# testkja.pages.dev — SUSPICIOUS

> Domain testkja.pages.dev engaged in generic phishing via cloudflare services resolving to IP 188.114.96.3. Check the full report.

## Summary

PhishDestroy identifies testkja.pages.dev as a generic phishing domain impersonating nonexistent or shadowed brand services, leveraging Cloudflare Workers for payload delivery. Initial analysis suggests this domain is part of an evolving campaign targeting credential harvesting or social engineering through spoofed verification portals. The threat actor likely employs automated tooling given the domain’s recent creation and use of Google Trust Services’ SSL certificate for legitimacy signaling. No known drainer kit signatures (e.g., societe-generale-drainer.js) have been confirmed, but behavioral patterns align with observed loader infrastructure commonly used to deliver malicious JavaScript payloads to unsuspecting users.

Domain testkja.pages.dev resolves to IP 188.114.96.3 via Cloudflare, Inc. with a Google Trust Services SSL certificate. VirusTotal reports 0/95 detections, indicating zero antivirus engines currently flag the domain. The site was registered through Cloudflare’s registrar services for Workers deployment, which obscures underlying registrant details. At least one prominent blocklist (checkpoint-cloud-dns) has flagged the domain despite the absence of AV coverage. This combination of obfuscation, legitimate infrastructure, and low detection suggests early-stage deployment or a low-volume campaign.

This domain remains active and under active monitoring with a status marked 'under_investigation' and risk level 'high' pending further forensic validation. Security teams are advised to block the domain at DNS/firewall levels and monitor for associated IP ranges (188.114.96.0/24) due to SSL certificate reuse and shared infrastructure with other low-signed phishing clusters. Users should avoid interacting with pages.dev subdomains offering unverified verification services; reliance on Google Trust Services SSL should not be considered a trust indicator. Remaining risk includes potential evolution into a higher-volume campaign or integration with known malware families if the threat actor secures detections or expands infrastructure. Immediate blocking and user awareness are critical to prevent compromise.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/1281cddc-60a7-45d6-93d7-debbb55b0c7a
- PhishDestroy: https://phishdestroy.io/domain/testkja.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/testkja.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/testkja.pages.dev/

Last updated: 2026-03-25