0/100

low Risk

uhq.su

https://uhq.su/

104.21.87.7 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

—

HTTP

403 · 16.9s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Just a moment..."

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

uhq.su

Vendors

28/31

Status

partial

✓ spamhaus✓ apwg✓ cisa✓ virustotal✓ netcraft✓ emsisoft✓ urlscan✓ phishreport✓ brightcloud✓ eset✓ bitdefender✓ chainpatrol✗ avast✓ kaspersky✓ microsoft✓ polyswarm✗ threatyeti✓ apple✓ yandex✓ sophos✓ isitphish✓ urlquery✓ openphish✓ avg✗ norton✓ phishtank✓ drweb✓ urlabuse✓ mcafee✓ google✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Scanner blocked by cloudflare

This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.

Uhq.su

Unknown

technology | finance | ecommerce | other · 6/3/2026

Summary

The page presented is a Cloudflare-protected 403/Just a moment page at uhq.su, with SSL issued recently and suspected typosquint signals related to DHL. The visible HTML shows a security verification prompt typical of Cloudflare challenges, and the page includes dynamic scripts and requests to Cloudflare Turnstile endpoints, suggesting an anti-bot/captcha flow rather than a credential harvesting surface. There is no clear evidence of an impersonated brand at this time based on page content; the page title and branding do not display a known brand identity beyond the uhq.su domain, and credential collection UI is not observable in the static HTML. Given the strong anti-bot protections and lack of concrete impersonation signals, the current data does not conclusively indicate phishing against a specific brand.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://uhq.su/cdn-cgi/challenge-platform/h/b/flow/ov1/717977852:1779984624:mHBI6UYOkIhAAOLXxFOBSFj-gXARHLobQlCwA02Q00c/a02eaf143f609630/HUNaHUlQZuzdyAJUVAm7yTls27i1ic8pwDPprSHUJM8-1779986245-1.2.1.1-GE13pDFKapHZNfbl7H.aMgarLiJrQS0ui6KLuzd9JlC7J1NBbFcRdS_3OOJes1GQ, https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/3183894466:1779984626:WdVtbg1Aqx1E9CIYX5MQHMz6PIrLywEbODwRc8ZvH60/a02eaf16dba36b0e/iYYxqO7jG4mCPJYqDAHj9IFtykNAjfzmBSE0q.KLu34-1779986246-1.2.1.1-5gQhqQ4uL2WMayBdqi6qj.S.RYH75nTNVTts0jcfxC._S2frq86NA0s22qSV23Qo, https://uhq.su/cdn-cgi/challenge-platform/h/b/flow/ov1/717977852:1779984624:mHBI6UYOkIhAAOLXxFOBSFj-gXARHLobQlCwA02Q00c/a02eaf3c79a39630/9El_7hQI_FMqCv4up.VCM6TzHGEbuaRQpwdAz8GK0ZY-1779986252-1.2.1.1-zyxlAl1Qql_3CriRsJ2dy8LPz0BbUIiRlqxXdBouxy4YmdpmA8hydWSuX8cUJpk8.

▸Distinctive asset clues: v1, api.js, 1, eRUkOmPDd-BIOcl.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 21

Hosts: 2

Domains: 2

Observed Signals (1)

SPA-like behavior suspected due to zero static forms and dynamic credential capture risk within loaded JavaScript

Observed Indicators (1)

▸Potential typosquat risk signal pointing to DHL-brand similarity in risk factors

Risk AssessmentUsed in abuse reports

The site currently presents a Cloudflare-based anti-bot verification page and does not show concrete impersonation of a known brand in the provided UI. However, the presence of dynamic credential collection logic within SPA scripts cannot be ruled out, and the domain has a recent SSL certificate and Cloudflare challenge components which are commonly used for both legitimate protection and phishing infrastructure. Given the combination of a nonresponsive 403 page, Cloudflare challenge activity, and the potential typosquat risk signal, monitor for any Brand impersonation signals in subsequent fetches or domain activity. The current evidence does not establish a clear phishing or credential-harvesting abuse against a specific brand.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence