https://github.app916842.com/
172.67.216.187 · Cloudflare, Inc.
Toronto, Canada
10 days
403 · 21.4s
Valid · E7, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit app916842.com as the primary IOC, enriched with evidence from hostile subdomains like github.app916842.com.
No KB/IOK detections were recorded for this scan.
Scanner blocked by Cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
technology | software_development · 4/5/2026
The page presents GitHub branding in the domain name but the host is a recently registered, suspiciously branded domain (github.app916842.com) under Cloudflare with a 403/blocked presentation. Domain intelligence indicates impersonation signals (brand in domain) and a WAF-block page was encountered, suggesting the operator is attempting to evade analysis. No definitive credential harvesting visible in static HTML, but the SPA hints and Cloudflare challenge activity imply possible credential capture mechanisms embedded in dynamic content.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 15
Hosts: 3
Domains: 3
No specific IOCs identified in source
The domain is newly registered and uses a brand name in the domain that imitates a well-known service (GitHub). The scanner was blocked by a WAF, indicating active evasion of security tooling. The page appears to be an impersonation clone designed to look like GitHub, with dynamic credential collection likely delivered via SPA JavaScript and Cloudflare challenge infrastructure. While static HTML shows no forms, the observed network activity and fingerprints strongly suggest credential capture capabilities may be present. Recommend monitoring and precautionary action pending fuller content visibility; the combination of impersonation signals and anti-scan blocking elevates risk.
Monitor