Is nrel.gov safe?

encoded payload

suspicious base64-like blobs detected in page content

cloaking

Page loads content in transparent or zero-size iframe overlay

brand impersonation

The site at nrel.gov presents itself as 'National Laboratory of the Rockies (NLR)' — a fictitious entity impersonating NREL (National Renewable Energy Laboratory), a real U.S. Department of Energy national laboratory. The page title reads 'Home | NLR', the logo alt text is 'National Laboratory of the Rockies', and all branding uses 'NLR' instead of 'NREL'. The real NREL is located at nrel.gov, making this a direct domain-level impersonation of a federal government research institution. (location: page.html:2, page.html:236-237, page.html:624, page.html:879)

brand impersonation

The footer claims the site is 'a national laboratory of the U.S. Department of Energy, Office of Critical Minerals and Energy Innovation, operated under Contract No. DE-AC36-08GO28308' — falsely attributing a real DOE contract number to a fictitious 'National Laboratory of the Rockies'. Contract DE-AC36-08GO28308 is the actual NREL operating contract, being misappropriated here to lend false legitimacy. (location: page.html:879)

brand impersonation

Social media links in the footer reference real NREL accounts: Instagram links to '@nationalrenewableenergylab', YouTube to '@nationallaboratoryoftherockies', and Threads to '@nationalrenewableenergylab'. This mixes real NREL social handles with fake NLR branding to create a veneer of legitimacy. (location: page.html:834-838)

brand impersonation

The footer contains a link to 'https://developer.nrel.gov/' (Developers) and 'https://thesource.nrel.gov/' (Employees) — real NREL subdomains — embedded within the impersonation site, blurring the boundary between the fake NLR site and the real NREL infrastructure. (location: page.html:857)

brand impersonation

News article links point to 'https://www.nlr.gov/...' while the scanned domain is nrel.gov. The site operates on nrel.gov but references www.nlr.gov as its canonical domain for news articles, indicating the impersonation infrastructure spans at least two domains (nrel.gov and nlr.gov). (location: page.html:697-710)

brand impersonation

Publication document links point to 'https://docs.nlr.gov/docs/...' for technical reports, mimicking the real NREL docs repository at docs.nrel.gov. These links lead to a parallel fake document infrastructure under nlr.gov. (location: page.html:727)

social engineering

The site presents fabricated government research content (geothermal market reports, cybersecurity partnerships, DOE contract attribution) with realistic dates (2026) and professional design to deceive users into trusting it as an authoritative U.S. government energy research source. This is a sophisticated social engineering operation targeting users seeking legitimate NREL resources. (location: page.html:612-614, page.html:727, page.html:879)

phishing

The site hosts a 'Subscribe to NLR' link and a newsletter subscription page (/news/subscribe), as well as a 'Contact Us' form (/webmaster). These could be used to harvest user email addresses and personal information under the false pretense of subscribing to a legitimate U.S. government laboratory newsletter. (location: page.html:831, page.html:492-494)

phishing

The site contains a 'Careers' section with job postings (/careers/find-job) and a hiring process page on a domain impersonating a federal laboratory. Job applicants could be deceived into submitting resumes, personal information, and employment history to this fraudulent entity. (location: page.html:521-560)

malicious redirect

The search form posts to 'https://search4.nlr.gov/texis/search/?pr=metanlr&query={query}' — an external nlr.gov subdomain. Users performing searches on what they believe is nrel.gov are redirected to nlr.gov infrastructure, reinforcing the cross-domain impersonation and potentially exposing search queries to the threat actor. (location: page.html:250)