0/100

high Risk

www.superbahis1832.com

https://www.superbahis1832.com/

104.17.112.244 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

35 days

HTTP

200 · 23.7s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Superbahis"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Superbahis (www.superbahis1832.com)

Vendors

30/31

Status

partial

✗ norton✓ polyswarm✓ sophos✓ yandex✓ eset✓ microsoft✓ bitdefender✓ brightcloud✓ chainpatrol✓ avast✓ apple✓ emsisoft✓ spamhaus✓ apwg✓ phishreport✓ urlquery✓ cisa✓ openphish✓ drweb✓ isitphish✓ urlscan✓ netcraft✓ virustotal✓ phishtank✓ urlabuse✓ avg✓ mcafee✓ kaspersky✓ threatyeti✓ google✓ fortiguard

Registered-domain escalation

Submit superbahis1832.com as the primary IOC, enriched with evidence from hostile subdomains like www.superbahis1832.com.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Superbahis (www.superbahis1832.com)

Data Harvesting

gambling · 6/3/2026

Summary

The page presents Superbahis branding but the domain is a newly registered, suspicious domain not associated with the official Superbahis brand. The final URL path /bahis and SPA-style assets render a betting portal with multiple external/tracking scripts and an inline consent modal. Evidence strongly suggests potential credential collection in a SPA context via dynamic forms, API endpoints related to session start and betslip, and an uncoupled hosting/domain with Cloudflare protection. While not definitive phishing for credentials from static HTML, the combination of impersonation signals and dynamic credential capture risk warrants Abuse review.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://www.superbahis1832.com/cdn-cgi/challenge-platform/h/b/jsd/oneshot/0b8fb825cb67/0.11932789166519431:1777544912:OTn8Hca5wVKIUaVOe9EurPeIIuqBvJn3RmDal4KlYo8/9f462d630ba9f9a9.

▸Distinctive asset clues: scripts.332984425e4e5793.js, runtime.0377f4393f975fbc.js, styles.6a1b211505aaffd4.css, superbahis-tr.06b750ce.css, v.gif, live-casino.svg.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 112

Hosts: 7

Domains: 7

Suspicious Endpoints

hxxps://www[.]superbahis1832[.]com/api/SessionServices/V1/ServiceV1_5/session/start?domainId=superbahis-tr

hxxps://www[.]superbahis1832[.]com/api/ContentServices/V1/ServiceV1_1/seo/adHocRedirects

hxxps://www[.]superbahis1832[.]com/api/ContentServices/V1/ServiceV1_1/gateways

hxxps://www[.]superbahis1832[.]com/api/ContentServices/V1/ServiceV1_1/footer

hxxps://www[.]superbahis1832[.]com/api/ContentServices/V1/ServiceV1_1/promotions?hasUserEverLoggedIn=false&group=promotions

hxxps://www[.]superbahis1832[.]com/api/ContentServices/V1/ServiceV1_1/hiddenMarkets

Attack Techniques (5)

impersonation of a known betting brand (Superbahis) on a new domainSPA-based credential collection risk due to absence of static forms but presence of dynamic JS bundlesuse of multiple external and internal API endpoints related to session, promotions, assetspresence of 0 static login fields in HTML but possible credential capture via JavaScriptuse of Cloudflare and multiple third-party script sources (potentially for anti-blocking or loading services)

Indicators of Compromise (9)

▸Page title: Superbahis

▸Branding visible on page (top navigation menu: Spor, Canli, Casino, Promosyonlar, Aviator, etc.)

▸Final path /bahis implying betting domain

▸SSL cert issued by Google Trust Services for domain www.superbahis1832.com

▸Domain age 35 days, recent registration

▸Multiple API endpoints listed under /api/... suggests dynamic content loading

▸Iframe-like content and external script hosts (widgets.sir.sportradar.com, dev.visualwebsiteoptimizer.com)

▸POST request to /cdn-cgi/challenge-platform/h/b/jsd/... oneshot script (challenge platform) indicating anti-bot/verification integration

▸No static login form present in HTML; credential UI likely rendered by JS bundles

Risk AssessmentUsed in abuse reports

The site impersonates a known betting brand (Superbahis) on a new domain with SPA rendering and multiple external scripts. The observed dynamic endpoints such as /api/SessionServices/.../session/start and /api/ContentServices/.../promotions, combined with a lack of static login fields, strongly indicate potential credential collection via JavaScript-rendered UI. The use of Cloudflare and a recent domain creation further adds risk. This warrants suspend/monitor actions and a closer abuse investigation for potential credential harvesting, adtech misuse, or data exfiltration pathways. Recommend blocking or monitoring while verifying brand legitimacy and ownership.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence