# at-kra45.cc — MALICIOUS

> PhishDestroy identifies at-kra45.cc as an active PayPal credential-harvesting drainer. VirusTotal flags 7/95 vendors. Check the full report.

## Summary

PhishDestroy identifies the domain at-kra45.cc as an active PayPal credential-harvesting drainer kit. The domain was created on September 17, 2025, and resolves to IP 188.114.96.3. Registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, it leverages a Google Trust Services SSL certificate to appear legitimate while targeting unsuspecting users with PayPal-themed lures. The drainer kit is designed to harvest login credentials and session tokens, posing a significant risk to victims' financial and personal data.

This domain was flagged by 7 out of 95 security vendors on VirusTotal, indicating elevated risk. The registrar, NICENIC INTERNATIONAL GROUP CO., LIMITED, is known for hosting malicious infrastructure, while the Google Trust Services SSL certificate adds a false sense of security. The domain was created on September 17, 2025, and currently remains active. Given its recent creation and the presence of a legitimate SSL certificate, users may unknowingly fall victim to this threat. Immediate action is required to mitigate further exposure.

The current status of at-kra45.cc is active, with no immediate signs of takedown. PhishDestroy advises users to avoid interacting with this domain and to report any suspicious activity. Organizations should block the domain at the network level and update their threat intelligence feeds. Remaining risk is elevated due to the domain's recent creation and the use of a legitimate SSL certificate, which can deceive both users and automated security tools. Continuous monitoring and proactive threat hunting are recommended to prevent further exploitation.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-09-17 17:48:49
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 7 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/d2bd74de-06a7-4e3f-af3a-9d1e6e30dc22
- PhishDestroy: https://phishdestroy.io/domain/at-kra45.cc/
- LLM endpoint: https://phishdestroy.io/domain/at-kra45.cc/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/at-kra45.cc/

Last updated: 2026-03-26