mass.report
Scan Intelligence Report0/100
low Risk
runechat.com
https://runechat.com/
IP
104.21.81.234 · Cloudflare, Inc.
Location
Toronto, Canada
Domain Age
4414 days
HTTP
403 · 23.9s
SSL
Valid· WE1, Google Trust Services, US
Status
COMPLETED
KB/IOK Matches (0)—
No KB/IOK detections were recorded for this scan.
Scanner blocked by cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
Unknown
Unknownfinance | technology | ecommerce | cryptocurrency | social_media | education | other · 4/5/2026
Summary
The page at runechat.com presents a Cloudflare security verification block rather than a legitimate brand login. The page title and content do not reveal a recognizable brand, and the actual phishing content cannot be accessed due to a scanner-blocking WAF. Non-page signals indicate potential impersonation signals, but the brand cannot be confirmed from the available data.
Evidence Summary
▸Observed 3 capture stage(s); canonical stage is late_render_3s.
▸POST targets observed during capture: https://runechat.com/cdn-cgi/challenge-platform/h/g/flow/ov1/185675085:1773131099:ut4SdrycC8xb3odFLzYTZZGXyxKNOjirJ09oiKYhgdE/9da15360fbe3f7bd/xTxH9OfBFjl6jtoQpV1oC0aOgzVfIhqPxaZuC8FAt4c-1773135288-1.2.1.1-1KSaFke17C1b6LrX3Bh79eLE2ugZsyYnxuJxyI_9E76nHA3fNK0nb7obSsBu8fzg, https://runechat.com/cdn-cgi/rum?, https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/1216684439:1773131099:HtMdEFlTwGctyultY9VOxuNPc3aWTek6Gto7L1CNz5M/9da153670d4f2ee5/xNqfY24Yt3yWv4NaeibwI0IFcTqGF3ocXv1pi5GEDwY-1773135289-1.2.1.1-LWy89iR0NX1OTsZ.rcetE320Gvba1EeUNquQiJTydUAN5OhLjROsnmhjUvyBusGy.
▸Distinctive asset clues: v1, v8c78df7c7c0f484497ecbca7046644da1771523124516, 1, 68xHfP1f2YqBhIs.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 15
Hosts: 3
Domains: 3
Observed Signals (1)
SSL issued to runechat.com with Cloudflare fronting, potential typosquint/brand impersonation risk if later content impersonates a brand
Observed Indicators (1)
▸Domain: runechat.com (suspected typosquat/brand-evading domain for runechat.com)
Risk AssessmentUsed in abuse reports
Abuse teams should treat this as a high concern for potential impersonation. The domain runechat.com is fronted by Cloudflare and returns a block page, yet the scan data reveals an attempt to load Cloudflare Turnstile and orchestrated challenge endpoints. The page title is Just a moment..., and there is no visible brand name on the static HTML, but the network activity includes many brand-agnostic Cloudflare challenge artifacts. The presence of hidden form inputs reported in risk factors and SPA-like behavior suggests credential collection logic may be implemented in dynamic JavaScript. Given the WAF evasion signals and the potential for typosquatting or brand cloning, this domain warrants suspension or at minimum blocking of access to prevent credential harvesting.
Recommended Action
Monitor
Cross-Reference8
URL Intelligence
Domain Intelligence
IP Intelligence
Public threat feed available — JSON API