https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://profilerr.net/uk/najkrashi-chiti-dlya-cs2/&ved=2ahUKEwimpuvrnpWVAxUhUlUIHbpwKEYQFnoECA8QAQ&sqi=2&usg=AOvVaw13ek5NiGTC3ZJiCiytNbEU
142.251.156.119 · Google LLC
Mountain View, United States
10505 days
200 · 87.0s
Valid· WR2, Google Trust Services, US
COMPLETED
Domain Intelligence: google.com
Scanned 5 times since Feb 14, 2026, 10:58 AM UTC
Registered-domain escalation
Submit google.com as the primary IOC, enriched with evidence from hostile subdomains like www.google.com.
No KB/IOK detections were recorded for this scan.
gaming | technology · 7/19/2026
The final URL resolves to profilerr.net with Ukrainian language content offering CS2 cheats. The page title and content clearly impersonate a cheat site for CS2, but the domain is profilerr.net, not a major official brand. There are multiple external tracking/analytics requests and references to cheats, with a potential for credential harvesting, though the static HTML shows no login form or password field. The page displays branding that mimics legitimate gaming/cheat portal aesthetics, and the screenshot indicates CS2 cheat content. Overall, evidence supports a phishing/impostor potentially built to harvest user interactions or deliver malicious scripts, but there is no explicit credential capture form observed in the static HTML. More data would be needed to confirm credential phishing; the presence of suspicious endpoints and SPA behavior suggest abuse potential.
Capture
Stages: 1
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 2
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 91
Hosts: 5
Domains: 5
Suspicious Endpoints
hxxps://profilerr[.]net/uk/api/state
hxxps://profilerr[.]net/uk/api/comments/post/9cc01468-8916-4d73-be80-68b5c36d1084?
hxxps://profilerr[.]net/uk/najkrashi-chiti-dlya-cs2/
The page appears to be Profilerr's content page for CS2 cheats, which is plausible as an abuse site for distributing cheat content. The branding aligns with Profilerr rather than an official CS2 brand, indicating impersonation potential. The presence of analytics POSTs and multiple external scripts suggests data collection of user interactions, which could be used for misuse. The page lacks an obvious credential harvesting form in the static HTML, but SPA behavior means forms could be rendered later via JavaScript. Given the impersonation signals and suspicious endpoints, this warrants monitoring and potential takedown actions if confirming credential harvesting or distribution of illicit cheats; for abuse reports, classify as high-risk impersonation with potential data exfiltration.
Monitor