0/100

medium Risk

tr.superbahis3.live

https://tr.superbahis3.live/

172.67.135.90 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

1 day ⚠

HTTP

200 · 22.2s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Redirect Chain (2 hops)

302https://tr.superbahis3.live/

301https://up724.com/zIhwh

Visual Evidence

Zoom

Title: "Süperbahis | Elitbahis Güvenli Geçiş & Kampanyalar"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Elitbahis (presented as Süperbahis/Elitbahis combined branding)

Vendors

29/31

Status

partial

✓ apwg✓ cisa✓ isitphish✓ avast✓ avg✓ bitdefender✓ chainpatrol✓ eset✓ microsoft✓ yandex✗ threatyeti✓ sophos✓ openphish✓ polyswarm✗ norton✓ brightcloud✓ apple✓ netcraft✓ spamhaus✓ urlquery✓ urlscan✓ emsisoft✓ phishreport✓ phishtank✓ virustotal✓ drweb✓ urlabuse✓ kaspersky✓ mcafee✓ fortiguard✓ google

Registered-domain escalation

Submit superbahis3.live as the primary IOC, enriched with evidence from hostile subdomains like tr.superbahis3.live.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Elitbahis (presented as Süperbahis/Elitbahis combined branding)

Unknown

gambling | technology · 4/29/2026

Summary

The page is hosted at a new domain tr.superbahis3.live but redirects to venusmedya.net/superbahis.html. Visual branding imitates Elitbahis and Süperbahis styling, with Turkish text and embedded banners. However, the final URL differs from the initial domain, and the HTML shows a redirect/SPA-like setup with no static login form. The page appears to clone or impersonate betting brands, supported by the presence of deceptive redirect, off-brand hosting, and suspicious POST endpoints to cdn-cgi/rum? on external domains. There is no definitive credential harvesting form in static HTML, but dynamic credential capture could be present in the SPA JavaScript. Given the branding and suspicious redirect chain, this warrants attention for impersonation and potential credential phishing risk, though the evidence is not yet conclusive for active credential collection on the visible page.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://venusmedya.net/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, all.min.css, css2, 728x90x.gif, 728x90.gif.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 15

Hosts: 7

Domains: 7

Attack Techniques (4)

Brand impersonation via visual design resembling Elitbahis / SüperbahisSPA/JS-rendered UI with credentials captured in dynamic content (no static login form in HTML)Off-domain POST requests to cdn-cgi/rum? endpoints (potential data exfiltration channels)Redirect chain to a third-party domain (venusmedya.net) and URL shortening/redirect patterns (url24.link) to obfuscate Final URL

Indicators of Compromise (1)

▸POST requests to https://venusmedya.net/cdn-cgi/rum? and https://www.elitbahis926.com/cdn-cgi/rum? (204 responses) suggesting data exfiltration endpoints

Risk AssessmentUsed in abuse reports

The scan indicates strong impersonation signals: the visual branding aligns with Elitbahis, Süperbahis, and related campaigns, while the final URL is hosted on a different domain and redirects through multiple third-party hosts. The presence of off-domain POST endpoints and a SPA-like structure that could render credential collection scripts raises the risk of credential phishing or data harvesting. The combination of a very new domain, redirected final URL, and cross-domain exfiltration endpoints supports classifying this as suspicious/abusive, warranting containment actions and further verification with registrars and hosting providers. Monitor and consider domain and hosting takedown actions if corroborated by abuse teams.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence