# PhishDestroy threat dossier — bless.zanggu.net
================================================================

Fetched:   2026-05-01 17:04:14 UTC
Canonical: https://phishdestroy.io/domain/bless.zanggu.net/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 93/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/94 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, alphaMountain.ai, Fortinet, Gridinsoft, URLQuery
URLQuery:        4 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      45.140.205.214 (CH, Bern)
ASN:             AS215540 GLOBAL CONNECTIVITY SOLUTIONS LLP
Hosting org:     Global Connectivity Solutions LLP
Registrar:       Gname.com Pte. Ltd.
Nameservers:     watson.ns.cloudflare.com, zariyah.ns.cloudflare.com
Registered:      2014-05-06
Page title:      Bless Token â Ecosystem Allocation
HTTP response:   525

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-12
Status:     INVALID chain
Fingerprint: fa36c492be1af7ed896ed09e511c728fea22215a3e8db3fc8fde4dd54eac14f2
Subject Alternative Names (related infrastructure — often same operator):
  - zanggu.net

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2014-05-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-25 06:05:44 UTC (by PhishDestroy tracker)
First reported:    2026-04-25 03:06:19 UTC (abuse notice filed)
Last verified:     2026-05-01 17:55:06 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dc298-62d8-7749-91c6-40240c4a102e/
URLQuery:         https://urlquery.net/report/b435182c-8f69-4b68-a604-6e0cf3fd1a9e
Wayback Machine:  https://web.archive.org/web/*/bless.zanggu.net
crt.sh CT logs:   https://crt.sh/?q=%25.bless.zanggu.net
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bless.zanggu.net
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/bless.zanggu.net
URLhaus:          https://urlhaus.abuse.ch/host/bless.zanggu.net/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-25 06:06:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies bless.zanggu.net as an active crypto drainer posing as Bless Token’s ecosystem allocation page. The domain mimics legitimate crypto project branding to trick users into connecting wallets and approving malicious transactions. No specific drainer kit was detected in the payload, but the page structure closely mirrors known crypto-draining tactics involving fake token allocations and ecosystem overviews. Registrant details are obscured through Gname.com Pte. Ltd., a registrar frequently used for anonymity in fraudulent domains.

Technical indicators confirm elevated risk: VirusTotal reports 0/95 detections, indicating undetected malicious activity at time of scan. The domain resolves to IP 45.140.205.214 and uses a Let’s Encrypt SSL certificate to appear legitimate. Registered on May 06, 2014, it predates current operations, suggesting long-term infrastructure repurposing. Google Safe Browsing (GSB) status is unconfirmed, and the domain remains unlisted on major blocklists, increasing exposure to unsuspecting users.

The domain remains active and is currently serving a spoofed Bless Token page titled 'Bless Token — Ecosystem Allocation'. Immediate action is advised: flag the domain, avoid interaction, and report to security teams. While the immediate risk is high due to undetected status and active serving, proactive blocking is essential to prevent wallet drain incidents. Remaining risk includes continued operation and potential expansion into broader brand impersonation campaigns.

[Updates since narrative was generated:]
  - VirusTotal detections: now 5/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260425-48E7DD
Favicon MD5:       2cc41790ef81b3ad77d17412bd7697b9
TLS cert SHA-256:      fa36c492be1af7ed896ed09e511c728fea22215a3e8db3fc8fde4dd54eac14f2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/bless.zanggu.net/
JSON API:          https://api.destroy.tools/v1/check?domain=bless.zanggu.net
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io