https://shooku.tumblr.com/
74.114.154.18 · TUMBLR, INC
Ashburn, United States
7292 days
200 · 36.8s
Valid· E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: tumblr.com
Scanned 3 times since May 27, 2026, 11:33 AM UTC
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
Tumblr (shooku.tumblr.com)
Vendors
26/31
Status
partial
Registered-domain escalation suggested
Suggested now: Submit tumblr.com as the primary IOC, enriched with evidence from hostile subdomains such as shooku.tumblr.com.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: muniea.tumblr.com, shooku.tumblr.com.
No KB/IOK detections were recorded for this scan.
Technology · 6/3/2026
The page loads under the Tumblr subdomain shooku.tumblr.com with a Turkish-language title and content that visually resembles a phishing impersonation page, including a large modal and numerous offer-like items. However, the domain is a Tumblr subdomain (an official platform) rather than an external brand impersonation; the content suggests an unfamiliar or cloaked page potentially phishing Turkish-speaking users. The evidence does not conclusively show credential harvesting in the static HTML, and the page renders as an SPA with dynamic scripts. Given the many third-party ad/script references and a suspicious Turkish-language UI, the page appears to cloak content and could be used for abuse, but the branding alone points to Tumblr infrastructure rather than impersonation of a first-party Tumblr service. The risk remains elevated because imagery and UI elements mimic other brands, but the primary brand shown is Tumblr, not a well-known external brand. The analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: "Fake brands phishing. Only works with Turkish IP proxy." Analyst note: "this target may cloak content or block scanners."
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 20
Hosts: 10
Domains: 6
The page is hosted on a legitimate Tumblr subdomain, but its visual presentation and SPA behavior strongly resemble credential-phishing layouts designed to deceive Turkish-speaking users. The static HTML contains no forms, implying that credentials may be captured via JavaScript within bundled assets, a common phishing technique. The presence of multiple ad/tracking scripts and a large promotional modal increases the risk of abuse, including credential harvesting if forms are rendered dynamically. Given the cloaking indication and the targeted Turkish user base, this warrants cautious escalation and monitoring; if further evidence shows credential collection on this host, escalate to action. No definitive credential harvest was observed in the static HTML, but the observed indicators are high-risk and warrant monitoring and a takedown assessment if confirmed. The analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment ("Fake brands phishing. Only works with Turkish IP proxy. Analyst note: this target may cloak content or block scanners."). Because the analyst context identifies an active phishing or fraud kit, domain suspension is recommended rather than passive monitoring.
Monitor