# ledger-li-ve-us-desktop.pages.dev — SUSPICIOUS

> Domain ledger-li-ve-us-desktop.pages.dev poses as Ledger’s desktop app and distributes malware; 0 of 95 VirusTotal vendors flag it.

## Summary

The domain ledger-li-ve-us-desktop.pages.dev has been identified engaging in brand impersonation targeting Ledger users as part of an active threat operation. PhishDestroy’s investigation confirms this site mimics Ledger’s official desktop application interface to deceive visitors into downloading counterfeit software. As of this advisory, the campaign remains live and continues to present a credible risk to unsuspecting users seeking legitimate cryptocurrency wallet solutions.

Based on hard telemetry, this domain was flagged by 0 of 95 VirusTotal vendors during the initial assessment, indicating it currently evades broad detection despite its malicious intent. The domain is registered through Cloudflare, Inc., resolves to the IP address 172.66.44.221, and operates under Google Trust Services’ SSL infrastructure—exploiting legitimate certificate authorities to appear benign. Notably, the site exploits Pages.dev, a Cloudflare Workers domain, to host malicious content and maintain operational stealth. These technical indicators suggest a deliberate effort to blend into trusted cloud ecosystems while avoiding early detection by conventional security tools.

While under active investigation, this domain currently poses a HIGH RISK to users who may install the counterfeit software, potentially leading to credential theft, cryptocurrency wallet compromise, or malware deployment. With no current blocklist presence and zero vendor detections, the threat remains unchecked across many defensive layers. Users are advised to verify software sources through Ledger’s official domain (ledger.com), avoid clicking links from unsolicited messages or third-party sites, and report this domain to their security teams or abuse channels via Cloudflare and Google Trust Services. Additionally, enable device-level monitoring for anomalous outbound connections to IP 172.66.44.221 as a proactive detection measure. Organizations are recommended to update DNS blocklists and conduct employee awareness training emphasizing safe software sourcing practices in cryptocurrency ecosystems.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Ledger

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.221

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/537654c2-31fb-4e70-a1e5-3111ff620f79
- PhishDestroy: https://phishdestroy.io/domain/ledger-li-ve-us-desktop.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ledger-li-ve-us-desktop.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ledger-li-ve-us-desktop.pages.dev/

Last updated: 2026-03-22