https://accounts.evilash.ccwu.cc/
43.161.231.117 · Tencent Cloud Computing (Beijing) Co., Ltd
Hong Kong, Hong Kong
264 days
200 · 22.3s
Valid · E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: ccwu.cc
Scanned 4 times since May 9, 2026, 01:35 AM UTC
Registered-domain escalation suggested
Suggested now: Submit ccwu.cc as the primary IOC, enriched with evidence from hostile subdomains like accounts.evilash.ccwu.cc.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: accounts.evilash.ccwu.cc, www.qq.com.
No KB/IOK detections were recorded for this scan.
technology | other · 6/3/2026
The page at accounts.evilash.ccwu.cc shows a default nginx welcome screen, with no login forms or credential capture UI in the static HTML. Network requests include a call to ipify.org, and the SSL cert is a Let's Encrypt wildcard for evilash.ccwu.cc. The page title and content do not reveal a legitimate brand impersonation, and there is no evidence of a login form or brand-specific UI in the static content. Because the screenshot shows a generic nginx page rather than a branded impersonation, there is insufficient evidence of credential phishing on this page itself. However, the domain is 264 days old, has an unusual registration (Unstoppable Domains), and carries a recent SSL cert; the overall risk is low based on the current data, but the site could be a placeholder or part of a broader malicious infrastructure.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 1
Hosts: 1
Domains: 1
No suspicious indicators identified
The scan indicates a minimal, non-brand-specific nginx landing page with no credential collection UI. The presence of a wildcard SSL for a non-official domain and the unusual domain registration details suggest potential infrastructure setup rather than a direct phishing page. There is no evidence of first-party branding, impersonation, or credential harvesting on the captured page. Recommend monitoring the domain for any future changes or embedded assets pointing to impersonation or credential capture, and consider blocking if broader context indicates abuse activity. The site’s branding is not matched to a known legitimate service, and there is no login surface observed in this snapshot.
Monitor