# PhishDestroy threat dossier — steamrip-sa-com.pages.dev
================================================================
Fetched: 2026-05-04 21:31:06 UTC
Canonical: https://phishdestroy.io/domain/steamrip-sa-com.pages.dev/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 70/100 (PhishDestroy scoring — see methodology below)
Scam classification: Gaming Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: raphaela.ns.cloudflare.com, shane.ns.cloudflare.com
Registered: 2026-04-10
Page title: Steamrip - Free Safe PC Game Downloads (2025 Official)
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-09
Status: INVALID chain
Fingerprint: c8bda32ee129712cb3f6688b19ffb5ae9e60a3b139887ce941e8f18b6b46a9ee

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-10 18:33:22 UTC (by PhishDestroy tracker)
Last verified: 2026-04-21 16:08:46 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d7804-ef7a-7663-ab59-4a9c3c56201b/
Wayback Machine: https://web.archive.org/web/*/steamrip-sa-com.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.steamrip-sa-com.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=steamrip-sa-com.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/steamrip-sa-com.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/steamrip-sa-com.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-10 18:34:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies steamrip-sa-com.pages.dev as a domain actively impersonating Steam Rip Generators to deceive users into downloading malicious content or surrendering credentials. This site is classified under a generic phishing threat vector, likely targeting gamers seeking free or pirated game modifications or tools. The domain utilizes a Cloudflare Pages deployment, leveraging Cloudflare’s infrastructure to obscure its origin while maintaining a facade of legitimacy through Google Trust Services SSL certificates. No specific drainer kit has been identified in open-source intelligence at this stage, but the operational pattern aligns with credential-harvesting or malware-delivery campaigns typical of such impersonation schemes.

This domain resolves to the IP address 188.114.97.3, which is hosted on Cloudflare’s network, and currently boasts a clean detection score of 0/95 on VirusTotal. It was registered through Cloudflare, Inc., and is protected by a Google Trust Services SSL certificate, which may further enhance its appearance of trustworthiness to unsuspecting users. The domain is part of the *.pages.dev subdomain space, often used for static site hosting but increasingly exploited for phishing and malicious content distribution. As of the latest assessment, this domain has not been flagged on major blocklists, though further investigation is required to ascertain its full operational history and any associated infrastructure.

The current status of steamrip-sa-com.pages.dev is marked as active, with a risk level categorized as under_investigation. PhishDestroy advises users to exercise extreme caution when encountering this domain or any associated links, particularly in the context of Steam Rip Generators or similar gaming-related content. Immediate response actions include avoiding interaction with the domain, blocking the associated IP address 188.114.97.3 at the network perimeter, and reporting the domain to relevant threat intelligence platforms. The remaining risk is assessed as moderate, given the domain’s clean detection status but active operational state under Cloudflare’s infrastructure. Users are encouraged to verify the legitimacy of any gaming-related download sites and to rely on official sources or trusted repositories to mitigate exposure to potential threats.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 8a06f3772db07a28f94ba0aecac25d24
TLS cert SHA-256: c8bda32ee129712cb3f6688b19ffb5ae9e60a3b139887ce941e8f18b6b46a9ee

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/steamrip-sa-com.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=steamrip-sa-com.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 145,658 domains (56,101 alive under monitoring, 89,297 confirmed takedowns/dead).
Site: https://phishdestroy.io