# rbywlt3fdg45tg.jksah7d6sadads.workers.dev — SUSPICIOUS

> PhishDestroy identifies rbywlt3fdg45tg.jksah7d6sadads.workers.dev as a phishing landing page hosted at 172.67.181.107; SEAL has already blocked it.

## Summary

PhishDestroy identifies rbywlt3fdg45tg.jksah7d6sadads.workers.dev as an active phishing domain without any overt brand impersonation or drainer kit in its current payload. The hostname shows a randomized second-level string under workers.dev, indicating opportunistic abuse of Cloudflare Workers rather than a targeted brand campaign. No recognizable branding or spoofed login portals have been observed during initial analysis, suggesting this could be a generic credential harvesting page routed through a worker script.

Exact technical indicators place this domain at elevated risk: VirusTotal shows 1 of 95 engines detecting the site, the registrar is Cloudflare, Inc., and resolution leads to IP 172.67.181.107. The domain carries a Google Trust Services SSL certificate, yet it is flagged on one external blocklist and blocked enterprise-wide by SEAL. The unique seed ad36f9 confirms this instance has not been previously reported in internal tracking systems.

Current status is active and generating elevated risk due to the worker-based hosting and SSL coverage, which may fool basic security checks. SEAL has already blocked access, reducing exposure for protected users. Remaining risk stems from the potential for broader distribution via phishing emails or social engineering due to the evasive worker infrastructure. Users should avoid visiting the domain, report any encounters, and rely on SEAL block policies. This domain remains under 24-hour monitoring for changes in payload or infrastructure.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.67.181.107

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 1 hit
  Lists: ["SEAL"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/rbywlt3fdg45tg.jksah7d6sadads.workers.dev
- PhishDestroy: https://phishdestroy.io/domain/rbywlt3fdg45tg.jksah7d6sadads.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/rbywlt3fdg45tg.jksah7d6sadads.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/rbywlt3fdg45tg.jksah7d6sadads.workers.dev/

Last updated: 2026-04-08