0/100

critical Risk

runescapearts.forums.events.quitting.giveaway.gul.org-fm-678-223-176-122345492-182-342.ru

https://runescapearts.forums.events.quitting.giveaway.gul.org-fm-678-223-176-122345492-182-342.ru/portal/medieval-competitors-voting-authentication-yit54ui5tu6y74iuy2iutjgh23441xxs

185.82.200.115 · HostSailor

Location

Amsterdam, Netherlands

Domain Age

—

HTTP

200 · 13.4s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Choose how to log in | Jagex"

Save

Domain Intelligence: org-fm-678-223-176-122345492-182-342.ru

Scanned 2 times since Apr 28, 2026, 12:54 PM UTC

✗ Critical (100)

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Jagex

Vendors

29/30

Status

partial

✓ avast✓ eset✓ brightcloud✓ drweb✓ microsoft✓ yandex✓ urlscan✓ polyswarm✓ bitdefender✓ sophos✓ avg✗ norton✓ cisa✓ isitphish✓ apple✓ urlquery✓ netcraft✓ apwg✓ openphish✓ phishreport✓ phishtank✓ emsisoft✓ spamhaus✓ virustotal✓ urlabuse✓ mcafee✓ google✓ kaspersky✓ threatyeti✓ fortiguard

Registered-domain escalation

Submit org-fm-678-223-176-122345492-182-342.ru as the primary IOC, enriched with evidence from hostile subdomains like runescapearts.forums.events.quitting.giveaway.gul.org-fm-678-223-176-122345492-182-342.ru.

KB/IOK Matches (1)May 28, 2026, 04:04 PM UTC

jagex-login-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Jagex

Credential Phishing

technology | ecommerce | finance | gaming | other · 6/3/2026

Summary

The page at hsoutfitters.com presents a login interface titled 'Choose how to log in | Jagex' and visually imitates a Jagex login screen, including a modal resembling the RuneScape login UI. However, the domain hsoutfitters.com is not affiliated with Jagex, and the HTML/network signals indicate credential collection behavior. The URL path and page content impersonate Jagex, constituting a typosquatting/brand-impersonation phishing setup designed to harvest user credentials.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸Off-domain submission or API endpoints observed: https://malazonafatonaes.ru/webhook, https://api.ipify.org/?format=json, https://oldschool.gamevote.jagex.com.challenge.vote.gallery.community.akherhalawa.ru.ru/webhook.

▸Distinctive asset clues: pf-bague-sans-pro, 34d292378e1b8.jpg, icon-google.png.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 3

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 28

Hosts: 6

Domains: 6

Suspicious Endpoints

hxxps://malazonafatonaes[.]ru/webhook

hxxps://runescapearts[.]forums[.]events[.]quitting[.]giveaway[.]gul[.]org-fm-678-223-176-122345492-182-342[.]ru/portal/medieval-competitors-voting-authentication-yit54ui5tu6y74iuy2iutjgh23441

hxxps://api[.]ipify[.]org/?format=json

hxxps://oldschool[.]gamevote[.]jagex[.]com[.]challenge[.]vote[.]gallery[.]community[.]akherhalawa[.]ru[.]ru/webhook

hxxps://api[.]telegram[.]org/bot6740062754:AAExvDoIlZGup2K-WKEdSSNYMQyurc7bQ-s/sendMessage?chat_id=-1002060238268&text=

Off-Domain Posts

hxxps://malazonafatonaes[.]ru/webhook

hxxps://api[.]ipify[.]org/?format=json

hxxps://oldschool[.]gamevote[.]jagex[.]com[.]challenge[.]vote[.]gallery[.]community[.]akherhalawa[.]ru[.]ru/webhook

hxxps://api[.]telegram[.]org/bot6740062754:AAExvDoIlZGup2K-WKEdSSNYMQyurc7bQ-s/sendMessage?chat_id=-1002060238268&text=

Attack Techniques (7)

Domain impersonation/brand mismatch (hsoutfitters.com presents as Jagex login)Cloned login UI resembling legitimate Jagex/RuneScape authentication flowNetwork requests to external webhook endpoint (malazonafatonaes.ru/webhook) for data exfiltrationUse of multiple login variation handlers and disabled/enabled states to simulate legitimate form behaviorInclusion of social login icons to emulate a standard auth pageSSl certificate from Let's Encrypt and a new domain age (287 days) with suspicious hostingBlocked or mixed content requests to external resources and IP discovery endpoint (api.ipify.org)

Indicators of Compromise (7)

▸Domain: hsoutfitters.com (not official Jagex domain)

▸Page title: 'Choose how to log in | Jagex' (brand mismatch vs domain)

▸Network POST to https://malazonafatonaes.ru/webhook (data exfiltration channel)

▸GET/POST to external IP discovery service: https://api.ipify.org/?format=text

▸SSL certificate issued by Let's Encrypt for hsoutfitters.com (current validity 2026-02-09 to 2026-05-10)

▸Static HTML contains login/password fields and multiple forms with scripts enabling dynamic validation

▸Resource loading includes brand-appropriate icons and fonts from hsoutfitters.com, not from official Jagex assets

Risk AssessmentUsed in abuse reports

High risk: The domain hsoutfitters.com is impersonating a known brand (Jagex) by presenting a login UI consistent with the RuneScape/Jagex authentication flow. The page contains legitimate-looking password fields and login forms, yet it routes data through an external webhook (malazonafatonaes.ru/webhook), indicating data exfiltration. The combination of a clearly misleading page title, brand impersonation, and a direct POST to a non-affiliated webhook strongly suggests credential harvesting. The presence of a newly issued SSL cert and a relatively new domain age further supports the phishing classification. Immediate action recommended: suspend_domain and block_url, with further investigation into the webhook domain and associated infrastructure.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence