# rby-df87e.kenyancopper34.workers.dev — SUSPICIOUS

> PhishDestroy identifies rby-df87e.kenyancopper34.workers.dev as an active phishing page hosted on Cloudflare Workers with a 4/95 VirusTotal detection score.

## Summary

PhishDestroy identifies rby-df87e.kenyancopper34.workers.dev as an active generic phishing domain designed to harvest user credentials under the guise of a Kenyan Copper brand lure. The domain employs a Cloudflare Workers deployment path, indicating sophisticated infrastructure abuse. No specific drainer kit has been confirmed, but the Workers.dev subdomain routing suggests a script-based credential theft mechanism is in operation. The domain does not mimic a single high-value brand but uses a broad copper-themed lure to entice unsuspecting users into entering sensitive login details.

This domain resolves to IP 172.67.196.126 and carries a VirusTotal detection score of 4/95 security vendors as of the latest scan. It is registered through Cloudflare, Inc., which explains the masking of underlying registrant data, and operates under a valid Let's Encrypt SSL certificate to enhance trust. The domain was created recently and remains active within the Cloudflare Workers ecosystem, enabling low-cost, high-anonymity deployment. Google Safe Browsing (GSB) currently lists this domain as unsafe, and it has been detected on multiple threat intelligence blocklists, underscoring its malicious reputation.

As of today, rby-df87e.kenyancopper34.workers.dev remains in active circulation with no takedown observed. Security teams should block this domain at DNS and network levels and scan endpoints that may have accessed it. Users who have interacted with this site should immediately rotate credentials and enable multi-factor authentication where possible. Remaining risk is elevated due to the domain's current active status and persistent infrastructure on Cloudflare Workers, which facilitates rapid redeployment under new subdomains.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.67.196.126

## Detection Status

- VirusTotal: 4 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/2b6ca3d4-c498-4777-a8b2-c2b1c81300c3
- PhishDestroy: https://phishdestroy.io/domain/rby-df87e.kenyancopper34.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/rby-df87e.kenyancopper34.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/rby-df87e.kenyancopper34.workers.dev/

Last updated: 2026-03-22