Phishing Analysis: Unknown

Visual Capture

No screenshot available

Detection Info

https://betkat.club/admin

Detected Brand

Unknown

Country

Unknown

Confidence

100%

HTTP Status

200

Report ID

6626b81f-ccc…

Analyzed

2026-01-26 08:35

Final URL (after redirects)

https://betkat.club/admin/

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T12D516620A0101C9B23CBC9D997B8274626E1C331CE432C896AFC52FC6EF7E9165657C6
CONTENT ssdeep	48:ioYcMWupUH56sAd8psAQ3sosCSWA1qJV573n3nol3gEOTg1atSdWCqbhkvMBcpKD:i4HuiofAgVTSWkO7Xol3OTVCD4cpKXuS

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b399cc6633998c66
VISUAL aHash	0000181824180000
VISUAL dHash	000810324c100000
VISUAL wHash	ccccfcfc03033333
VISUAL colorHash	07038000000
VISUAL cropResistant	000810324c100000

Code Analysis

Risk Score 85/100

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

assets/login.js?1710922708
assets/login.css?1710922708

📡 API Calls Detected

POST

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected multiple kit types (Credential Harvester, OTP Stealer, Banking, Personal Info) with 18 form fields for data collection.

High Obfuscation

86 obfuscation techniques detected, indicating deliberate evasion of static analysis and manual inspection.

No Legitimate Infrastructure

No associated IPs, nameservers, or JS files detected, suggesting disposable or bulletproof hosting.

Real-Time Data Exfiltration

Presence of Credential Harvester and OTP stealer kits implies real-time interception of sensitive data.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

General public

Attack Method

credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Unknown

Risk Assessment

CRITICAL - Automated credential harvesting with Unknown

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
86 obfuscation techniques

🏢 Brand Impersonation Analysis

Fake Service

Unknown (No brand impersonation detected)

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit employs 18 form fields to capture user credentials, including usernames, passwords, and personal information. Data is likely transmitted to a backend server controlled by the attacker for immediate exploitation or resale.

Secondary Method: OTP Interception

The OTP Stealer kit component suggests the site is designed to trick users into entering one-time passwords (OTPs), enabling attackers to bypass multi-factor authentication (MFA) and gain unauthorized access to accounts.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

betkat.club

Registered

2024-03-24 21:24:31+00:00

Registrar

NAMECHEAP INC

Status

Active (672 days old)

🦠 Malicious Files

Main File

File Size

Small JavaScript file with high obfuscation, likely containing credential harvesting logic.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL CONTACT                                       │
│    - Victim receives phishing message                    │
│    - Message contains link to fake Banking site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE ACCESS                                      │
│    - Victim visits fraudulent Banking page               │
│    - Page mimics legitimate Banking portal               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL INPUT                                      │
│    - Victim enters login credentials                     │
│    - Form appears identical to real Banking site         │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURE                                          │
│    - Credentials collected by attacker                   │
│    - Data prepared for exfiltration                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 5. EXFILTRATION                                           │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker-controlled     │
│      destination                                         │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

19.5 KB

🔗 API Endpoints Detected

Other

1

🔐 Obfuscation Detected

: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL CONTACT                                       │
│    - Victim receives phishing message                    │
│    - Message contains link to fake Banking site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE ACCESS                                      │
│    - Victim visits fraudulent Banking page               │
│    - Page mimics legitimate Banking portal               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL INPUT                                      │
│    - Victim enters login credentials                     │
│    - Form appears identical to real Banking site         │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURE                                          │
│    - Credentials collected by attacker                   │
│    - Data prepared for exfiltration                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 5. EXFILTRATION                                           │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker-controlled     │
│      destination                                         │
└──────────────────────────────────────────────────────────┘
```

🎯 Malicious Files Identified

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Unknown

https://cdn.gosafemode.com/screenshots/721fdbd2245b.png

Apr 03, 2026

Unknown

https://cdn.gosafemode.com/screenshots/c2167acce778.png

Mar 29, 2026