hsoutfitters.com

https://hsoutfitters.com/portal/medieval-competitors-voting-authentication-v5a4v1d9q7q1i9n4i9y1

107.161.23.11 · RAMNODE

Location

Atlanta, United States

Domain Age

287 days

HTTP

200 · 24.1s

SSL

Valid· R12, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Choose how to log in | Jagex"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Jagex

Vendors

30/30

Status

completed

✓ cisa✓ avg✓ brightcloud✓ drweb✓ bitdefender✓ norton✓ polyswarm✓ sophos✓ yandex✓ microsoft✓ urlquery✓ apwg✓ apple✓ emsisoft✓ avast✓ urlscan✓ spamhaus✓ phishreport✓ openphish✓ virustotal✓ isitphish✓ urlabuse✓ kaspersky✓ google✓ mcafee✓ netcraft✓ phishtank✓ eset✓ fortiguard✓ threatyeti

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Jagex

Credential Phishing

Summary

This page presents a login flow branded as Jagex (Choose how to log in | Jagex) but is hosted on hsoutfitters.com. The domain does not belong to the legitimate Jagex site, and the visual UI mirrors a Jagex-style login, including a password field and multiple login options. The domain impersonation, coupled with a malicious webhook POST to an external domain, indicates credential harvesting.

Attack Techniques (5)

Typosquatting/brand impersonation via non-official domain hsoutfitters.com while displaying Jagex brandingCloned SPA-like login UI with logo and layout resembling Jagex authentication pageBrand asset loading from the page that implies impersonation (icons suggests gaming brand) and external webhook exfiltrationExternal POST to an untrusted webhook endpoint (malazonafatonaes.ru/webhook) for data exfiltrationSuspicious external resource requests and mixed content, including font CDN calls and an external osrs-like iconography

Indicators of Compromise (6)

▸DOMAIN: hsoutfitters.com (not the official jagex.com) – IOC

▸PAGE TITLE: Choose how to log in | Jagex – brand signal

▸POST to https://malazonafatonaes.ru/webhook – exfiltration endpoint

▸Network requests include external assets and a 24-script load from hsoutfitters.com; fonts.cdnfonts.com requests returning 500

▸SSL cert issued by Let's Encrypt for hsoutfitters.com (valid Feb–May 2026) and domain age approximately 287 days

▸URL path includes medieval-competitors-voting-authentication-... which resembles a login/authentication flow

Risk AssessmentUsed in abuse reports

The page hsoutfitters.com/portal/medieval-competitors-voting-authentication-v5a4v1d9q7q1i9n4i9y1 presents a legitimate-looking Jagex login interface but resides on a non-official domain. The presence of a login form with password input, combined with a POST to an external webhook, strongly indicates credential harvesting. Visual branding mimics Jagex (title and UI), and page source includes multiple scripts and assets to reproduce a branded login experience. The site uses a Let's Encrypt certificate (valid for a limited period) and shows a relatively young domain (287 days), which is suspicious for a credential phishing operation. This is a high-risk impersonation attempt requiring immediate takedown and domain suspension.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence