# moonbag-5gw.pages.dev — MALICIOUS

> moonbag-5gw.pages.dev presents a fake investment portal with 13/95 VirusTotal detections. PhishDestroy identifies elevated phishing risks.

## Summary

PhishDestroy identifies moonbag-5gw.pages.dev as an active generic phishing domain impersonating an investment portal to harvest credentials. This domain leverages a fraudulent website designed to mimic legitimate financial services, deploying social engineering tactics to deceive users into entering sensitive data. The threat actor behind this campaign appears to use a drainer kit compatible with Cloudflare Workers to host the phishing page, ensuring rapid deployment and evasion of traditional security measures.

This domain was flagged by 13 of 95 security vendors on VirusTotal, indicating partial but not universal threat recognition. Registered through Cloudflare, Inc., it resolves to the IP address 172.66.44.77 and operates under a Google Trust Services SSL certificate, which may be used to lend false credibility to the fraudulent site. While the exact creation date is not publicly disclosed, the domain’s use of Cloudflare Workers suggests recent deployment. The presence of a valid SSL certificate highlights the sophistication of this phishing operation, as threat actors increasingly exploit trusted services to bypass security controls. As of this report, the domain remains active and has not been flagged on major blocklists, allowing continued exploitation.

The current status of moonbag-5gw.pages.dev is active, with an elevated risk level due to its ongoing use in phishing campaigns. Immediate response actions include blocking the domain at the network perimeter and updating DNS-based security controls to prevent access. Users are advised to avoid interacting with this domain and to report any suspicious encounters to their IT security teams. Despite the elevated risk, the lack of widespread blocklist inclusion suggests that threat intelligence sharing and proactive monitoring remain critical to mitigating this threat. Remaining risk is moderate but could escalate if additional phishing campaigns are launched using this infrastructure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.77

## Detection Status

- VirusTotal: 13 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/b7f94969-9e92-4afd-a81e-dcc133d271cb
- PhishDestroy: https://phishdestroy.io/domain/moonbag-5gw.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/moonbag-5gw.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/moonbag-5gw.pages.dev/

Last updated: 2026-03-25