# synhcpanel.pages.dev — SUSPICIOUS

> PhishDestroy flags synhcpanel.pages.dev for CPanel credential theft via a fake control panel. Check the full report.

## Summary
PhishDestroy identifies synhcpanel.pages.dev as a live credential-phishing page masquerading as a CPanel login portal, luring victims to surrender hosting credentials under the guise of account verification. The domain leverages a Cloudflare Workers subdomain (pages.dev) to cloak its infrastructure while presenting a convincing interface that closely mimics legitimate cPanel login forms. No known drainer kit artifacts (e.g., clipboard hijackers, wallet drainers) were detected in this initial assessment, and the page currently focuses solely on harvesting credentials rather than cryptocurrency or session tokens.  

This domain was flagged under the specific threat type “generic_phishing” with zero detections on VirusTotal (0/95 engines) as of the last scan. It resolves to IP 172.66.47.3 via Cloudflare, Inc. as registrar, and holds a Google Trust Services SSL certificate issued for *.pages.dev. The exact creation date is not publicly visible due to Cloudflare’s privacy protection, but the domain is currently active and served from Cloudflare’s edge network. At this time, the domain has not been blocklisted by major threat intelligence feeds including Google Safe Browsing (GSB status: Clean), and no third-party blocklists have flagged it based on available telemetry. The absence of detections suggests either a very recent deployment or a stealthily configured campaign targeting niche users.  

The site remains active with a status of “under_investigation” and continues to serve the phishing content, posing an ongoing risk to users who may mistake it for a legitimate cPanel login page. PhishDestroy recommends immediate blocking of the domain via DNS or network-level filtering and advises users to verify destination URLs via official cPanel channels before entering credentials. While the risk is currently assessed as active but contained, the campaign’s reliance on Cloudflare’s anonymizing infrastructure and the lack of detections elevate the urgency for proactive countermeasures. Users should treat any interaction with this domain as high-risk and assume credentials entered may have been compromised.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.47.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/0e80ed2a-7ccc-42df-b146-312100168cca
- PhishDestroy: https://phishdestroy.io/domain/synhcpanel.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/synhcpanel.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/synhcpanel.pages.dev/
Last updated: 2026-03-22