https://s-a-o-r-s-a.tumblr.com/
74.114.154.22 · TUMBLR, INC
Ashburn, United States
7292 days
200 · 61.0s
Valid · E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: tumblr.com
Scanned 3 times since May 27, 2026, 11:33 AM UTC
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
tumblr.com
Vendors
27/31
Status
partial
Registered-domain escalation suggested
Suggested now: Submit tumblr.com as the primary IOC, enriched with evidence from hostile subdomains like s-a-o-r-s-a.tumblr.com.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: muniea.tumblr.com, shooku.tumblr.com.
No KB/IOK detections were recorded for this scan.
technology | ecommerce | finance | social_media · 6/3/2026
The page is served from s-a-o-r-s-a.tumblr.com with a Turkish language UI and a design that resembles a generic promo/dashboard rather than a canonical Tumblr interface. The HTML indicates no static login form, but SPA-like behavior with multiple JavaScript assets. The analyst notes and evidence suggest cloaking and potential brand faking to scam Turkish users, but the page appears to be hosted on Tumblr’s infrastructure under a subdomain. The combination of SPA assets, Turkish branding, and the analyst context raises suspicion of impersonation or abuse, though direct credential collection signals are not conclusively visible in the static HTML. Further behavioral signals from runtime credential capture would be needed to confirm phishing. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Faking our brand on Tumblr and cloaking only for Turkish IP. Scamming our users. Analyst note: this target may cloak content or block scanners.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 21
Hosts: 10
Domains: 6
No suspicious indicators identified
The page is hosted on a legitimate Tumblr subdomain and uses standard Tumblr assets, but the analyst notes explicitly flag cloaking and Turkish-language impersonation aimed at scamming users. The presence of SPA patterns with no static login form, combined with ad/analytics integrations and a suspicious visual presentation in Turkish, supports a concern for potential impersonation or abuse targeting Turkish users. The risk is elevated due to cloaking indicators mentioned by the analyst, though artifact-based evidence in static HTML does not definitively prove credential phishing at this time. Recommend monitoring and additional investigation into runtime credential capture behavior. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Faking our brand on Tumblr and cloaking only for Turkish IP. Scamming our users. Analyst note: this target may cloak content or block scanners.).
Monitor