0/100

low Risk

www.instagram.com

https://www.instagram.com/ancient.kra?igsh=ZjN4aWVicXl0N3Jz

31.13.66.174 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

7952 days

HTTP

200 · 24.5s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "americano.kra (@ancient.kra) • Instagram photos and videos"

Save

Registered-domain escalation

Submit instagram.com as the primary IOC, enriched with evidence from hostile subdomains like www.instagram.com.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Instagram

Unknown

social_media | technology · 4/5/2026

Summary

This page presents an Instagram user profile at ancient.kra on the public Instagram domain, but the URL path and page elements show an impersonation prompt (see screenshot) that mirrors Instagram's login/signup flow. The domain shown is instagram.com (official), yet the scan evidence indicates a potential cloner overlay prompting sign-up/login from a profile page, suggesting targeted credential harvesting via a misleading modal. The page title and UI elements align with Instagram branding, while the underlying path and exfiltration signals indicate manipulation for credential capture or data harvesting.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://www.instagram.com/ajax/qm/?__a=1&__user=0&__comet_req=7&jazoest=22233, https://www.instagram.com/ajax/bz?__a=1&__ccg=UNKNOWN&__comet_req=7&__crn=comet.igweb.PolarisProfileRoute&__d=www&__hs=20525.HYP%3Ainstagram_web_pkg.2.1...0&__hsi=7616756250312460690&__req=2&__rev=1035113083&__s=p8tpsm%3A1nrcs4%3Al01col&__spin_b=trunk&__spin_r=1035113083&__spin_t=1773414260&__user=0&dpr=1&jazoest=22233&lsd=AdSoq2TI0fhm7gr1-y0J6AKMuiY&ph=C3, https://www.instagram.com/ajax/bulk-route-definitions/.

▸Distinctive asset clues: qm, XpnBUoxX61b.js, 6tlTM4nIHJmF5p0sCEVDN9WAcQkLAlwy9PvJg89IT9Ose7mo_RjZ6ADT0QyApb4vzQU27qY87dge1fgQe914iiBfONMKn3YhINqU49pVNahkCklH6Fq_SNKbXQvuWABIjhhRs97xFZK--hBruhBENOpKm_.css, P_NAqbozHHD.css, 600045260_17921587662207589_2191287084115696602_n.jpg.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 50

Hosts: 4

Domains: 3

Suspicious Endpoints

hxxps://www[.]instagram[.]com/api/v1/users/web_profile_info/?username=ancient.kra

hxxps://www[.]instagram[.]com/api/v1/web/get_ruling_for_content/?content_type=PROFILE&target_id=66167023588

hxxps://www[.]instagram[.]com/api/graphql

hxxps://www[.]instagram[.]com/ancient.kra?igsh=ZjN4aWVicXl0N3Jz

Attack Techniques (3)

SPA-like dynamic credential capture surface rendered via external JavaScript bundlesSuspicious endpoint activity around Instagram web/profile/graphql APIs used in a misleading contextHigh external script count and presence of obfuscated/b64 script payloads

Indicators of Compromise (2)

▸DOMAIN: www.instagram.com (official domain appears in evidence but the page is a profile impersonation overlay)

▸URL path: /ancient.kra?igsh=ZjN4aWVicXl0N3Jz (profile slug that implies impersonation attempt)

Risk AssessmentUsed in abuse reports

Scanner analysis reveals a convincing Instagram-themed page on the official domain that displays a credential-capture style modal overlay, a classic phishing tactic. The site leverages legitimate Instagram assets and heavy JavaScript bundles to render a convincing UI, increasing risk of credential harvesting if a user is prompted to sign in or sign up. The presence of real Instagram endpoints in the network traffic and the modal UX strongly indicate an attempt to harvest login data or other user information, despite the domain showing as instagram.com. This should be treated as high risk and blocked or suspended where possible, given the impersonation signals and potential data exfiltration paths.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence