[False Negative]: add 15 phishing domains (exoduswallet[.]at, setup-ledger[.]live, ...) #121

@ninjacatcher

Executive Summary

This report documents 15 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 15 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):

Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting companies and cryptocurrency holders/investors.
The attackers use fake login pages and tampered software to steal seeds/keys.

Technical Details

  • Use Cloudflare (maybe Pro or Business) accounts.
  • Cloaked: if the request does not comply with the rules, it is redirected to a non-existent subdomain "www.www." (in most cases).

Detections

Targeted Brands

  • exoduswallet.at - Exodus (exodus.com)
  • setup-ledger.live - Ledger (ledger.com)
  • official-ledger-app.live - Ledger (ledger.com)
  • ai-atomic.org - Atomic Wallet (atomicwallet.io)
  • htex-panel.at - HTX
  • simpleswap.ac - SimpleSwap (simpleswap.io)
  • simpleswap.to - SimpleSwap (simpleswap.io)
  • simpleswap.at - SimpleSwap (simpleswap.io)
  • www.exoduswallet.at - Exodus (exodus.com)
  • rarible.io-nft.guru - Rarible
  • simpleswap.ltd - SimpleSwap (simpleswap.io)
  • simpleswap.online - SimpleSwap (simpleswap.io)
  • rarible.nft-markets.org - Rarible
  • pddeploy.com - PNC Bank (PINACLE® Corporate Online Banking)

Temporal Information

  • Date of Identification and Submission: 2025-10-03 19:15 UTC
  • Estimated Campaign Activity Start: Approximately 7-14 days prior to detection

Screenshots

(If screenshots are not displayed, see the scans pages)

Scans
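
One way to check crawl results for the cloaking behaviour noted under Technical Details (a redirect to a "www.www." host), as an added example that is not part of the original report. The record layout, the function names and the `.example` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased hostname of a URL, or '' for relative or missing values."""
    return (urlsplit(url or "").hostname or "").lower().rstrip(".")


def strip_www(host):
    """Remove every leading 'www.' label so hosts can be compared by base name."""
    while host.startswith("www."):
        host = host[4:]
    return host


def doubled_www_redirect(requested_url, status, location):
    """True when a 3xx response points at 'www.www.' in front of the same base host."""
    if not 300 <= status < 400:
        return False
    src, dst = _host(requested_url), _host(location)
    if not src or not dst.startswith("www.www."):
        return False
    return strip_www(src) == strip_www(dst)


def flag_cloaked(records):
    """Return the sorted base hosts whose crawl records show the doubled-www redirect."""
    hits = {
        strip_www(_host(url))
        for url, status, location in records
        if doubled_www_redirect(url, status, location)
    }
    return sorted(hits)


# Constructed sample crawl records: (requested URL, HTTP status, Location header)
SAMPLE = [
    ("https://brand-wallet.example/", 302, "https://www.www.brand-wallet.example/"),
    ("https://www.brand-wallet.example/download", 301, "//www.www.brand-wallet.example/"),
    ("https://shop.example/", 301, "https://www.shop.example/"),        # normal www redirect
    ("https://brand-wallet.example/", 200, None),                       # no redirect
    ("https://other.example/", 302, "https://www.www.unrelated.example/"),  # different base
    ("https://portal.example/", 302, "/login"),                         # relative Location
]

if __name__ == "__main__":
    print(flag_cloaked(SAMPLE))
```

A hit only shows that the redirect target matches the pattern; confirming that the "www.www." name does not resolve needs a separate DNS lookup.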
