# PhishDestroy threat dossier — alufast.com.br ================================================================ Fetched: 2026-07-07 02:25:38 UTC Canonical: https://phishdestroy.io/domain/alufast.com.br/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 65/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, G-Data AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 186.209.113.105 (BR, Brooklin) ASN: AS53107 EVEO S.A. Hosting org: Eveo S.A Registrar: REGISTRAR_NOT_FOUND Nameservers: ns1.gtiinformatica.com.br, ns1.valueserver.com.br, ns2.gtiinformatica.com.br, ns2.valueserver.com.br, ns3.gtiinformatica.com.br, ns3.valueserver.com.br, ns4.gtiinformatica.com.br, ns4.valueserver.com.br Registered: 2014-11-26 Expires: 2026-11-26 Page title: 404 Not Found HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-08-23 Status: INVALID chain Fingerprint: d742a50215543e404d6acffd76222d00b9d85c445e12093b3e4ec453629ecb2c ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2014-11-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-07 02:11:48 UTC (by PhishDestroy tracker) Last verified: 2026-07-07 04:25:14 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f39f5-90ab-7797-9a1d-191cba4a5c9b/ Wayback Machine: https://web.archive.org/web/*/alufast.com.br crt.sh CT logs: https://crt.sh/?q=%25.alufast.com.br Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=alufast.com.br AlienVault OTX: https://otx.alienvault.com/indicator/domain/alufast.com.br URLhaus: https://urlhaus.abuse.ch/host/alufast.com.br/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 02:15:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, alufast.com.br, is actively engaged in credential theft operations targeting unsuspecting users. Analysis indicates the site is designed to harvest login credentials, financial information, or other sensitive data under false pretenses. Users who interact with this domain risk unauthorized access to their accounts, financial loss, or identity theft. The site does not host legitimate content and is not affiliated with any recognized brand or service, despite attempts to appear credible. Infrastructure analysis reveals multiple red flags confirming malicious intent. The domain was registered on November 26, 2014, and remains active under a Let's Encrypt SSL certificate, which is commonly abused by threat actors to create a false sense of security. It resolves to the IP address 186.209.113.105, and VirusTotal reports that 5 out of 95 security vendors have flagged this domain as malicious. The page title, '404 Not Found,' suggests the site may be in a transitional state or deliberately obfuscating its true purpose to evade detection. If you or someone in your organization has visited alufast.com.br or entered credentials on this site, immediate action is required. First, disconnect the affected device from the network to prevent potential lateral movement or data exfiltration. Reset all passwords associated with the compromised accounts, prioritizing email, financial, and administrative credentials. Enable multi-factor authentication (MFA) on all critical accounts to mitigate further risk. Monitor accounts for unauthorized activity, such as logins from unfamiliar locations or devices, and review financial statements for suspicious transactions. Report the incident to your organization's security team or a trusted cybersecurity professional for further analysis and remediation. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: b8a0bf372c762e966cc99ede8682bc71 TLS cert SHA-256: d742a50215543e404d6acffd76222d00b9d85c445e12093b3e4ec453629ecb2c ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/alufast.com.br/ JSON API: https://api.destroy.tools/v1/check?domain=alufast.com.br Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,644 domains (12,655 alive under monitoring, 162,048 confirmed takedowns/dead). Site: https://phishdestroy.io