# at-kra37.cc — MALICIOUS

> at-kra37.cc is a credential theft phishing domain with 14/95 VirusTotal detections, active since January 23, 2025.

## Summary

at-kra37.cc is an active phishing domain identified as a credential theft site. Distributed through deceptive channels, it lures victims into entering login credentials on a spoofed sign-in page; anything submitted is exfiltrated immediately to the operators.

The domain is flagged by 14 of 95 VirusTotal vendors, so the majority of automated defenses do not yet recognize it. Google Safe Browsing reports it clean and it appears on no other blocklist at the time of this report, which means a user who reaches the page will typically see no browser warning. The absence of a warning is not evidence that the site is safe.

The domain was registered on January 23, 2025 through NICENIC INTERNATIONAL GROUP CO., LIMITED. Its recent creation is itself a risk signal: phishing domains are usually registered shortly before a campaign and discarded once they are widely detected, so a young domain serving a login form deserves scrutiny before any credentials are entered.

It resolves to 188.114.97.3, an address in Cloudflare's 188.114.96.0/20 anycast range. The site is therefore proxied through Cloudflare, which hides the attacker's origin server; the IP is shared edge infrastructure, not infrastructure the threat actor controls, and attribution to a specific campaign remains under analysis. The Google Trust Services TLS certificate the site presents is most likely provisioned automatically by Cloudflare's Universal SSL rather than obtained deliberately by the operator. Either way, a valid certificate and the browser padlock only show that the connection to whoever controls the name is encrypted; they say nothing about who that is. Domain authenticity has to be verified independently of TLS indicators.
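Because 188.114.97.3 sits in Cloudflare's shared 188.114.96.0/20 edge range, the indicator worth hunting and blocking is the domain, not the IP. The script below is an added example written for this page, not PhishDestroy's own tooling. The DNS and proxy log lines are constructed, and the Cloudflare range is embedded from Cloudflare's published IPv4 list so the script runs offline. It matches the domain and its subdomains in logs while rejecting look-alikes such as `notat-kra37.cc` or `at-kra37.cc.evil.example`, flags POST requests that likely carried credentials, computes the domain's age at observation time, and recommends a DNS/proxy block instead of an IP block when the resolved address is CDN edge space.

```python
"""Added example (not part of the PhishDestroy report): turn the at-kra37.cc
indicator into a log search and a blocking decision.

All log lines below are constructed. The Cloudflare IPv4 range is taken from
Cloudflare's published list and embedded so the script runs offline.
"""
import ipaddress
import re
from datetime import date

IOC_DOMAIN = "at-kra37.cc"
IOC_IP = "188.114.97.3"
REGISTERED = date(2025, 1, 23)  # from the report's Domain Intelligence

# Shared CDN/proxy ranges: an IOC IP inside one of these is an edge node, not
# the attacker's origin, so blocking it would also break legitimate sites.
SHARED_RANGES = [ipaddress.ip_network("188.114.96.0/20")]  # Cloudflare

SAMPLE_LOGS = [  # constructed, not real traffic
    "2025-04-12T09:14:03Z dns client=10.0.0.21 qname=at-kra37.cc qtype=A answer=188.114.97.3",
    "2025-04-12T09:14:05Z proxy client=10.0.0.21 method=POST host=at-kra37.cc path=/login status=302",
    "2025-04-12T09:15:11Z proxy client=10.0.0.33 method=GET host=login.at-kra37.cc path=/ status=200",
    "2025-04-12T09:16:40Z proxy client=10.0.0.40 method=GET host=example.com path=/ status=200",
    "2025-04-12T09:17:02Z proxy client=10.0.0.41 method=GET host=at-kra37.cc.evil.example path=/ status=200",
    "2025-04-12T09:18:20Z dns client=10.0.0.52 qname=notat-kra37.cc qtype=A answer=203.0.113.9",
]

HOST_FIELD = re.compile(r"\b(?:qname|host)=([A-Za-z0-9.-]+)")
IP_FIELD = re.compile(r"\banswer=(\d{1,3}(?:\.\d{1,3}){3})")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it.

    A plain substring test would also hit notat-kra37.cc and
    at-kra37.cc.evil.example; label-boundary matching does not.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_shared_infrastructure(ip: str) -> bool:
    """True when the address belongs to a CDN/proxy range we know is shared."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_RANGES)


def scan_logs(lines, domain: str = IOC_DOMAIN):
    """Return one record per log line that references the IOC domain."""
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if not (m and host_matches(m.group(1), domain)):
            continue
        ip = IP_FIELD.search(line)
        client = CLIENT_FIELD.search(line)
        hits.append({
            "client": client.group(1) if client else None,
            "host": m.group(1),
            "answer": ip.group(1) if ip else None,
            # A POST to the phishing host is the strongest sign credentials
            # were actually submitted, which drives the password-reset step.
            "credential_post": " method=POST " in line,
        })
    return hits


def blocking_advice(ip: str) -> str:
    """Choose a control that stops the phish without collateral damage."""
    if is_shared_infrastructure(ip):
        return "block-by-domain"  # DNS sinkhole / proxy deny-list on the FQDN
    return "block-by-ip-and-domain"


def domain_age_days(observed: date, registered: date = REGISTERED) -> int:
    """Age of the domain when the traffic was seen; low values are suspicious."""
    return (observed - registered).days


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print("advice:", blocking_advice(IOC_IP))
    print("age at observation:", domain_age_days(date(2025, 4, 12)), "days")
```

In a real environment the sample list would be replaced by a stream from the DNS resolver or proxy, and the shared-range list would be refreshed from Cloudflare's published IP list rather than hard-coded. The clients that appear in `credential_post` records are the ones whose users need the password reset and 2FA steps described at the end of this report.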
To mitigate credential theft risks associated with at-kra37.cc, organizations and individuals should check domain names for non-standard characters, extra labels or misspellings before entering credentials, particularly on login portals reached from a link. Log in only through verified, company-hosted domains or official applications, never through links in email or messages. Multi-factor authentication (MFA) is the critical secondary defense: it limits what an attacker can do with a stolen password, although phishing-resistant factors (FIDO2/passkeys) are preferable because a real-time proxy phish can relay one-time codes. Security teams should search DNS, proxy and firewall logs for lookups of or connections to at-kra37.cc and its subdomains, and block the domain at the resolver or proxy. 188.114.97.3 is shared Cloudflare edge infrastructure, so blocking that address would disrupt unrelated legitimate sites and should not be the only control; treat the IP as context, not as the blocking indicator. Suspicious domains should be reported to the registrar and to cybersecurity organizations to support early takedown.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-01-23 21:00:42
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.97.3 (Cloudflare edge address; origin host not exposed)

## Detection Status

- VirusTotal: 14 of 95 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/6e222978-d655-49db-bdce-7ff328d8ed4a
- PhishDestroy: https://phishdestroy.io/domain/at-kra37.cc/
- LLM endpoint: https://phishdestroy.io/domain/at-kra37.cc/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered, and change them on any other account where the same password is reused
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/at-kra37.cc/
Last updated: 2026-03-26