# docc-exodusweb.pages.dev — SUSPICIOUS

> docu-exodusweb.pages.dev is a live drainer-as-a-service phishing site hosted on Cloudflare Pages with a 1/95 VirusTotal detection rate.

## Summary

This domain is a confirmed phishing site operating under a drainer-as-a-service model, specifically targeting cryptocurrency and credential harvesting. The infrastructure is hosted on Cloudflare Pages, leveraging the provider’s legitimate service to evade traditional network-based detection mechanisms. Based on seed a0fd56, this campaign exhibits characteristics of a modern, automated phishing kit designed for rapid deployment and high evasion potential. No specific brand impersonation is confirmed, but the generic nature suggests opportunistic targeting rather than a focused corporate or government impersonation.

docu-exodusweb.pages.dev resolves to IP address 172.66.47.172 via Cloudflare, Inc., with an SSL certificate issued by Google Trust Services. The domain was flagged by only 1 out of 95 security vendors on VirusTotal, indicating extremely low detection coverage. The domain was registered through Cloudflare’s registrar services, which obscures true ownership and complicates takedown efforts. The SSL certificate from Google Trust Services further enhances legitimacy perception, increasing the likelihood of user engagement with malicious prompts.

The low VT detection rate combined with Cloudflare’s hosting infrastructure suggests this campaign is optimized for short-lived, high-volume operations before being rebranded or discarded. The campaign remains ACTIVE as of the latest intelligence update under seed a0fd56. Immediate response actions include domain takedown via Cloudflare abuse channels, IP blacklisting at the network perimeter, and user awareness campaigns highlighting the risks of unsolicited document or cryptocurrency-related links.

Despite these measures, the remaining risk is ELEVATED due to the drainer-as-a-service model’s adaptability and the use of legitimate cloud infrastructure. Users should treat any interaction with this domain as HIGH RISK, avoid clicking embedded links, and report observed activity to relevant threat intelligence platforms for rapid dissemination.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.172

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/ef71eba2-c573-43f5-9dfe-8b6f9eb5577a
- PhishDestroy: https://phishdestroy.io/domain/docc-exodusweb.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/docc-exodusweb.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/docc-exodusweb.pages.dev/

Last updated: 2026-03-22