snoser.top

https://SNOSER.TOP

172.67.206.226 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

8 days

HTTP

200 · 26.0s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Mortar Project — инструменты. анонимность. результат."

Save

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Google

Unknown

technology | other · 6/3/2026

Summary

The page presents branding that resembles a tech/product site named 'Mortar Project' with Cyrillic text. The domain snoser.top is new (8 days old) and uses a Cloudflare-protected host with a Let's Encrypt SSL certificate. There is evidence of dynamic content rendering (SPA) with no static login forms in the HTML, but a POST to /cdn-cgi/rum? and external script/asset loading, including a Cloudflare beacon. Visual branding in the screenshot does not clearly impersonate a widely recognized financial or social platform, but the strong, glossy branding and the presence of credential-capture indicators are inconclusive from static HTML alone. Given the combination of a new, suspicious-top-level-domain site, SPA behavior, and a POST beacon endpoint, there is potential for credential collection, but no direct, explicit impersonation of a specific first-party brand is proven from the provided evidence.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://snoser.top/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, css2.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 8

Hosts: 4

Domains: 4

Attack Techniques (0)

Indicators of Compromise (0)

No specific IOCs identified in source

Risk AssessmentUsed in abuse reports

The site is a recently registered domain with vanity branding and dynamic content delivery. Although there is no static credential form in the HTML, the SPA nature means credential collection could occur within JavaScript. The POST beacon to /cdn-cgi/rum? and loading of Cloudflare beacon scripts indicate standard analytics usage, but the combination of a new domain on a suspicious TLD and potential UI that resembles a branded product warrants cautious monitoring. The visual branding in the screenshot hints at a polished interface, which could be used for phishing if impersonating a known brand, but there is no explicit first-party brand impersonation confirmed from the evidence. Recommend monitoring and further verification of the actual content rendered by the SPA and any credential collection endpoints.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence