I don't have screenshots for this one, but it has the same common indicator, uses Nuxt.js just like the others listed, and has the same pattern of HTTP requests.
Related external source
Screenshot
Click to expand
![image](https://github.com/user-attachments/assets/18f507fc-f616-42e5-95bf-20bcaef11eb4)
![image](https://github.com/user-attachments/assets/f8685f44-1850-476d-8c6e-861908d05aae)
![image](https://github.com/user-attachments/assets/ade43091-739c-426e-9d87-0748b3f7a28c)
add draschool[.]org to wildcard list
Phishing Domain/URL/IP(s):
Impersonated domain
Describe the issue
This domain is now hosting the phishing kit that previously at craigbrimm[.]com(#480), albapietra[.]com[.]br(https://github.com/mitchellkrogza/phishing/pull/479), yanisac[.]com(https://github.com/mitchellkrogza/phishing/pull/478), sbic[.]com[.]br (https://github.com/mitchellkrogza/phishing/pull/477), squad[.]cl(https://github.com/mitchellkrogza/phishing/pull/473), benyex[.]cl (https://github.com/mitchellkrogza/phishing/pull/468), lebomashilo[.]co[.]za (https://github.com/mitchellkrogza/phishing/pull/462), havenhills[.]za[.]com (https://github.com/mitchellkrogza/phishing/pull/459), intrinsicisle[.]za[.]com (https://github.com/mitchellkrogza/phishing/pull/452), reluzformaturas[.]com[.]br (https://github.com/mitchellkrogza/phishing/pull/435), abcmueblesbogota[.]com (https://github.com/mitchellkrogza/phishing/pull/432), ergoterapiacaribu[.]ch (https://github.com/mitchellkrogza/phishing/pull/426), ijconnects[.]com (https://github.com/mitchellkrogza/phishing/pull/421), cbcaps[.]shop (https://github.com/mitchellkrogza/phishing/pull/417), bersowir[.]org (https://github.com/mitchellkrogza/phishing/pull/416), brunotasso[.]com[.]br (https://github.com/mitchellkrogza/phishing/pull/413), wisbechguide[.]uk (https://github.com/mitchellkrogza/phishing/pull/408), pescacancun[.]com (https://github.com/mitchellkrogza/phishing/pull/406), bkengineersindia[.]com (https://github.com/mitchellkrogza/phishing/pull/405), englishplusmore[.]com (https://github.com/mitchellkrogza/phishing/pull/404), carnesboinobre[.]com[.]br (https://github.com/mitchellkrogza/phishing/pull/398), technowide[.]com[.]tr (https://github.com/mitchellkrogza/phishing/pull/396), jestertunes[.]com (https://github.com/mitchellkrogza/phishing/pull/393), safecartusa[.]com (https://github.com/mitchellkrogza/phishing/pull/391), foreverfarley[.]com (https://github.com/mitchellkrogza/phishing/pull/387), azezieldraconous[.]com (https://github.com/mitchellkrogza/phishing/pull/381), westernautomobileassembly[.]com (https://github.com/mitchellkrogza/phishing/pull/376) , littleswanaircon[.]com[.]sg (https://github.com/mitchellkrogza/phishing/pull/372), iwan2travel[.]com (https://github.com/mitchellkrogza/phishing/pull/370), applesforfred[.]com (https://github.com/mitchellkrogza/phishing/pull/369), theaerie[.]ca (https://github.com/mitchellkrogza/phishing/pull/367), nico[.]sa (https://github.com/mitchellkrogza/phishing/pull/366), ajstelecom[.]com[.]mx (https://github.com/mitchellkrogza/phishing/pull/362), and many others.
I don't have screenshots for this one, but it has the same common indicator, uses Nuxt.js just like the others listed, and has the same pattern of HTTP requests.
Related external source
Screenshot
Click to expand
![image](https://github.com/user-attachments/assets/18f507fc-f616-42e5-95bf-20bcaef11eb4) ![image](https://github.com/user-attachments/assets/f8685f44-1850-476d-8c6e-861908d05aae) ![image](https://github.com/user-attachments/assets/ade43091-739c-426e-9d87-0748b3f7a28c)