# app.sunwsap.ink — SUSPICIOUS

> PhishDestroy identifies app.sunwsap.ink as a live malware-dropper site mimicking SAP, created March 26, 2026 and hosted on 188.114.97.

## Summary

PhishDestroy identifies app.sunwsap.ink as an active malware-dropper posing as a legitimate SAP login portal to harvest corporate credentials and deliver malicious payloads. The domain leverages a Let’s Encrypt SSL certificate to appear trustworthy while hosting content designed to trick SAP users into entering their work credentials. Threat actors commonly use such impersonation to gain initial access to enterprise networks, then pivot to data theft or ransomware deployment. This campaign specifically targets SAP users through deceptive URLs, aiming to capture valid credentials that provide direct entry into business-critical systems.

This domain was flagged through PhishDestroy’s automated pipeline, which detected the impersonation of a major enterprise application. Intelligence shows the domain was registered on March 26, 2026, only days ago, through NICENIC INTERNATIONAL GROUP CO., LIMITED. It resolves to IP address 188.114.97.3 and currently shows 0 detections on VirusTotal (95 engines scanned as of latest check). The lack of detection suggests this campaign is either very new or using evasion techniques to bypass initial filters. The combination of recent registration, low detection rate, and spoofed SAP branding indicates a high-risk, likely targeted operation.

If you visited app.sunwsap.ink, immediately close the browser tab and disconnect from any corporate network or VPN. Do not enter any credentials or download files. Scan your device with updated antivirus software, especially if you used work credentials. Report the incident to your IT or security team and provide the full URL. If you entered SAP credentials, change your password immediately via the official SAP portal and enable multi-factor authentication. Monitor for unusual login attempts or system access. This domain is under active investigation, but proactive action can prevent credential compromise and potential lateral movement in your organization.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-26 17:01:05
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/app.sunwsap.ink
- PhishDestroy: https://phishdestroy.io/domain/app.sunwsap.ink/
- LLM endpoint: https://phishdestroy.io/domain/app.sunwsap.ink/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/app.sunwsap.ink/

Last updated: 2026-04-05