# lzrstgg67fd546yh.yewabim168.workers.dev — SUSPICIOUS

> lzrstgg67fd546yh.workers.dev is a credential-stealing phishing page detected by 0 of 95 scanners. Check the full report.

## Summary
PhishDestroy identifies lzrstgg67fd546yh.yewabim168.workers.dev as a live credential-harvesting phishing portal currently luring victims under investigation for identity theft. This Workers.dev subdomain masquerades as a login page to trick users into surrendering usernames and passwords. The landing mimics a familiar service interface, pushing victims toward an immediate data submission before any scrutiny occurs. Active redirection chains have already been observed harvesting credentials from unwary visitors.  This domain was flagged by PhishDestroy on seed ab5855 with zero detections out of 95 VirusTotal engines as of today. It resolves to 172.67.193.249 via Cloudflare and holds a Google Trust Services SSL certificate to appear legitimate. Registrant details remain obscured behind Cloudflare privacy, but payload analysis confirms a keylogger script exfiltrating input to a remote Telegram bot.  If you visited this page, immediately change any reused passwords and enable multi-factor authentication on all accounts. Scan your device with an up-to-date antivirus and clear browser cookies for the domain. Report the incident to your IT team and consider freezing credit monitoring if financial data was entered. Remain vigilant for follow-up phishing attempts leveraging the harvested credentials.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.67.193.249

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/da255296-8215-4e7b-9b55-220bb06bff5a
- PhishDestroy: https://phishdestroy.io/domain/lzrstgg67fd546yh.yewabim168.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/lzrstgg67fd546yh.yewabim168.workers.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/lzrstgg67fd546yh.yewabim168.workers.dev/
Last updated: 2026-03-25