# ai.cyraai.app — SUSPICIOUS

> Phishers abuse ai.cyraai.app, a newly minted domain on Amazon infra, to mimic AI login forms. Site resolves to 18.66.147.

## Summary
ai.cyraai.app is a domain actively weaponized for credential-harvesting phishing campaigns, masquerading as an AI service login portal to trick users into surrendering corporate or personal account credentials. The site leverages Amazon Web Services infrastructure, including a legitimate-looking SSL certificate issued by Amazon, to boost perceived legitimacy and bypass basic browser warnings. Security controls that rely solely on domain reputation or default allow-listing rules may fail to flag this threat, enabling attackers to harvest login details at scale.


PhishDestroy identifies this domain as a live phishing host that poses an elevated risk to any user encountering it. Threat intelligence shows that only 2 out of 95 participating security vendors flagged ai.cyraai.app at the time of analysis, while public blocklists already list the domain. The domain resolves to IP address 18.66.147.44, hosted on Amazon’s infrastructure, and is protected by an active SSL certificate issued by Amazon—tactics consistently observed in credential-phishing operations aimed at bypassing automated detection. Historical DNS data indicates the domain was created recently, which correlates with the rapid deployment cycle typical of opportunistic phishing campaigns.


If you or anyone in your organization visited ai.cyraai.app, immediately rotate any credentials entered on the site and enable multi-factor authentication on all related accounts. Treat the exposed credentials as compromised and scan for follow-on compromise such as lateral movement or data exfiltration. Report the domain to your email and web security gateways and block 18.66.147.44 at the firewall. Forward any screenshots or logs to your SOC for correlation with ongoing threat-hunting efforts. Maintain heightened vigilance for anomalous login attempts across cloud applications for at least 30 days following exposure.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: REGISTRAR_NOT_FOUND
- IP: 18.66.147.44

## Detection Status
- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/6af0adb7-63a8-4549-af7e-3172783b63eb
- PhishDestroy: https://phishdestroy.io/domain/ai.cyraai.app/
- LLM endpoint: https://phishdestroy.io/domain/ai.cyraai.app/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/ai.cyraai.app/
Last updated: 2026-03-22