# PhishDestroy threat dossier — 8g93p.stick.ws ================================================================ Fetched: 2026-07-03 20:32:15 UTC Canonical: https://phishdestroy.io/domain/8g93p.stick.ws/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 83/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: GoDaddy.com Nameservers: deb.ns.cloudflare.com, guss.ns.cloudflare.com Registered: 2020-09-17 Expires: 2026-09-17 Page title: Консультация-V HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-09-13 Status: INVALID chain Fingerprint: 73cb58382284dac38a14bfcc00d1e0444415fcef9d404f23e6c7e82e7277c017 Subject Alternative Names (related infrastructure — often same operator): - stick.ws ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2020-09-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-03 08:25:56 UTC (by PhishDestroy tracker) First reported: 2026-07-03 06:27:15 UTC (abuse notice filed) Last verified: 2026-07-03 22:15:13 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f26a6-89af-7594-89f3-de310ac35687/ URLQuery: https://urlquery.net/report/650546aa-cd52-4260-a07d-93832ca4ef61 Wayback Machine: https://web.archive.org/web/*/8g93p.stick.ws crt.sh CT logs: https://crt.sh/?q=%25.8g93p.stick.ws Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=8g93p.stick.ws AlienVault OTX: https://otx.alienvault.com/indicator/domain/8g93p.stick.ws URLhaus: https://urlhaus.abuse.ch/host/8g93p.stick.ws/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-03 08:36:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, 8g93p.stick.ws, is flagged as a generic phishing infrastructure targeting Russian-speaking users, as indicated by the page title 'Консультация-V'. Analysis suggests the site is designed to mimic a legitimate consultation or login portal, though no specific brand impersonation or drainer kit has been confirmed at this stage. The lack of detected malicious payloads in initial scans does not rule out credential harvesting or social engineering tactics commonly associated with such pages. Infrastructure analysis reveals the domain was registered on September 17, 2020, through GoDaddy.com and currently resolves to the IP address 188.114.96.3. As of the latest assessment, the domain has a VirusTotal detection score of 0/95, indicating no antivirus engines have flagged it as malicious. The SSL certificate is issued by Google Trust Services, and the site employs multiple tracking technologies, including Google Tag Manager, Google Analytics, and Facebook Pixel. Additional security headers such as HSTS and Cloudflare protections are present, which may complicate detection efforts. No Google Safe Browsing (GSB) flags or blocklist entries have been recorded for this domain. The domain remains active and under investigation, with no takedown actions observed as of this report. The combination of long-standing registration, zero detections, and legitimate-seeming infrastructure increases the risk of successful phishing attempts. Users are advised to verify the authenticity of any login prompts before entering credentials, particularly if redirected from unsolicited communications. Organizations should monitor for connections to 188.114.96.3 and consider blocking the domain at the network level pending further analysis. The absence of detections does not guarantee safety, and continued vigilance is recommended. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260703-282BF6 Favicon MD5: c5dc961b55cfd1df1c358643ac50207a TLS cert SHA-256: 73cb58382284dac38a14bfcc00d1e0444415fcef9d404f23e6c7e82e7277c017 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/8g93p.stick.ws/ JSON API: https://api.destroy.tools/v1/check?domain=8g93p.stick.ws Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,411 domains (13,161 alive under monitoring, 160,432 confirmed takedowns/dead). Site: https://phishdestroy.io