# PhishDestroy threat dossier — centralvipnu.online
================================================================
Fetched: 2026-07-04 17:12:31 UTC
Canonical: https://phishdestroy.io/domain/centralvipnu.online/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 84/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)
Note: 666 is not an IANA-registered HTTP status code (the registry covers 100-599); a custom code handed only to crawler-like clients is itself a scanner-fingerprinting tell.

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 13/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, G-Data, Gridinsoft, Kaspersky, LevelBlue, OpenPhish, SOCRadar, Sophos
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 69.49.241.79 (BR, Vinhedo)
Hosting org: AS31898 Oracle Corporation
Registrar: NicNames, Inc
Nameservers: ns10.uadns.com, ns11.uadns.com, ns12.uadns.com
Registered: 2026-06-25
Expires: 2027-06-25
HTTP response: 406

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports have been filed yet; this domain is waiting for the next cycle of our automated abuse-reporter, so there is no registrar response to record at this time.
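The content_divergence check behind the cloaking verdict above is simple to reproduce: request the same URL once as a crawler and once as a browser and compare what comes back. The script below is an added example, not PhishDestroy's own code; the User-Agent strings, the whitespace-normalised body hash and the offline stand-in fetcher (which replays the 666-to-scanner behaviour this dossier reports, not a captured response) are all assumptions made for the illustration.

```python
"""Content-divergence cloaking probe (added example, not PhishDestroy's code).

Requests the same URL as a crawler-style client and as a browser and reports
whether status or body differ. Names, UAs and the offline fetcher are assumed
for illustration.
"""
from dataclasses import dataclass
import hashlib
import urllib.error
import urllib.request

# Assumed identities: a crawler-style UA (what many scanners send) and a
# mainstream browser UA. Real cloakers may also key on source IP/ASN.
SCANNER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


@dataclass(frozen=True)
class Probe:
    status: int
    body: bytes


@dataclass(frozen=True)
class Verdict:
    cloaked: bool
    kind: str          # "content_divergence" or "none"
    reason: str


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> Probe:
    """Live fetcher (urllib). Non-2xx statuses arrive as HTTPError, which still
    carries the code and body, so a custom 666 is captured rather than lost."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent,
                                               "Accept": "text/html,*/*"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.read())


def body_fingerprint(body: bytes) -> str:
    """Hash after collapsing whitespace so cosmetic differences do not trip the check."""
    return hashlib.sha256(b" ".join(body.split())).hexdigest()


def is_standard_status(status: int) -> bool:
    """IANA-registered HTTP status codes live in 100..599; anything else is a
    custom code and a scanner-fingerprinting tell in its own right."""
    return 100 <= status <= 599


def classify(scanner: Probe, browser: Probe) -> Verdict:
    """Status mismatch or (normalised) body mismatch => content divergence."""
    if scanner.status != browser.status:
        note = "" if is_standard_status(scanner.status) else " (non-standard code)"
        return Verdict(True, "content_divergence",
                       f"HTTP {scanner.status}{note} to scanner vs HTTP {browser.status} to browser")
    if body_fingerprint(scanner.body) != body_fingerprint(browser.body):
        return Verdict(True, "content_divergence",
                       f"both HTTP {scanner.status} but bodies differ")
    return Verdict(False, "none", "identical status and body for both agents")


def check_domain(domain: str, fetcher=fetch) -> Verdict:
    """Probe https://<domain>/ with both identities and classify the pair."""
    url = f"https://{domain}/"
    return classify(fetcher(url, SCANNER_UA), fetcher(url, BROWSER_UA))


def constructed_fetcher(url: str, user_agent: str, timeout: float = 10.0) -> Probe:
    """Offline stand-in replaying the behaviour this dossier reports (constructed,
    not a captured response): HTTP 666 to crawler UAs, a login form to browsers."""
    if "bot" in user_agent.lower():
        return Probe(666, b"")
    return Probe(200, b"<html><body><form method=post action=/login.php>"
                      b"<input name=user><input type=password name=pass>"
                      b"</form></body></html>")


if __name__ == "__main__":
    # Swap constructed_fetcher for fetch to probe a live host.
    print(check_domain("centralvipnu.online", fetcher=constructed_fetcher))
```

A User-Agent-only probe is the weakest form of this check: operators also gate on source IP or ASN reputation, header order, TLS fingerprint and whether JavaScript executes, which is why the methodology below also speaks of a rendering delta between a bot and a real visitor (that needs a headless browser). A "none" verdict from this script therefore does not clear a domain; a divergence verdict is strong evidence on its own.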
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-02 15:17:15 UTC (by PhishDestroy tracker)
Last verified: 2026-07-04 16:20:36 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f22f8-9bcb-714c-bde4-e86101d9c48f/
Wayback Machine: https://web.archive.org/web/*/centralvipnu.online
crt.sh CT logs: https://crt.sh/?q=%25.centralvipnu.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=centralvipnu.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/centralvipnu.online
URLhaus: https://urlhaus.abuse.ch/host/centralvipnu.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-02 16:16:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain centralvipnu.online is classified as a credential-theft threat. Registered on June 25, 2026, it exhibits characteristics typical of phishing campaigns that harvest sensitive user information. No specific brand impersonation has been identified, which points to broad, untargeted credential harvesting rather than a single-brand lure. No known wallet-drainer kit has been fingerprinted at this time, but the site's structure supports credential harvesting. At generation time VirusTotal reported 13 of 95 vendors flagging the domain (the DETECTION EVIDENCE section above, which is authoritative, records 13/91), a significant level of concern for a domain that was one week old.
The domain is registered through NicNames, Inc and resolves to 69.49.241.79. It is active and, when this narrative was generated, had not been flagged by Google Safe Browsing and had not appeared on major blocklists (DETECTION EVIDENCE above now shows one listing). Absence from those feeds reflects a coverage gap in third-party monitoring, not evidence that the domain is benign; see the note under SCORING METHODOLOGY on low detection counts for young domains. Because the domain remains active, users who reach it through unsolicited messages are at ongoing risk. Recommended mitigations: block the domain at DNS filters and web proxies, brief users on unsolicited links that lead to login pages, and prefer phishing-resistant multi-factor authentication (FIDO2/WebAuthn) over one-time codes, which a credential-harvesting page can relay to the real service in real time. Keep monitoring the domain and its IP address for changes in the threat profile.

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/centralvipnu.online/
JSON API: https://api.destroy.tools/v1/check?domain=centralvipnu.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,666 domains (12,655 alive under monitoring, 161,167 confirmed takedowns/dead). Site: https://phishdestroy.io