https://accounts.evilash.ccwu.cc/LGrnlbuj
43.161.231.117 · Tencent Cloud Computing (Beijing) Co., Ltd
Hong Kong, Hong Kong
264 days
200 · 27.6s
Valid · E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: ccwu.cc
Scanned 4 times since May 9, 2026, 01:35 AM UTC
Registered-domain escalation suggested
Suggested now: Submit ccwu.cc as the primary IOC, enriched with evidence from hostile subdomains like accounts.evilash.ccwu.cc.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: accounts.evilash.ccwu.cc, www.qq.com.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | other · 6/3/2026
The page presents a security check UI with an embedded iframe loading content from the same domain path, and the screenshot shows a generic credential-collection style card without explicit branding. The domain does not match a known large brand, and WHOIS shows a recently registered domain with a Let’s Encrypt SSL. The SPA-like behavior and iframe suggest potential credential collection via dynamic content, but there is insufficient explicit evidence of a specific brand impersonation in the static HTML. Treat as suspicious due to iframe usage and SPA rendering; further investigation required to confirm credential harvesting or impersonation against a known brand.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 2
Hosts: 1
Domains: 1
The domain is new (264 days old per WHOIS), uses a wildcard Let’s Encrypt certificate, and loads an iframe from the same domain that renders a credential-like UI. The attached screenshot shows a generic verification dialog rather than a recognized brand login interface, but the presence of an iframe-based UI and dynamic loading strongly suggests a potential credential capture flow. Given the combination of SPA rendering, iframe usage, and lack of visible legitimate branding, this warrants cautious interpretation as a suspicious login-collection attempt on a non-brand domain. Recommend monitoring and additional verification of any credential collection endpoints or data exfiltration behaviors.
Monitor