DANGEROUS

Critical risk detected

Exoscale storage subdomain abused to host Lumma Stealer payloads and fake CAPTCHA loaders. Our security review flagged this site as high-risk. Don't enter personal information, deposit money, or download files.

Security Review

Is sos-ch-dk-2.exo.io legit or a scam?

Our verdict:Dangerous· 25/100

Exoscale storage subdomain abused to host Lumma Stealer payloads and fake CAPTCHA loaders.

sos-ch-dk-2.exo.ioScanned 1h ago
0
Trust score
DANGEROUS
Score breakdown
Heuristics 90·MT 20
Category tags
malware#malware85% MT confidence
Positive signals (4)
Antivirus clearNot on major blacklistsEncrypted connectionClean server reputation

These checks passed — but they don't clear the site. A clean antivirus result, valid SSL, and a calm server only mean it isn't hosting malware; they say nothing about whether the business is real. This verdict is based on the site's conduct and content, not a malware detection.

View density

Analysis Summary

Threat Intelligence
0/92
All engines report clean
Domain Age
Registration date unknown
Intelligence
Dangerous
High likelihood · 85% confidence

Website Preview

Live view unavailable

The site returned a server error when we tried to load it in our sandbox, so there was no page to capture. A working business almost always renders — treat this site as unverified.

sos-ch-dk-2.exo.io

We attempt a live render of every scanned site in a safe sandbox. This one couldn’t be reached — the failure itself is a signal, noted in the analysis below.

Visual analysis

We capture a fresh screenshot of the live page and ask a vision model to look for scam visual patterns — fake trust badges, countdown timers, overlay pop-ups, and visual clones of legitimate brands.

50
/ 100
High visual risk

Visual red flags detected in the screenshot

We could not load a live view of this site; the capture returned a server error.

Visual risk50/100

What our vision model saw

1 signal

Live capture returned a server/proxy error — the page could not be rendered

Intelligence

Advanced threat intelligence
Analysis
High scam likelihoodengineMT · Guardiantrust20/100
MT AgentLive web researchVisual inspection
0%
Confidence
The domain belongs to Exoscale's legitimate Swiss object storage service, yet three independent threat reports document active use for malware delivery. ThreatFox, CISecurity, and Guardio Security each flag specific paths on this subdomain as Lumma Stealer IOCs. The page itself returned a server error during capture, which is consistent with short-lived malware hosting that appears and disappears quickly. While the parent company maintains proper abuse reporting channels, the concrete evidence of malware distribution outweighs the clean hosting reputation. No business complaints exist, but the malware findings alone justify blocking access.
Full dossier
Analysis complete

Page Content

The live capture returned a server/proxy error, preventing any visual rendering of the page. This outcome aligns with malware distribution endpoints that serve payloads only to targeted visitors or for brief windows.

Infrastructure

The subdomain resolves to IP 194.182.165.210 with a clean abuse score of 0/100 and no prior abuse reports. SSL certificate is valid from Gandi SAS and expires in 122 days. No redirects occurred during the scan.

Domain History

The domain is a subdomain of exo.io, operated by Akenes SA, a Swiss company founded in 2011 and part of the A1 Telekom Austria Group. Exoscale launched its SOS object storage service in 2018, making this a long-established legitimate infrastructure provider.

Web Reputation

Three separate threat intelligence sources document malware activity: ThreatFox lists the path /onr/play.html as a Lumma Stealer IOC; CISecurity reports the domain in active Lumma Stealer campaigns; Guardio Security documented multiple paths used for fake CAPTCHA loaders delivering infostealers. One aggregator rated the subdomain as safe, likely because it belongs to a known hosting provider.

What this means for you

Do not visit this subdomain or any paths beneath it. The hosting provider is legitimate, but attackers are actively abusing the storage service to distribute malware. If you already visited, run a full antivirus scan and monitor for unusual activity.

Risk Factors
3
  • Three independent threat reports link the domain to Lumma Stealer distribution.
  • Specific paths documented as fake CAPTCHA loaders delivering infostealers.
  • Malware hosting on legitimate storage services often uses short-lived URLs that evade detection.
Positive Signals
3
  • Parent domain belongs to established Swiss cloud provider founded in 2011.
  • Hosting IP shows zero abuse reports and clean reputation scores.
  • Valid SSL certificate from recognized issuer.
AI Recommendation
Block this subdomain entirely. If you visited any paths, scan your device and avoid clicking links from unknown sources that lead to exo.io storage endpoints.
Next-gen fraud intelligence
Evidence-backedCross-checked

Web Research Findings

Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for sos-ch-dk-2.exo.io, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.

Business registration
Active · Switzerland
Site traces back to an actively registered business.
Clone check
Not a clone
No well-known site's layout or branding detected here.
Typosquat check
No look-alike match
The domain doesn't resemble any well-known brand's spelling.
Web mentions
3 scam reports · 1 positive
Key findings
7 headline facts from open-web research
  • sos-ch-dk-2.exo.io is an official Exoscale Object Storage (S3-compatible SOS) endpoint in Zurich region, announced 2018
  • Exoscale operated by Akenes SA (CHE-423.524.322), Swiss company founded 2011, part of A1 Telekom Austria Group
  • Multiple malware IOCs list paths on this domain for Lumma Stealer campaigns and fake CAPTCHA loaders (2025 reports)
  • Phishing-Database GitHub issue #1027 flags *.exo.io subdomains as false positives for phishing detection
  • ScamAdviser rates the specific subdomain as legit/safe; Gridinsoft also reports generally safe
  • Exoscale maintains abuse@exoscale.com reporting and public bug bounty program
  • Domain used for legitimate storage by various services; some DNS resolution incidents noted in 2025
Scam reports (3)
Direct quotes from public scam databases, forums, and news.
  • ThreatFoxopen

    "Lumma Stealer IOC: https://sos-ch-dk-2.exo.io/onr/play.html (url)"

  • CISecurityopen

    "sos-ch-dk-2[.]exo[.]io ... malware like Lumma Stealer"

  • Medium (Guardio Security)open

    "sos-ch-dk-2.exo[.]io /ataniya/bigot/ ... sos-ch-dk-2.exo[.]io /bucketofbits/modi-cloudflare-update-new.html"

Positive reviews (1)
Quotes indicating the site is legitimate.
  • ScamAdviseropen

    "In summary, we think sos-ch-dk-2.exo.io is legit and safe for consumers to access."

Business registration
Status: active · Switzerland

Akenes SA, private company founded 2011, headquartered Lausanne, Reg/VAT CHE-423.524.322; Exoscale is its trademark

Research summary
Narrative write-up from our AI analyst, grounded on the facts above

Threat intelligence sources identified three malware reports linking sos-ch-dk-2.exo.io to Lumma Stealer campaigns and fake CAPTCHA loaders. CISecurity published details of active campaigns using this domain. Guardio Security documented multiple infection paths on the subdomain. One review aggregator rated the subdomain as safe, citing its connection to the established Exoscale service.

Threat Detection

Antivirus Engines

Clean pass · verified
Clean across 92 engines

We cross-check every URL against our antivirus network of 92 malware and blacklist engines. None of them flagged this URL in the last scan.

0Malicious0Suspicious60Harmless92Engines
Clean
Kaspersky
Clean
Bitdefender
Clean
Microsoft
Not in pass
ESET-NOD32
Not in pass
Avira
Not in pass
Sophos
Clean
Fortinet
Clean
Google Safebrowsing
Clean
Emsisoft
Clean

No engine detections. The URL passed every antivirus and blacklist engine we queried in this scan. Stay vigilant — AV coverage is only one signal among many.

Security Scans

Blacklist Check
Not flagged on major threat lists

Checked against the major public blocklists used by browsers and security tools — no hits.

Reputation Sources

How this domain rates across independent threat-intelligence and blocklist providers.

Google Safe Browsing
Not listedCheck ↗
VirusTotal
Not listedCheck ↗
AbuseIPDB
Not listedCheck ↗

Technical Details

Domain & Encryption

Encryption Certificate
StatusValid
ProtocolTLSv1.3
IssuerGandi SAS · GandiCert
ExpiresNov 9, 2026 (122d)
Self-signedNo
Hosting & Technology
HostingExoscale Open Cloud DK2
Server locationCH

Server Reputation

Abuse Intelligence
Confidence score0%
Reports on file0
ISPExoscale Open Cloud DK2
Usage typeData Center/Web Hosting/Transit

What to do

Avoid this site

Our automated review flagged enough risk that you should treat this site as unverified.

  • Do not interact with sos-ch-dk-2.exo.io

    Do not enter credentials, deposit money, download files, or install browser extensions from this site.

  • Verify the business through independent channels

    Check the company's social profiles, registry records, and search for recent news or reviews that are not hosted on the site itself.

  • Never use irreversible payment methods

    Crypto, gift cards, wire transfers, and cash apps offer zero buyer protection. Use a credit card or PayPal if you must pay.

  • Share your experience

    If you have additional context, drop a comment below or post on the MalwareTips forum.

    Open

Final Verdict

0
Trust / 100
Final Verdict·sos-ch-dk-2.exo.io
DANGEROUS

This subdomain hosts malware distribution paths for Lumma Stealer campaigns. Multiple security reports list it as an active infection vector despite its legitimate hosting provider.

Block this subdomain entirely. If you visited any paths, scan your device and avoid clicking links from unknown sources that lead to exo.io storage endpoints.

AV engines
92
Domain age
Flagged
0
Scan another URL
Security review completemalwaretips.com/url-scan

Safety FAQ

Common questions about this site, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.

  • Our automated security review flags sos-ch-dk-2.exo.io as dangerous. Multiple threat indicators were detected — treat the site as a scam until proven otherwise.
  • No — sos-ch-dk-2.exo.io scored 25/100 on our trust scale. We detected active threat indicators, so we recommend avoiding the site entirely.
  • Yes. sos-ch-dk-2.exo.io presents a valid TLSv1.3 certificate issued by Gandi SAS · GandiCert, expiring in 122 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.
  • No. All 92 antivirus engines in our malware network report sos-ch-dk-2.exo.io as clean.
  • No. sos-ch-dk-2.exo.io is not currently listed on the major browser blocklist feeds that modern browsers use.
  • sos-ch-dk-2.exo.io resolves to an IP operated by Exoscale Open Cloud DK2 in CH (usage type: Data Center/Web Hosting/Transit). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.
  • This is a permanent record of the scan run on July 10, 2026. The verdict and evidence above reflect that scan and do not change on their own. If circumstances around sos-ch-dk-2.exo.io have changed, MalwareTips staff can run a fresh scan, which re-runs every check from scratch and publishes an updated report.
Recently scanned

Other Dangerous reports

Browse all reports
Community review

User reviews & comments(0)

Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.

Loading…
Loading comments…
This report is generated automatically by combining threat intelligence, domain signals, and an AI security analyst. It is informational, not legal advice. Always use your own judgement before sharing personal information or money online.