# portal-ldgerliv-download.pages.dev — SUSPICIOUS

> Investigating portal-ldgerliv-download.pages.dev for payroll data theft phishing. VirusTotal shows 0/95 detections. Review full report.

## Summary

PhishDestroy identifies portal-ldgerliv-download.pages.dev as an active payroll data theft phishing domain currently under investigation. This domain employs a spoofed portal naming convention to impersonate legitimate payroll services, specifically targeting employees through a convincing fake login interface designed to harvest sensitive financial credentials. The threat remains unmitigated with zero detections on VirusTotal as of the latest scan, and the infrastructure relies on Cloudflare Pages hosting to evade traditional network defenses. Given the absence of proactive blocking and the domain’s recent registration through Cloudflare, Inc. using Google Trust Services SSL certificates, immediate defensive action is warranted to prevent credential harvesting across corporate networks.

This domain resolves to IP address 172.66.44.229 and is hosted on Cloudflare Pages, a platform frequently abused for short-lived phishing campaigns due to its legitimate service facade. The domain shows no presence on any known threat intelligence blocklists, and its SSL certificate is issued by Google Trust Services, which does not inherently indicate malicious intent but enables encrypted credential exfiltration. With 0 out of 95 VirusTotal engines flagging the domain, it remains undetected by most antivirus and security solutions, increasing the risk of successful compromise. The naming pattern—portal-ldgerliv-download—suggests a highly targeted campaign likely aimed at payroll or HR departments, leveraging urgency and familiarity to deceive users into entering corporate login credentials.

Organizations should immediately block portal-ldgerliv-download.pages.dev at the DNS and firewall levels to prevent user exposure. Conduct user awareness training emphasizing scrutiny of payroll-related login prompts, especially those delivered via unsolicited emails or internal portals. Monitor network traffic for connections to 172.66.44.229 and inspect SSL/TLS handshakes involving Google Trust Services certificates linked to payroll-themed domains. Additionally, review authentication logs for unusual login patterns from corporate IP ranges and consider implementing multi-factor authentication (MFA) as a secondary defense against credential theft. Given the domain’s low detection rate and high potential for data compromise, proactive blocking and user education are critical to mitigating risk.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.229

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/dd94999a-e234-4428-a535-3e7fdce23e22
- PhishDestroy: https://phishdestroy.io/domain/portal-ldgerliv-download.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/portal-ldgerliv-download.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/portal-ldgerliv-download.pages.dev/

Last updated: 2026-03-24