# download-ledzr-live.pages.dev — SUSPICIOUS

> Ledzr phishing site download-ledzr-live.pages.dev steals credentials. VT detects 1/95 vendors flagging it. Check the full report.

## Summary

PhishDestroy identifies download-ledzr-live.pages.dev as an active phishing domain leveraging a deceptive “ledzr-live” subdomain to masquerade as a legitimate service and harvest user credentials. The infrastructure behind this page mirrors Cloudflare Pages hosting, giving the threat actor cover while the domain itself mimics a plausible SaaS update path via a hyphenated subdomain pattern commonly abused in B2B credential phishing campaigns. No specific drainer kit or branded spoof has been confirmed at this time, indicating the actors may be repurposing generic PHP-based credential collectors to siphon credentials entered into the fake login interface.

Technical indicators corroborate the elevated risk: VirusTotal shows only 1 out of 95 security vendors detected the domain as malicious at the time of analysis, underscoring the stealth and recency of the campaign. The domain was registered through Cloudflare, Inc., enabling rapid rotation and TLS termination via a Google Trust Services certificate, which helps evade browser-based warnings. It resolves to IP 188.114.96.3 and has remained unlisted on Google Safe Browsing, contributing to a low initial detection footprint. Recent blocklist checks indicate zero public blocklist hits, amplifying the exposure window for potential victims.

Current status remains active; the domain continues to resolve and serve a counterfeit login form likely targeting enterprise users prompted by convincing social-engineering lures referencing “Ledzr” platform updates.

Immediate defensive actions include blocking the domain and IP at DNS and perimeter layers, flagging TLS certificates issued to Cloudflare Pages for the specific subdomain, and updating user awareness training to scrutinize hyphenated subdomains and Cloudflare Pages URLs in unexpected contexts. Remaining risk is elevated due to the domain’s use of reputable hosting and certificate authorities, enabling sustained operation until proactive takedowns or sinkholing measures are implemented.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/8018b084-781f-495b-bcca-e5201b8911b9
- PhishDestroy: https://phishdestroy.io/domain/download-ledzr-live.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/download-ledzr-live.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/download-ledzr-live.pages.dev/

Last updated: 2026-03-26