https://accounts.evilash.ccwu.cc/pLiZIvOl
43.161.231.117 · Tencent Cloud Computing (Beijing) Co., Ltd
Hong Kong, Hong Kong
264 days
200 · 61.7s
Valid· E8, Let's Encrypt, US
COMPLETED
Domain Intelligence: ccwu.cc
Scanned 4 times since May 9, 2026, 01:35 AM UTC
Registered-domain escalation suggested
Submit ccwu.cc as the primary IOC, enriched with evidence from hostile subdomains like accounts.evilash.ccwu.cc.
2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: accounts.evilash.ccwu.cc, www.qq.com.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | social_media · 6/3/2026
The page presents Tencent branding (title 腾讯网) and loads numerous Tencent/QQ resources, but the domain used is accounts.evilash.ccwu.cc, which does not belong to Tencent. The final URL redirects to www.qq.com, and the HTML content, scripts, and network activity reference Tencent QQ/inews.qq.com domains, suggesting an impersonation attempt that lures victims with Tencent content. The SPA-like page uses numerous external assets and appears to render credential-like UI via JavaScript; off-domain endpoints and POSTs to Tencent analytics/ad services were observed, indicating potential credential harvesting or data exfiltration behavior despite the final redirection to a legitimate Tencent domain.
Capture
Stages: 2
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 176
Hosts: 31
Domains: 5
Suspicious Endpoints
hxxps://i[.]news[.]qq[.]com/api/ip2city
hxxps://tnfe[.]gtimg[.]com/tnt/api/upload/upload_f00cf80729321a253c695896a832a83b.jpg
Off-Domain Posts
hxxps://tnfe[.]gtimg[.]com/tnt/api/upload/upload_f00cf80729321a253c695896a832a83b.jpg
The scan indicates explicit impersonation of the Tencent/QQ brand on a non-official domain (accounts.evilash.ccwu.cc), with multiple off-domain API calls and POSTs to Tencent endpoints, suggesting potential credential harvesting or data exfiltration. The final redirect to www.qq.com may be intended to convince victims that they reached the legitimate site, while the initial requests and assets originate from a suspicious host. The presence of an active SPA rendering forms via JavaScript, numerous external scripts, and off-domain analytics calls elevates the risk. Recommend treating this as a phishing/brand impersonation attempt with data exfiltration risk, and consider takedown actions or suspension of the offending domain if corroborated by hosting/provider policies.