# PhishDestroy threat dossier — apcollege-edu.com
================================================================
Fetched: 2026-07-01 13:58:29 UTC
Canonical: https://phishdestroy.io/domain/apcollege-edu.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 80/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
AlienVault OTX: 2 pulses (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 163.61.188.7 (US, Staten Island)
ASN: AS153568 NEW DHAKA HARDWARE
Hosting org: MIT
Registrar: TuringSign Inc. d/b/a Cosmotown
Nameservers: dns1.lytehosting.com, dns2.lytehosting.com, dns3.lytehosting.com, dns4.lytehosting.com
Registered: 2025-09-15
Expires: 2026-09-15
Page title: APCU Portal | Student Dashboard

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-08-20
Status: INVALID chain
Fingerprint: 0537565aabe819837d52cf3c321f21324c12a4b47e23f00b31753b22350d8d79
Subject Alternative Names (related infrastructure — often same operator):
- advancedpclhms-edu.com
- www.advancedpclhms-edu.com.advancedpcedutt-edu.com
- www.apcollege-edu.com.advancedpcedutt-edu.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-09-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-01 04:06:17 UTC (by PhishDestroy tracker)
First reported: 2026-07-01 02:10:58 UTC (abuse notice filed)
Last verified: 2026-07-01 15:45:32 UTC
Neutralised: 2026-07-01 12:02:52 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1b6c-88db-76af-a360-a540ebbb7646/
URLQuery: https://urlquery.net/report/17a5bfa8-16b2-4845-9b72-dff58e50e251
Wayback Machine: https://web.archive.org/web/*/apcollege-edu.com
crt.sh CT logs: https://crt.sh/?q=%25.apcollege-edu.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=apcollege-edu.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/apcollege-edu.com
URLhaus: https://urlhaus.abuse.ch/host/apcollege-edu.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-01 04:36:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is flagged as an active credential phishing portal designed to impersonate academic institution login pages. Analysis indicates the threat type is highly targeted, focusing on students and faculty members under the guise of an "APCU Portal | Student Dashboard." The infrastructure exhibits characteristics consistent with credential harvesting campaigns, where victims are prompted to enter sensitive login credentials, which are then exfiltrated to attacker-controlled servers.

Infrastructure analysis reveals the domain apcollege-edu.com was registered on September 15, 2025, through TuringSign Inc. d/b/a Cosmotown.
It resolves to the IP address 163.61.188.7 and currently holds a VirusTotal detection score of 0/95, indicating no antivirus engines have flagged it as malicious at the time of assessment. The SSL certificate is issued by Let's Encrypt, a common tactic to lend false legitimacy to phishing sites. Despite its clean detection profile, the domain appears in two AlienVault OTX threat intelligence pulses, suggesting prior identification in security communities. Gridinsoft assigns a trust score of 0/100, further corroborating its malicious nature.

Mitigation steps for this specific threat type include immediate domain blacklisting at the network perimeter and endpoint levels. Organizations should deploy email filtering rules to block messages containing the domain or its associated IP address. Users should be educated on recognizing phishing indicators, such as mismatched URLs, urgent login requests, and unofficial domain registrars. Security teams are advised to monitor for credential reuse attempts following exposure to this portal, as harvested credentials are likely to be leveraged in subsequent attacks. Network traffic to 163.61.188.7 should be investigated for additional compromised accounts.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260701-8210AF
Favicon MD5: cea0afae5f2d922127737f7aeb929202
TLS cert SHA-256: 0537565aabe819837d52cf3c321f21324c12a4b47e23f00b31753b22350d8d79

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/apcollege-edu.com/
JSON API: https://api.destroy.tools/v1/check?domain=apcollege-edu.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,494 domains (13,312 alive under monitoring, 159,499 confirmed takedowns/dead).
Site: https://phishdestroy.io