https://accounts.evilash.ccwu.cc/YZaKpVyf
43.161.231.117 · Tencent Cloud Computing (Beijing) Co., Ltd
Hong Kong, Hong Kong
264 days
200 · 25.7s
Valid · E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: ccwu.cc
Scanned 4 times since May 9, 2026, 01:35 AM UTC
Registered-domain escalation suggested
Suggested now: Submit ccwu.cc as the primary IOC, enriched with evidence from hostile subdomains like accounts.evilash.ccwu.cc.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: accounts.evilash.ccwu.cc, www.qq.com.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | education | other · 6/3/2026
The page presents Google Docs branding and a Google Docs page title on a non-official domain (accounts.evilash.ccwu.cc). Visual impersonation is evident, including a Google Docs style UI and an embedded iframe that renders content from the page itself. There is no static login form in the initial HTML, but the SPA behavior and iframe suggest credential capture may be performed via dynamically loaded content. This is consistent with impersonation/phishing intent rather than legitimate first-party usage.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 6
Hosts: 4
Domains: 3
The scan shows strong impersonation signals: the hostname is not a Google-owned domain, yet the page title and UI mimic Google Docs. The presence of an iframe and dynamic content loading strongly suggests a credential collection surface designed to deceive users into entering information under the guise of Google Docs. The certificate is legitimate (Let’s Encrypt) but the domain is newly registered (264 days) and hosted on Tencent Cloud, which does not mitigate risk. Given the clear impersonation signals and SPA-based credential surface, this is a high-risk phishing site requiring remediation.