0.cn, n4c6v5.cn, p4i6o3.cn, q4x9v6.cn, q7e2r6.cn, q8t4y7.cn.
10-host operator running auto-generated word-pair brand names: deeply-marketsearch.com, deeps-datastudy.com, finely-stylecraft.com, quicks-cdbuild.com on .com + findraregive/getfastrun/grabfreshsell/keepgoodsave/makesweetbake/picksmartubuy on .shop. Lure: looks like quick-build / market-research / save-money brand.
5-host Brazilian Portuguese gambling sister of pt-brazil-gambling-80be. Hosts: 7v-elefante.com, 7v-leao.vip ("elephant", "lion"). Same operator, 7v-prefix cohort.
Browser-compatibility probe used by the teje-rotating-domain kit. Tiny but unique.
Long-poll companion to Comet.js — secondary WebSocket channel used by the J365 illegal-gambling platform.
Custom WebSocket C2/heartbeat code (/websocket/Comet.js) used by the J365 illegal-gambling platform. Operator-specific real-time channel for bet placement, balance updates, and admin control.
Chinese-language illegal online-gambling platform served from a rotating set of brand-prefixed landing domains (j365*.xyz, lvs*.vip, hgty*.vip, hg*.vip, usdbetvip*.biz, xpj*.com — including punycoded variants) backed by a small set of operator CDN hosts on pham.xin and yqdkrj.com under the path /ftl/commonPage/. Offers fish-shooter, casino, sports, chess games. gui-base.js is the kit's shared UI framework.
Sister cohort of the existing random-letter-multitld-4ba7 kit. 6 hosts: klajlzmopkiak9kanz.{icu,qpon}, myj9qlcd05jj.qpon, nhgijgskjmriaks.icu, yjksnolkdjhikakr.{click,cyou}. Cosine-pivoted at sim=1.0000.
8-host operator running andes-prefixed brands: andekhu5, andesapply24, andesapply8k, andeshsk11, andesiodshuqian22, andesjhsh2, andessdf3, andsskli8 on .com.
7-host operator using DEEPLY-NESTED random subdomains (4+ labels): cccys.zokide.6x1qko1.com, ccyy.xmsck.jluoo8h.com, cuiu.yw9u2e.esh536.com, cyppt.apxpiff.ztlcsqwf.com, cyqqt.x01jjex.ay9fc.com, cyttp.cokpa.lyaj69w.com, hue.oaiweu.6o99od.com. Wildcard-DNS abuse pattern.
10-host numbered series: hanhan12.com + hhmh1[386|387|388|389|390|397|398|399|400].com.
Fake crypto-derivatives exchange kit. Operator-deployed K-line / Contract / Trade UI across btbuu.com, wbitx.cfd, trade-maxs.com, evergreen-capital.org. Path pattern /Public/Static/js/*, page pattern /Contract/index, /Trade/index?type=buy&symbol=*. Earlier sweep had bounced on the kit's pako.min.js (real zlib library) — these are the operator-specific files.
WebSocket feed client used by the btbuu fake crypto-exchange UI to render fake real-time price ticks.
5-host operator running random-named .top hostnames anchored on htxnadf.top.
Sister of the existing `cloud-storage-abuse-72ea` kit. 5 hosts on Azure Static Web Apps: abw219, hk3091, london25, nsd90317, xdl719 — geographic-cohort naming (HK=Hong Kong, london, etc.) suggests targeted-region phishing.
9-host operator running aaoopg.{app,cc,net,one,vip} + eejjkf.{app,com,net,one}. Same prefix across multiple TLDs — characteristic of bulk-domain phishing.
7-host operator: 266229.com, 500698.com, 500798.com, klyl6.net, www.uuyl.net, www.uuyl.xyz, xpj2487.com. Chinese-style numeric gambling/lottery brands.
7-host operator: aeychdent.com, caichdfdt.com, daochderu.com, ejgchdcbt.com, fjhchdlep.com, gajchdvbt.com, hajchdkru.com. Uniform `chd` substring at positions 4-6 in random-alpha .com hostnames.
Webpack-bundled SPA deployed across an 8-host rotation that all share the `teje` prefix on cheap/suspicious TLDs (tejehqnfih.work, tejehqzjxt.club, tejeiviusk.asia, tejeiwdeow.cloud, tejeiycpyh.asia, tejeizzifa.wiki, …). Most graded Malicious by the verdict layer, some Low Risk — the roster catches the misses.
4-host wildcard-DNS abuse sister of nested-subdomain-9003, serving on non-standard port 3443: tyyx.dakowe.1bdbr3.com:3443, tyyx.ooios.mgqlfa.com:3443.
7-host operator: xtcuf.com, xtdli.com, xtfue.com, xtjvn.com, xtlwh.com, xtnmc.com, xtpxd.com. Uniform xt[CCC].com pattern.
7-host operator running long random alphanumeric .vip hostnames: cxwf0r2o9t9w1o9w7.vip, hiut9h0v4l2d7a7v0.vip, ijne8g2c1f5q0f9l5.vip, kmkf1e3z8z8s5q2k0.vip, vbja9y9n8u0w5s2b6.vip, vbjk2x2t9z3m6g7s2.vip, vcve2mcixbkl3kfd32fg.vip.
5-host operator impersonating Pionex (real crypto trading bot platform): pioddnexqye.com, pionexadv.com, etc. The "pionex" substring is the operator's mimicry of the brand.
7-host mix of Cloudflare Pages + .top TLDs: elmapp.pages.dev, ggzszfl.top, ghtsmr.top, hptsmn.top, mgtred.top, qnqb61.top, sizeg.top.
7-host operator impersonating WhatsApp: bd1whatsapp.com, bd2wapp.com, bd2whatsapp.com, bd3wapp.com, bd3whatsapp.com, bdwhatsapp.com, pk6wagetmoney.com. The "bd"/"pk" prefixes suggest Bangladesh/Pakistan targeting.
Entry chunk for the Pages.dev Vue investment-scam kit (vindax cohort build).
Cloudflare-Pages-hosted Vue.js fake-investment kit. ONE operator running brand cohorts (vindax/mint/digtal/pimco impersonation) on *.pages.dev, all sharing the same Vue.js webpack skeleton with cohort-specific branding strings. This anchor catches the vindax-1xy / vindax-9io / mint-5st cohort.
Index page chunk for the Pages.dev Vue investment-scam kit (vindax cohort build). Shows the fake exchange order book.
6-host sister cohort of the random-letter-multitld kit family. Random keyboard-mash hostnames on .icu/.shop.
6-host numbered-brand series: crimsonagility[22|33|55|…].com.
Sister cohort of the existing `cimamedia-speedride-682f` kit: cimamedia0i.com, cimamedia99.com, cimamediaia.com, speedride0i.com, speedridecc.com, speedridezz.com. Same operator, second build hash.
Sister of the existing `nested-subdomain-9003` kit using wildcard-DNS abuse with deeply-nested random subdomains: lycl.cjilea.b7ryzkx.com, lypz.j9ado3.ikxoxfjp.com, uicl.oiusnx0w0.c7m26j3n2k.com:3443 (also serving on non-standard port 3443).
Pakistan-targeting WhatsApp brand impersonation: pak2whatsapp.com, pak3whatsapp.com, pakwhatsapp.com, pk2wapp.com, pk3wagetmoney.com, pk7wagetmoney.com. Sister of the existing `whatsapp-bd-771c` Bangladesh cohort — same kit-as-a-service operator targeting different countries.
Vue.js single-page application deployed across mailNNN.com sister hosts (mail238/279/799 known) as a fake credits / fake banking platform. Users register, "recharge" (deposit), see fabricated balances, and cannot actually withdraw. Chunk names: pages-login-login, pages-recharge-index, pages-withdrawal-index, pages-record-index, pages-user-address-index. index.js is the SPA's entry chunk.
Home/dashboard chunk showing fabricated account balances after login.
4-host operator running "Golden Shield AI" investment-scam brand across multi-TLD: goldenshieldai.homes, goldenshieldai.lat, goldenshieldai.online. Same brand, throwaway TLDs.
4-host operator impersonating DDEX (decentralized exchange brand): ddex319.top, ddex329.top, plus raw IP 112.213.125.56:35971. The raw-IP serving is suspicious infrastructure.
Login page chunk for the mailNNN.com fake-credits Vue SPA. Renders the credential-harvesting form.
3-host random-domain sister cohort surfaced via cosine pivot. tuops.top cohort.
Sister cohort of the existing click-tld-kit-a260ef. 2 hosts: manwasite.cc, mwxz10.cc. Cosine-pivoted at sim=1.0000.
4-host same-prefix multi-TLD operator: dhptgo.cc, dhptgo.sbs, dhptgo.top.
4-host numbered brand series: ldwebsync[32|73|78|…].top.
4-host numbered brand sister of the existing nyedfrt-top-3af6 kit. Hosts: nyadegd856.top, nyduehs598.top, nyduehs621.top.
4-host same-prefix multi-TLD operator: aazzkf.cc, aazzkf.com, aazzkf.org, aazz-kf.com. Sister pattern to aaoopg-eejjkf-02d6.
4-host numbered brand series: slh005.com, slh006.com, …, slhofworld.vip.
4-host operator running Huawei brand impersonation: huaw3.cn, huaw3.com plus wzg56.cc, wzg71.cc sister hosts. "huaw" is the operator-chosen prefix mimicking "huawei".
PIMCO-impersonation cohort of the Pages.dev Vue investment-scam kit. PIMCO (Pacific Investment Management Company) is a major real-world asset manager — this kit lures users into a fake investment platform under that brand.
Sister cohort of the random-letter-multitld kit family. 3 hosts: hjuiwansdjjsdjks.cyou, nbjiwuqnskdkza.icu, nuhjsjjjskwjaksjs.icu. Cosine-pivoted from existing 9d69 and 4ba7 anchors.
Companion build of the zhesin-sister kit.
2-host operator: zhesinc.com, zhesinr.com (variants of "zhesin" brand prefix). Surfaced via cosine pivot.
mint-b1v.pages.dev cohort build of the Pages.dev Vue investment-scam kit.
1 host (minexusvip.com) — Minexus is a real crypto-mining brand. The "vip" suffix is operator-added.
1 host (mufolio-portal-x.com) impersonating a portfolio/asset-management brand. "Mufolio" is operator-coined.
mint-bnq.pages.dev cohort build of the Pages.dev Vue investment-scam kit.
digtal-du.pages.dev cohort build of the Pages.dev Vue investment-scam kit. "Digital" finance brand impersonation (misspelt).
mint-34z.pages.dev cohort build of the Pages.dev Vue investment-scam kit.