# bitrootsystem.top — SUSPICIOUS

> bitrootsystem.top poses as a legitimate service to harvest credentials. Flagged by 2 of 95 VirusTotal vendors; users must avoid interaction and report.

## Summary

PhishDestroy identifies bitrootsystem.top as an active credential harvesting domain engineered to mimic legitimate software or service providers. The name is styled as a system utility ('bitrootsystem'), so the most likely lure is impersonation aimed at enterprise or technical users. No known drainer-kit signatures were detected during initial sandbox analysis. The site does present a Let's Encrypt TLS certificate; such certificates are free and issued automatically, so the browser padlock says nothing about the site's legitimacy, and the encrypted session defeats perimeter controls that inspect only plaintext HTTP unless they perform TLS interception.

Technical indicators support an elevated rating. VirusTotal reports 2 of 95 vendors flagging the domain: a low count, but a non-zero one from reputable engines, and a domain this young is normally under-represented in reputation feeds. The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED on 2026-03-22, two days before this report; a newly registered domain is a classic phishing indicator and is consistent with bulk registration during a surge of fraudulent infrastructure deployment. It resolves to 104.21.88.209, a Cloudflare anycast address, which hides the origin server and complicates takedown. Google Safe Browsing (GSB) has not flagged the domain and public blocklist queries return zero hits across major threat intelligence platforms, which underscores how little coverage this campaign has so far. PhishDestroy lists the domain as active, with no takedown or remediation observed, although the HTTP status of the site itself was not captured at the time of this report (see Threat Details).

PhishDestroy recommends blocking bitrootsystem.top immediately at the DNS layer (sinkhole or response policy zone). Note that 104.21.88.209 is a shared Cloudflare address that also fronts unrelated sites, so a firewall rule on that IP alone will cause collateral blocking; where IP-based rules are used, pair them with the domain or the TLS SNI so that only this host is affected.
Users and organizations are advised to audit DNS logs for recent resolutions of this domain and its subdomains, inspect outbound HTTPS traffic to 104.21.88.209, and review proxy and endpoint logs for TLS handshakes whose SNI is bitrootsystem.top or a subdomain of it. The current risk level is elevated because the domain is active and vendor detection is low; the recent registration and the Cloudflare front suggest the infrastructure may persist for some time. Continuous monitoring for derivative domains (lookalike names registered through NICENIC on or after 2026-03-22) is strongly advised to preempt follow-on campaigns.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP status not captured)

## Domain Intelligence

- Registered: 2026-03-22 13:53:04
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.88.209 (Cloudflare)

## Detection Status

- VirusTotal: 2 of 95 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/17f70c85-c37c-4680-b346-858e117c012b
- PhishDestroy: https://phishdestroy.io/domain/bitrootsystem.top/
- LLM endpoint: https://phishdestroy.io/domain/bitrootsystem.top/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered, and anywhere else the same password is reused
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/bitrootsystem.top/
Last updated: 2026-03-24
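As an added illustration of the log audit this advisory recommends (example code written for this page, not PhishDestroy's own tooling), the Python script below tokenizes free-form DNS, Zeek-style TLS and firewall log lines, flags the IOC domain and any subdomain of it, flags occurrences of 104.21.88.209 for review, and emits Unbound and RPZ sinkhole rules for the domain. The log lines are constructed for the demo; the derivative-domain watch rule (keyword `bitrootsystem` in the second-level label) and its single-label-TLD assumption are mine, not indicators the advisory lists.

```python
"""
Hunt DNS, TLS and firewall logs for the bitrootsystem.top indicators and
emit DNS-sinkhole rules. Added example; not PhishDestroy's tooling.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the advisory.
IOC_DOMAIN = "bitrootsystem.top"
IOC_IP = "104.21.88.209"          # shared Cloudflare anycast address
# Watch-list keyword for derivative registrations (e.g. bitrootsystem.xyz).
# Assumption for illustration; the advisory lists no derivative domains.
DERIVATIVE_KEYWORD = "bitrootsystem"

# Constructed sample log lines (dnsmasq, Zeek ssl.log style, firewall).
SAMPLE_LOG = """\
2026-03-23T09:14:02Z dnsmasq[412]: query[A] bitrootsystem.top from 10.0.0.5
2026-03-23T09:14:02Z dnsmasq[412]: reply bitrootsystem.top is 104.21.88.209
2026-03-23T09:14:05Z zeek ssl: id.orig_h=10.0.0.5 id.resp_h=104.21.88.209 server_name=login.bitrootsystem.top
2026-03-23T09:20:11Z dnsmasq[412]: query[A] example.com from 10.0.0.7
2026-03-23T09:31:44Z fw: action=allow src=10.0.0.9 dst=104.21.88.209 dport=443
2026-03-23T10:02:30Z dnsmasq[412]: query[A] bitrootsystem.xyz from 10.0.0.5
"""


@dataclass
class Hit:
    line_no: int
    kind: str       # "domain", "derivative" or "ip"
    value: str
    raw: str


_TOKEN_SPLIT = re.compile(r"[\s=,;\"'\[\]()<>]+")


def _tokens(line: str):
    """Split a free-form log line into candidate hostname / IP tokens."""
    for tok in _TOKEN_SPLIT.split(line):
        tok = tok.strip(".:")
        if tok:
            yield tok


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
    except ValueError:
        return False
    return True


def domain_matches(name: str, ioc: str = IOC_DOMAIN) -> bool:
    """True for the IOC domain or any subdomain; case-insensitive, trailing dot tolerated."""
    name = name.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)


def is_derivative(name: str) -> bool:
    """Lookalike check: keyword in the registrable label (naive: assumes a single-label TLD)."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and DERIVATIVE_KEYWORD in labels[-2] and not domain_matches(name)


def hunt(log_text: str) -> list[Hit]:
    """Return every IOC sighting in the log, one Hit per matching token."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for tok in _tokens(line):
            if _is_ipv4(tok):
                if tok == IOC_IP:
                    hits.append(Hit(n, "ip", tok, line))   # review, do not auto-block
            elif domain_matches(tok):
                hits.append(Hit(n, "domain", tok, line))
            elif is_derivative(tok):
                hits.append(Hit(n, "derivative", tok, line))
    return hits


def sinkhole_rules(domain: str = IOC_DOMAIN) -> list[str]:
    """DNS-layer block for the domain and all subdomains: an Unbound local-zone
    line and the equivalent RPZ records. The Cloudflare IP is deliberately not
    turned into a firewall rule because it is shared with unrelated sites."""
    return [
        f'local-zone: "{domain}." always_nxdomain',   # Unbound
        f"{domain} CNAME .",                          # RPZ: answer NXDOMAIN
        f"*.{domain} CNAME .",
    ]


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind:<10} {h.value}")
    print("\n".join(sinkhole_rules()))
```

Run it against exported resolver, proxy or Zeek logs in place of `SAMPLE_LOG`; `ip` hits are reported for analyst review rather than converted into a block rule, since traffic to a Cloudflare anycast address is only suspicious in combination with the domain or SNI.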