0/100

high Risk

lemon.trueforceteam.ru

https://lemon.trueforceteam.ru/oyzy4kx8fjoz.html

91.92.243.119 · Omegatech LTD

Location

New York, United States

Domain Age

—

HTTP

200 · 59.6s

SSL

Valid· R12, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Sign In"

Save

Registered-domain escalation

Submit trueforceteam.ru as the primary IOC, enriched with evidence from hostile subdomains like lemon.trueforceteam.ru.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

AOL

Credential Phishing

Technology · 4/5/2026

Summary

The page presents a Sign In interface that visually imitates AOL branding, but the domain lemon.trueforceteam.ru is not an official AOL domain. The UI shows a credential collection form rendered by JavaScript (SPA behavior) with a password field, and a suspicious off-domain POST target to https://easytrueforce.shop/... indicating credential exfiltration. The page title is Sign In and resources include a script pz4pp3b1jkpu.js loaded from the same domain, while an external POST endpoint on a different domain suggests credential theft flow. SSL is valid but issued recently; domain appears untrusted and the IP is registered to an unknown entity. Overall, evidence supports credential phishing via impersonation of AOL, delivered through a SPA login UI that collects credentials and transmits them to an attacker-controlled domain.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://easytrueforce.shop/dtnwpjkbsoxywsdlmbmjesljolcaolkhiyxtiyjoqihdgn.

▸Distinctive asset clues: pz4pp3b1jkpu.js.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 0

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 6

Hosts: 2

Domains: 2

Attack Techniques (5)

Brand impersonation (AOLing branding on a non-official domain)Single-Page Application (SPA) rendering credential login via external JavaScriptCredential collection form rendered dynamically (no static HTML form)Exfiltration to an off-domain endpoint (POST to easytrueforce.shop)Use of free SSL cert from Let's Encrypt on a dubious domain

Indicators of Compromise (8)

▸Page title: Sign In

▸Brand visuals resembling AOL (top navigation, dark theme) on domain lemon.trueforceteam.ru

▸Password input field present in UI

▸Static HTML contains 0 forms; credential UI rendered by external script pz4pp3b1jkpu.js

▸POST request observed to https://easytrueforce.shop/dtnwpjkbsoxywsdlmbmjesljolcaolkhiyxtiyjoqihdgn

▸External script loaded from lemon.trueforceteam.ru (pz4pp3b1jkpu.js)

▸IP resolve to Omegatech LTD; domain appears untrusted/low reputation

▸SSL certificate issued 3 days prior to scan (Let’s Encrypt)

Risk AssessmentUsed in abuse reports

The scan shows strong phishing signals: the page imitates AOL branding on a non-official domain and dynamically renders a login form that captures credentials. The observed POST to an attacker-controlled domain indicates credential exfiltration. Although the SSL is valid, this is not enough to reassure; the domain’s branding and SPA behavior strongly suggest credential harvesting. Recommend treating as a credential-phishing campaign and taking action to block and investigate the domain and its hosting/redirect endpoints.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence