
[False Negative]: add 9 phishing domains (trezor-suites[.]biz, secure-ledger[.]org, ...)

Open ninjacatcher opened this issue 5 months ago • 0 comments

Executive Summary

This report documents 9 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 9 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):

trezor-suites.biz
secure-ledger.org
tronlink-wallet.at
dexrsceener.net
dex.screener-v3.com
dexcsreener.net
tfezor-sulte.com
dex.srceener.com
dex.screener-v3.cc

Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting companies and cryptocurrency holders/investors. The attackers use fake login pages and tampered software to steal seeds/keys.

Technical Details

  • Use Cloudflare (maybe Pro or Business) accounts.
  • Cloaked: if the request does not comply with the rules, it is redirected to a non-existent subdomain "www.www." (in most cases).

Detections

  • trezor-suites.biz - 14 detections - https://www.virustotal.com/gui/domain/trezor-suites.biz/detection

  • secure-ledger.org - 7 detections - https://www.virustotal.com/gui/domain/secure-ledger.org/detection

  • tronlink-wallet.at - 18 detections - https://www.virustotal.com/gui/domain/tronlink-wallet.at/detection

  • dexrsceener.net - 4 detections - https://www.virustotal.com/gui/domain/dexrsceener.net/detection

  • dex.screener-v3.com - 13 detections - https://www.virustotal.com/gui/domain/dex.screener-v3.com/detection

  • dexcsreener.net - 2 detections - https://www.virustotal.com/gui/domain/dexcsreener.net/detection

  • tfezor-sulte.com - 0 detections - https://www.virustotal.com/gui/domain/tfezor-sulte.com/detection

  • dex.srceener.com - 0 detections - https://www.virustotal.com/gui/domain/dex.srceener.com/detection

  • dex.screener-v3.cc - 3 detections - https://www.virustotal.com/gui/domain/dex.screener-v3.cc/detection

Targeted Brands

  • trezor-suites.biz - Trezor Wallet (trezor.io)

  • secure-ledger.org - Ledger (ledger.com)

  • tronlink-wallet.at - TronLink (tronlink.org)

  • dexrsceener.net - DEX Screener (dexscreener.com)

  • dex.screener-v3.com - DEX Screener (dexscreener.com)

  • dexcsreener.net - DEX Screener (dexscreener.com)

  • tfezor-sulte.com - Trezor Wallet (trezor.io)

  • dex.srceener.com - DEX Screener (dexscreener.com)

  • dex.screener-v3.cc - DEX Screener (dexscreener.com)

Temporal Information

  • Date of Identification and Submission: 2025-07-19 20:17 UTC
  • Estimated Campaign Activity Start: Approximately 7-14 days prior to detection

Screenshots

(If screenshots are not displayed, see the scans pages)

Scans

  • trezor-suites.biz - https://urlscan.io/result/01982447-f3c3-77ac-9fbe-5769795ee338/
  • secure-ledger.org - https://urlscan.io/result/01982447-fd8f-7795-a33c-e5d8254e6b53/
  • tronlink-wallet.at - https://urlscan.io/result/01982448-03c7-74be-ac6c-8f898c52fa0d/
  • dexrsceener.net - https://urlscan.io/result/01982448-0815-776c-b54c-63672a21fb73/
  • dex.screener-v3.com - https://urlscan.io/result/01982448-0b2f-716f-b817-10a3ed409a89/
  • dexcsreener.net - https://urlscan.io/result/01982448-fa09-7587-97db-66ddbf4f2c4e/
  • tfezor-sulte.com - https://urlscan.io/result/01982447-f3c3-77ac-9fbe-5769795ee338/
  • dex.srceener.com - https://urlscan.io/result/01982448-0815-776c-b54c-63672a21fb73/
  • dex.screener-v3.cc - https://urlscan.io/result/01982448-0b2f-716f-b817-10a3ed409a89/

ninjacatcher avatar Jul 19 '25 20:07 ninjacatcher