
[False Negative]: add 5 phishing domains (sf-epal[.]com, en-trezor[.]io, ...)

Open ninjacatcher opened this issue 5 months ago • 0 comments

Executive Summary

This report documents 5 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 5 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):

sf-epal.com
en-trezor.io
en-ledger.io
safepal.com.co
www.en-ledger.io.io

Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting companies and cryptocurrency holders/investors. The attackers use fake login pages and tampered software to steal seeds/keys.

Technical Details

  • Use Cloudflare (maybe Pro or Business) accounts.
  • Cloaked: if the request does not comply with the rules, it redirects to a non-existent subdomain "www.www." (in most cases).

Detections

  • sf-epal.com - 2 detections - https://www.virustotal.com/gui/domain/sf-epal.com/detection
  • en-trezor.io - 26 detections - https://www.virustotal.com/gui/domain/en-trezor.io/detection
  • en-ledger.io - 2 detections - https://www.virustotal.com/gui/domain/en-ledger.io/detection
  • safepal.com.co - 6 detections - https://www.virustotal.com/gui/domain/safepal.com.co/detection
  • www.en-ledger.io.io - 0 detections - https://www.virustotal.com/gui/domain/www.en-ledger.io.io/detection

Targeted Brands

  • sf-epal.com - SafePal (safepal.com)
  • en-trezor.io - Trezor Wallet (trezor.io)
  • en-ledger.io - Ledger (ledger.com)
  • safepal.com.co - SafePal (safepal.com)
  • www.en-ledger.io.io - Ledger (ledger.com)

Temporal Information

  • Date of Identification and Submission: 2025-07-21 10:01 UTC
  • Estimated Campaign Activity Start: Approximately 7-14 days prior to detection

Screenshots

(If screenshots are not displayed, see the scans pages)

Scans

  • sf-epal.com - https://urlscan.io/result/01982c69-66bf-7277-b1d0-cda7cb7620a6/
  • en-trezor.io - https://urlscan.io/result/01982c69-6b6f-73de-bc8b-6266a8f91ebb/
  • en-ledger.io - https://urlscan.io/result/01982c69-7044-74b7-bee0-3f6b3f268e47/
  • safepal.com.co - https://urlscan.io/result/01982c69-7304-701c-9c44-0856ff60465f/
  • www.en-ledger.io.io - https://urlscan.io/result/01982c69-7044-74b7-bee0-3f6b3f268e47/

ninjacatcher, Jul 21 '25 10:07