0/100

critical Risk

controls.gamingvote.com

https://controls.gamingvote.com/

104.21.90.15 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

4 days ⚠

HTTP

200 · 19.0s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "PANELITO Admin"

Save

Domain Intelligence: gamingvote.com

Scanned 13 times since Mar 10, 2026, 11:26 AM UTC

✗ Critical (100)

Registered-domain escalation suggested

Suggested now

Submit gamingvote.com as the primary IOC, enriched with evidence from hostile subdomains like controls.gamingvote.com.

4 hostile subdomains across 13 completed scans were observed under this registered domain. Recent hosts: osrsjagex.gamingvote.com, rsoldschools.gamingvote.com, rsoldschool.gamingvote.com, osrsaccount.gamingvote.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

PANELITO

Credential Phishing

technology | finance | ecommerce · 4/5/2026

Summary

The page at controls.gamingvote.com presents a LOGIN UI titled PANELITO Admin, with a password field and a single sign-in flow. The domain does not match PANELITO’s branding; visual impersonation is evident from the page title, UI copy, and logo-like circular badge. The static HTML shows a minimal shell, while dynamic JS bundles (admin.js) render a credential capture form, indicating a SPA credential harvesting setup. SSL is valid but on a very new domain (4 days old), increasing risk. External assets and off-domain endpoints hint at exfiltration behavior and third-party beaconing.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸Off-domain submission or API endpoints observed: https://usb.b63ccd22db3b4e5a4c4d.workers.dev/datasound/discord.mp3.

▸Distinctive asset clues: admin.js, v8c78df7c7c0f484497ecbca7046644da1771523124516, admin.css.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 9

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://usb[.]b63ccd22db3b4e5a4c4d[.]workers[.]dev/datasound/discord.mp3

Off-Domain Posts

hxxps://usb[.]b63ccd22db3b4e5a4c4d[.]workers[.]dev/datasound/discord.mp3

Attack Techniques (6)

Typosquatting/brand impersonation through non-official domain (controls.gamingvote.com) presenting PANELITO Admin UICloned SPA rendering credential capture form via JavaScript (admin.js) despite no static form in HTMLPassword field present in UI designed to harvest credentialsOff-domain exfiltration endpoints observed (https://usb.b63ccd22db3b4e5a4c4d.workers.dev/datasound/discord.mp3) and beaconing scripts loaded (beacon.min.js)New domain with recent SSL certificate and ownership via Cloudflare hosting; high risk due to domain agePOST to CDN-URL rum endpoint (likely used for data submission)

Indicators of Compromise (6)

▸Domain: controls.gamingvote.com (new, registered 2026-03-09, Cloudflare registrar, WHOIS shows 4 days age)

▸Page title: 'PANELITO Admin' and UI copy 'Welcome to PANELITO', password placeholder hints at admin login

▸External assets: https://controls.gamingvote.com/admin.js, /admin.css, and beacon.js from Cloudflare; admin.js likely contains credential harvesting logic

▸Network POST: https://controls.gamingvote.com/cdn-cgi/rum? (204), indicating data submission flow

▸Off-domain endpoints: https://usb.b63ccd22db3b4e5a4c4d.workers.dev/datasound/discord.mp3 and /sound.mp3 used as exfiltration or tracking signals

▸SSL certificate issued to gamingvote.com (SAN includes controls.gamingvote.com) with very short validity window (Mar–Jun 2026)

Risk AssessmentUsed in abuse reports

Abuse teams should treat this as a credential phishing site. The domain is brand-impersonating, showing PANELITO Admin branding on a page titled accordingly, with a password field and dynamic login UI rendered by JS in an SPA. The static HTML contains no forms, yet the JavaScript bundles (admin.js) render a credential collection interface, indicating intentional credential harvesting. The domain is extremely new (4 days), and the SSL cert is recently issued, both elevating risk. Off-domain exfiltration and beaconing endpoints further corroborate malicious intent. Immediate action is recommended to suspend the domain and block hosting to prevent victims from interacting with this impersonation site.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence