# zoratwo.pages.dev — SUSPICIOUS

> zoratwo.pages.dev is a generic phishing domain hosted on Cloudflare's Pages platform. This domain poses a generic phishing threat with 0/95 detections on.

## Summary
PhishDestroy identifies zoratwo.pages.dev as an active generic phishing domain under investigation. This domain is likely designed to impersonate legitimate services or brands to deceive users into divulging sensitive information. No specific drainer kit or brand impersonation has been confirmed at this stage, but the generic nature of the threat suggests broad, opportunistic targeting rather than a highly tailored campaign. The domain leverages Cloudflare Pages for hosting, which provides a veneer of legitimacy due to Cloudflare's widespread use in legitimate web services, but this does not inherently validate the domain's intent or safety.


Technical analysis reveals concerning indicators: VirusTotal currently flags the domain with 0/95 detections, indicating it has not yet been widely recognized as malicious by security vendors. The domain is registered through Cloudflare, Inc., and resolves to IP address 172.66.44.131. The SSL certificate is issued by Google Trust Services, which, while trusted, does not guarantee the domain's legitimacy. As of this report, the domain's creation date or additional historical data (e.g., WHOIS records) has not been fully validated, and its presence on Google Safe Browsing (GSB) lists or other blocklists remains unverified. The lack of detections on VirusTotal is particularly noteworthy given the domain's active status and the generic phishing threat it poses, suggesting either a very recent deployment or evasion tactics by the threat actor.


The current status of zoratwo.pages.dev is classified as active, with a risk level marked as under_investigation. Given the absence of detections on VirusTotal and the lack of confirmed blocklist inclusions, the immediate risk is assessed as moderate but warrants caution due to its active status and the nature of the threat. Security researchers and users are advised to avoid interacting with this domain and to report any observed malicious activity to relevant authorities or threat intelligence platforms. Cloudflare has been notified of the domain's potential malicious activity, and further analysis is ongoing to determine its exact purpose and origin. Remaining risk includes the domain's potential to evolve into a more sophisticated phishing campaign, including brand impersonation or the deployment of drainer kits, which could escalate the threat level. Users are encouraged to verify website legitimacy through independent means and to employ real-time threat intelligence tools to mitigate exposure to this and similar domains.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.44.131

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/a575eaab-d46a-485f-99c9-fd6b0684cccc
- PhishDestroy: https://phishdestroy.io/domain/zoratwo.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/zoratwo.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/zoratwo.pages.dev/
Last updated: 2026-04-01