0/100

medium Risk

detuks-client.com

https://detuks-client.com/

172.67.138.101 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

103 days

HTTP

200 · 28.5s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Detuks Client | Premium OSRS Plugins"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Detuks Client

Vendors

30/30

Status

completed

✓ openphish✓ phishreport✓ microsoft✓ sophos✓ eset✓ yandex✓ drweb✓ brightcloud✓ polyswarm✓ avast✓ norton✓ bitdefender✓ avg✓ fortiguard✓ apple✓ isitphish✓ urlquery✓ urlabuse✓ cisa✓ netcraft✓ apwg✓ emsisoft✓ spamhaus✓ phishtank✓ virustotal✓ urlscan✓ kaspersky✓ mcafee✓ google✓ threatyeti

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Detuks Client

Data Harvesting

technology | ecommerce · 4/15/2026

Summary

The page presents as Detuks Client, a RuneLite-based OSRS plugin store/client. However, the static HTML contains no forms, and the SPA is heavy with external JS bundles. Visual cues and the screenshot indicate a consumer-facing product site rather than a classic credential-phishing page, but the SPA rendering means credential capture could occur in the executed JavaScript. The domain age is moderate (103 days) with a recent certificate. There is no explicit impersonation of a well-known brand in the visible branding, but the page’s structure and numerous external scripts warrant caution for credential collection via dynamic UI.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://detuks-client.com/cdn-cgi/rum?, https://api2.amplitude.com/2/httpapi.

▸Distinctive asset clues: main-app-6b8d4ceb5e59942e.js, error-f7e1818e465b4f3d.js, ee3a50f84b291c21.css, caa2aa8cacec3968.css, 34562783-0ed9-4a42-99a5-69c57cf52775-inferno.webp, c4082f0b-d489-4a0e-ae9b-7edfd8030142-colosseum.webp.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 77

Hosts: 5

Domains: 3

Suspicious Endpoints

hxxps://detuks-client[.]com/api/auth/get-session

hxxps://detuks-client[.]com/api/trpc/user.get?batch=1&input=%7B%220%22%3A%7B%22json%22%3Anull%2C%22meta%22%3A%7B%22values%22%3A%5B%22undefined%22%5D%2C%22v%22%3A1%7D%7D%7D

Attack Techniques (3)

Single-Page Application (SPA) rendering forms via JavaScript (static HTML contains 0 forms; 62 scripts loaded).Heavy use of external JS bundles and dynamic content loading to render UI and potential credential capture forms.External image assets and fonts loaded from the same domain with branding centered on 'Detuks Client'.

Indicators of Compromise (6)

▸Page title and meta description clearly state 'Detuks Client | Premium OSRS Plugins' and 'OSRS Official Client' branding.

▸No static login forms detected in HTML; SPA likely renders forms client-side.

▸POST to https://detuks-client.com/cdn-cgi/rum? (204) and POST to https://api2.amplitude.com/2/httpapi (200) indicating analytics and possible abuse telemetry.

▸SSL cert issued to detuks-client.com by Google Trust Services; domain age ~103 days; Cloudflare IP 172.67.138.101.

▸External script sources point to detuks-client.com/_next/static/chunks/... indicating Next.js SPA.

▸Visual screenshot shows OSRS plugin storefront with bright UI rather than a classic credential form; no explicit impersonation of a well-known external brand inferred from visible branding in the screenshot.

Risk AssessmentUsed in abuse reports

The site is a live SPA-based product site for Detuks Client with OSRS plugins. There is no clear credential-harvesting form visible in static HTML, but the SPA architecture means credential capture could be performed by dynamically loaded JavaScript. The scanner detected 62 external scripts and several network requests, including an analytics endpoint, which can be normal for a storefront but also provides an avenue for hidden analytics or data exfiltration if misused. Given the lack of static forms and the branding aligned with the Detuks brand, there is not strong evidence of impersonation of a third-party brand, but the dynamic rendering and WAF-related network activity warrant cautious monitoring for potential credential collection via the SPA.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence