0/100

critical Risk

storm-client.net

https://storm-client.net/

172.66.149.243 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

1242 days

HTTP

200 · 16.3s

SSL

Valid· GlobalSign GCC R3 DV TLS CA 2020, GlobalSign nv-sa, BE

Status

COMPLETED

Visual Evidence

Zoom

Title: "Storm | Premium RuneLite Plugins"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Storm Store (storm-client.net)

Vendors

29/30

Status

partial

✓ avast✓ polyswarm✓ eset✓ avg✓ brightcloud✓ microsoft✗ norton✓ bitdefender✓ yandex✓ drweb✓ phishtank✓ apple✓ openphish✓ cisa✓ phishreport✓ virustotal✓ urlquery✓ urlabuse✓ kaspersky✓ emsisoft✓ spamhaus✓ urlscan✓ netcraft✓ sophos✓ apwg✓ isitphish✓ google✓ mcafee✓ threatyeti✓ fortiguard

KB/IOK Matches (1)Apr 14, 2026, 09:51 AM UTC

storm-store-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Storm Store (storm-client.net)

Unknown

Technology · 4/29/2026

Summary

The page presents Storm Store branding with a site title and navigation that resemble a legitimate plugin store. The screenshot shows a warning bar stating “Beware of fake websites! storm-client.net is the only official website,” which is itself unusual for a first-party site. Network evidence and static HTML indicate a SPA likely collecting data via dynamic UI, but there is no explicit credential form in the static HTML. The domain uses Cloudflare and has valid SSL; the page content correlates with Storm’s branding, though the attached screenshot reveals a strong impersonation risk if the brand is being cloned for phishing on a non-official domain. Based on the evidence, the page is more suggestive of a legitimate Storm Store landing page with potential impersonation risk depending on user perception, but there is no concrete credential harvesting observed in the static data provided.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://storm-client.net/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, index.745eeca1.js, index.8fc454b3.css, css2, thumbnail.88a2dc22.png, intro.01ddacc4.gif.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 12

Hosts: 5

Domains: 5

Observed Signals (4)

Single-Page Application (SPA) rendering with dynamic credential form (observed via SPA note and missing static login form)Branding comparison risk (Storm Store visuals) with a defensive banner about official site, suggesting potential impersonation concernsExternal script loading from storm-client.net/assets/index.745eeca1.js indicating dynamic UI and possible credential capture logic within bundled JSPOST request to /cdn-cgi/rum? (likely analytics or a Cloudflare routine, not credential theft) – potential WAF-related activity

Observed Indicators (0)

No suspicious indicators identified

Risk AssessmentUsed in abuse reports

The scan identifies Storm Store branding and a page that appears to be a product landing site (Storm Store) with SPA characteristics. The presence of a prominent warning banner about the official site raises impersonation concerns, but there is no direct evidence in the data provided of credential collection or malware delivery. The domain is age-stable and uses a legitimate CDN/WAF provider (Cloudflare) with a valid SSL cert. Given the visual impersonation risk and the use of SPA that could host credential capture within JavaScript, this warrants closer monitoring and potential verification of official ownership, but the current data does not conclusively demonstrate phishing. Recommend continued observation and verification of the domain’s ownership and branding alignment with Storm’s official assets.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence