Attacker-controlled domain hosting the fake rate confirmation phishing portal and all staged payloads (ElevatorShellCode.exe, stage.ps1, update.exe, patch.exe, decoy PDF)