https://uzu.astralspriggan.vip/
172.67.153.156 · Cloudflare, Inc.
Toronto, Canada
42 days
200 · 24.8s
Valid · E7, Let's Encrypt, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand: astralspriggan.vip
Vendors: 30/31
Status: partial
Registered-domain escalation
Submit astralspriggan.vip as the primary IOC, enriched with evidence from hostile subdomains like uzu.astralspriggan.vip.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | other · 6/3/2026
The page at uzu.astralspriggan.vip presents a generic domain registration notice with no evident login forms in the static HTML. However, the SPA-style hints (dynamic credential capture potential) and the analyst notes suggest cloaking behavior and possible phishing content served conditionally. The page content itself is a neutral domain-registered message, but the rendered view is cloaked to resemble a brand-driven login page when accessed from certain origins. This is supported by the included Cloudflare beacon and a POST to a RUM endpoint, indicating potential data collection activity without a visible form in the static HTML. The analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Website is cloaking for Turkish IP + Google Search + Mobile Device or smaller window login. If client is using Turkish IP and coming from Google with Mobile Device or smaller window simulation, it opens the website with...
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 4
Hosts: 2
Domains: 2
The page shows cloaking indicators and dynamic content rendering behavior that could be used for credential collection without obvious static forms. While the static HTML does not include a login form, the analyst notes and network requests imply possible hidden credential capture via JavaScript, potentially serving different content to certain users. The combination of a new domain, a Cloudflare analytics beacon, and a suspicious POST endpoint raises the risk of credential phishing through an SPA that may render a login form at runtime. Recommend monitoring and further verification; if impersonation of a brand is observed in runtime content, treat as phishing. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Website is cloaking for Turkish IP + Google Search + Mobile Device or smaller window login. If client is using Turkish IP and coming from Google with Mobile Device or smaller window simulation, it opens the website with...).
Monitor