0/100

high Risk

helsana.club

https://helsana.club

172.67.166.153 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

19 days

HTTP

200 · 21.3s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Save

Domain Intelligence: helsana.club

Scanned 2 times since Mar 15, 2026, 12:19 PM UTC

⚠ High (65)

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Unknown

Credential Phishing

finance | technology | ecommerce | cryptocurrency | other · 4/5/2026

Summary

The page at helsana.club presents a 404 Page Not Found in static HTML but loads a Cloudflare beacon script and performs a POST to /cdn-cgi/rum? with no visible login form in the HTML. The SSL cert is from Let's Encrypt and the domain is newly registered (19 days old). Visual indicators in the attached screenshot show no recognizable brand logos, suggesting the page is either a bare, non-functional placeholder or a minimal shell used to stage credential capture via dynamically rendered content. The domain does not match any known major brand from the scanned signals, indicating possible brand impersonation via SPA content loaded at runtime, but no explicit brand identification is present in the static HTML or network IOCs beyond generic Cloudflare assets.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://helsana.club/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 4

Hosts: 2

Domains: 2

Attack Techniques (6)

Newly registered domain (helsana.club) used for phishingSPA-style site rendering credentials via JavaScript (no static login form; forms likely created client-side)External script loading from Cloudflare beacon to monitor or exfiltrate dataPOST to /cdn-cgi/rum? (likely used for tracking or data exfiltration in some cloaked fashion)Brand impersonation attempt without visible brand identifier in static HTMLSSL certificate from Let's Encrypt (common for inexpensive, quickly deployed phishing sites)

Indicators of Compromise (5)

▸Domain: helsana.club (new registration, 19 days old)

▸POST request observed to https://helsana.club/cdn-cgi/rum? (204 No Content)

▸External script: https://static.cloudflareinsights.com/beacon.min.js/v8c78df7c7c0f484497ecbca7046644da1771523124516

▸IP address resolved to Cloudflare (indicating WAF/CDN use) but not branding

▸SSL: Let's Encrypt certificate issued Feb 23 2026, valid through May 24 2026

Risk AssessmentUsed in abuse reports

This site is actively hosting a suspicious page likely intended for credential collection or data exfiltration, yet the static HTML shows no login form and no brand identifiers. The presence of a dynamic SPA and a Cloudflare beacon suggests evasion of static scanners while still attempting to intercept user input. The domain age and new SSL cert add to the risk profile. The lack of visible brand branding in the HTML, combined with the 404-like static content, strongly indicates a behind-the-scenes credential capture mechanism targeting unaware visitors. This warrants immediate action to suspend the domain and investigate potential hosting infrastructure links to credential harvesting operations.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence