# arcusfi.co — SUSPICIOUS

> arcusfi.co, a recently registered domain (0/95 VT detections), poses as a fake brand portal to harvest credentials. Avoid entering any data. Block now.

## Summary

arcusfi.co is a recently registered domain identified by PhishDestroy as a credential harvesting site mimicking a legitimate business portal. The domain is currently active and under active analysis as of the seed 5a16e6 investigation cycle. This advisory highlights the domain’s phishing risk, technical indicators, and recommended mitigation steps to prevent potential compromise.

PhishDestroy classifies arcusfi.co as a generic phishing domain with a current risk status of under_investigation. The domain is designed to impersonate a corporate or business portal, tricking users into entering sensitive credentials under false pretenses. Initial telemetry confirms the domain remains unflagged by security vendors, with 0 detections out of 95 VirusTotal scans analyzed as of the time of writing.

The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, resolves to IP address 172.67.161.120, and uses a Let’s Encrypt SSL certificate for encryption. Notably, arcusfi.co was created on March 18, 2026, indicating a very recent registration footprint consistent with opportunistic malicious domain campaigns. The domain has not yet appeared on major threat intelligence blocklists or reputation databases, which may change as additional telemetry accumulates.

The active status of arcusfi.co demands immediate attention from security teams and end users alike. While the domain currently evades detection due to its novelty and low file artifact presence, its technical configuration—including the use of a legitimate SSL certificate—suggests an attempt to establish trust with potential victims. The registrar, NICENIC INTERNATIONAL, has been associated with high volumes of rapidly registered domains, some of which have later been leveraged in phishing or scam operations.
Given the domain’s recent creation and absence from blocklists, proactive blocking is strongly recommended at the network perimeter to prevent access. Organizations should also monitor internal DNS queries for arcusfi.co and inspect outbound SSL/TLS connections to 172.67.161.120 for signs of data exfiltration. Users should be notified of the threat and advised against interacting with the domain, especially any login or input forms it may present. Continuous monitoring and updating of threat intelligence feeds will be crucial to tracking the evolution of this campaign, including potential shifts in hosting, infrastructure, or payload delivery vectors.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-18 22:52:05
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 172.67.161.120

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/4f401d2d-8759-4fc3-a867-321434d5e8ee
- PhishDestroy: https://phishdestroy.io/domain/arcusfi.co/
- LLM endpoint: https://phishdestroy.io/domain/arcusfi.co/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/arcusfi.co/

Last updated: 2026-03-23