0/100

critical Risk

bossnet.az

https://bossnet.az/portal/medieval-competitors-voting-authentication-v5a4v1d9q7q1i9n4i9y1

185.32.47.214 · Bossnet LLC

Location

Baku, Azerbaijan

Domain Age

—

HTTP

200 · 24.1s

SSL

Valid· R13, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Choose how to log in | Jagex"

Save

Domain Intelligence: bossnet.az

Scanned 4 times since Mar 9, 2026, 12:41 PM UTC

✗ Critical (100)

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (1)Mar 10, 2026, 02:49 AM UTC

jagex-login-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Jagex

Credential Phishing

technology | ecommerce | finance | gaming | other · 4/5/2026

Summary

The page at hsoutfitters.com presents a login interface titled 'Choose how to log in | Jagex' and visually imitates a Jagex login screen, including a modal resembling the RuneScape login UI. However, the domain hsoutfitters.com is not affiliated with Jagex, and the HTML/network signals indicate credential collection behavior. The URL path and page content impersonate Jagex, constituting a typosquatting/brand-impersonation phishing setup designed to harvest user credentials.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸Off-domain submission or API endpoints observed: https://malazonafatona.ru/webhook, https://api.ipify.org/?format=json, https://oldschool.gamevote.jagex.com.challenge.vote.gallery.community.akherhalawa.ru.ru/webhook.

▸Distinctive asset clues: pf-bague-sans-pro, 34d292378e1b8.jpg, osrs-icon.png.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 3

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 27

Hosts: 6

Domains: 6

Suspicious Endpoints

hxxps://malazonafatona[.]ru/webhook

hxxps://bossnet[.]az/portal/medieval-competitors-voting-authentication-v5a4v1d9q7q1i9n4i9y1

hxxps://api[.]ipify[.]org/?format=json

hxxps://oldschool[.]gamevote[.]jagex[.]com[.]challenge[.]vote[.]gallery[.]community[.]akherhalawa[.]ru[.]ru/webhook

hxxps://api[.]telegram[.]org/bot6740062754:AAExvDoIlZGup2K-WKEdSSNYMQyurc7bQ-s/sendMessage?chat_id=-1002060238268&text=

Off-Domain Posts

hxxps://malazonafatona[.]ru/webhook

hxxps://api[.]ipify[.]org/?format=json

hxxps://oldschool[.]gamevote[.]jagex[.]com[.]challenge[.]vote[.]gallery[.]community[.]akherhalawa[.]ru[.]ru/webhook

hxxps://api[.]telegram[.]org/bot6740062754:AAExvDoIlZGup2K-WKEdSSNYMQyurc7bQ-s/sendMessage?chat_id=-1002060238268&text=

Attack Techniques (7)

Domain impersonation/brand mismatch (hsoutfitters.com presents as Jagex login)Cloned login UI resembling legitimate Jagex/RuneScape authentication flowNetwork requests to external webhook endpoint (malazonafatonaes.ru/webhook) for data exfiltrationUse of multiple login variation handlers and disabled/enabled states to simulate legitimate form behaviorInclusion of social login icons to emulate a standard auth pageSSl certificate from Let's Encrypt and a new domain age (287 days) with suspicious hostingBlocked or mixed content requests to external resources and IP discovery endpoint (api.ipify.org)

Indicators of Compromise (7)

▸Domain: hsoutfitters.com (not official Jagex domain)

▸Page title: 'Choose how to log in | Jagex' (brand mismatch vs domain)

▸Network POST to https://malazonafatonaes.ru/webhook (data exfiltration channel)

▸GET/POST to external IP discovery service: https://api.ipify.org/?format=text

▸SSL certificate issued by Let's Encrypt for hsoutfitters.com (current validity 2026-02-09 to 2026-05-10)

▸Static HTML contains login/password fields and multiple forms with scripts enabling dynamic validation

▸Resource loading includes brand-appropriate icons and fonts from hsoutfitters.com, not from official Jagex assets

Risk AssessmentUsed in abuse reports

High risk: The domain hsoutfitters.com is impersonating a known brand (Jagex) by presenting a login UI consistent with the RuneScape/Jagex authentication flow. The page contains legitimate-looking password fields and login forms, yet it routes data through an external webhook (malazonafatonaes.ru/webhook), indicating data exfiltration. The combination of a clearly misleading page title, brand impersonation, and a direct POST to a non-affiliated webhook strongly suggests credential harvesting. The presence of a newly issued SSL cert and a relatively new domain age further supports the phishing classification. Immediate action recommended: suspend_domain and block_url, with further investigation into the webhook domain and associated infrastructure.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence