# PhishDestroy threat dossier — campanyasoft.com
================================================================
Fetched: 2026-05-05 13:07:23 UTC
Canonical: https://phishdestroy.io/domain/campanyasoft.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 9/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, CRDF, Forcepoint ThreatSeeker, Fortinet, Lionic, Seclookup, Sophos, Webroot
URLQuery: 3 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 31.58.87.132 (US, Fremont)
ASN: AS56971 AS56971 Cloud Hosting org: Cloud Backbone Inc
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response.
Primary sources:
  https://phishdestroy.io/nicenic-real
  https://phishdestroy.io/nicenic-verdict

Nameservers: ns3.my-ndns.com, ns4.my-ndns.com
Registered: 2025-08-11
Page title: 服务器出现错误
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: hyshop.hanyue.xyz
Expires: 2041-03-20
Status: INVALID chain
Fingerprint: 965b3eb242710a10d6a9694f54e183b72a76ec5ecc08c0ea8af75cdd30a917e9

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-08-11 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-05 13:00:15 UTC (by PhishDestroy tracker)
First reported: 2026-05-05 10:01:28 UTC (abuse notice filed)
Last verified: 2026-05-05 15:17:40 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019df793-d225-71f8-b76b-add19f759c11/
URLQuery: https://urlquery.net/report/2b5d867a-bd1e-47e6-8f5e-7146dd233f1e
Wayback Machine: https://web.archive.org/web/*/campanyasoft.com
crt.sh CT logs: https://crt.sh/?q=%25.campanyasoft.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=campanyasoft.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/campanyasoft.com
URLhaus: https://urlhaus.abuse.ch/host/campanyasoft.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-05 13:01:25 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies campanyasoft.com as an active fraudulent software distribution website posing elevated phishing risks. This domain is currently categorized under generic phishing threats and remains unresolved, indicating active malicious operations targeting unsuspecting users seeking software downloads. The threat involves impersonation of legitimate software brands to distribute malicious payloads, potentially compromising user systems or stealing sensitive information. This domain was flagged by 9 of 95 VirusTotal security vendors, indicating significant malicious activity.
Registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, campanyasoft.com resolves to IP address 31.58.87.132 and has been blocked by Maltrail. The domain’s SSL certificate is associated with hyshop.hanyue.xyz, and it appears on 1 security blocklist. Created on August 11, 2025, this recently registered domain exhibits high-risk characteristics due to its combination of low trust scores, recent creation date, and multiple detection vectors.

Users are strongly advised to avoid accessing campanyasoft.com or downloading any files from the site. If accidental exposure occurs, disconnect from the internet, scan for malware using updated antivirus tools, and report the domain to cybersecurity platforms for further investigation. Organizations should consider blocking the domain and associated IP address at the network level to prevent further exploitation.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260505-A981D1
TLS cert SHA-256: 965b3eb242710a10d6a9694f54e183b72a76ec5ecc08c0ea8af75cdd30a917e9

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/campanyasoft.com/
JSON API: https://api.destroy.tools/v1/check?domain=campanyasoft.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,008 domains (61,917 alive under monitoring, 83,630 confirmed takedowns/dead).
Site: https://phishdestroy.io