# PhishDestroy threat dossier — cloaked.gg ================================================================ Fetched: 2026-07-12 16:22:52 UTC Canonical: https://phishdestroy.io/domain/cloaked.gg/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 66/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 6/95 security vendors flagged this domain Flagging vendors: alphaMountain.ai, CRDF, Fortinet, Gridinsoft, Seclookup, SOCRadar AlienVault OTX: 5 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.26.14.96 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Gandi SAS (http://www.gandi.net) Nameservers: etienne.ns.cloudflare.com, frida.ns.cloudflare.com Registered: 2025-07-23 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-10-10 Status: INVALID chain Fingerprint: d371b801ca79f558f9c8a3f3883f81c7fc217af2904d8be358297eba2e60b9e2 Subject Alternative Names (related infrastructure — often same operator): - api.cloaked.gg ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-07-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 14:30:34 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 18:20:25 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f564e-6a04-705a-9e84-f475285ac7aa/ Wayback Machine: https://web.archive.org/web/*/cloaked.gg crt.sh CT logs: https://crt.sh/?q=%25.cloaked.gg Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=cloaked.gg AlienVault OTX: https://otx.alienvault.com/indicator/domain/cloaked.gg URLhaus: https://urlhaus.abuse.ch/host/cloaked.gg/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:17:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, cloaked.gg, is currently flagged as a high-risk phishing endpoint by multiple threat intelligence sources. Analysis indicates the domain was registered on July 23, 2025, through Gandi SAS and is actively resolving to the IP address 104.26.14.96, hosted behind Cloudflare infrastructure in Canada. The domain is listed on one security blocklist and has been identified in five distinct threat intelligence pulses on AlienVault OTX, suggesting recurring malicious activity. VirusTotal reports that six out of ninety-five security vendors have flagged the domain as malicious, though the specific nature of the threat remains unverified through automated scanning alone. Infrastructure analysis reveals the use of Cloudflare nameservers (etienne.ns.cloudflare.com and frida.ns.cloudflare.com) and the implementation of HTTP/3 and HSTS, which may be leveraged to obfuscate malicious traffic or enhance the perceived legitimacy of the site. The SSL certificate is issued by Google Trust Services under the identifier WE1, a common configuration for both legitimate and malicious domains. While the domain’s registration recency and Cloudflare proxying are consistent with phishing campaigns, the exact payload or targeted brand remains unclear. No definitive evidence links this domain to a specific phishing kit or known threat actor group at this time. Defenders should treat this domain as an active threat, particularly in environments where credential harvesting or social engineering risks are elevated. Network-level blocking of 104.26.14.96 and associated domain resolutions is recommended, alongside monitoring for any outbound connections to cloaked.gg. Given the domain’s recent registration and persistent malicious classifications, further investigation into endpoint logs for signs of user interaction with this domain is advised. The lack of widespread detection across all security vendors does not diminish the risk, as phishing domains often evade automated detection during early deployment phases. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: db350783bf5142291d2f5102c7f9c77f TLS cert SHA-256: d371b801ca79f558f9c8a3f3883f81c7fc217af2904d8be358297eba2e60b9e2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/cloaked.gg/ JSON API: https://api.destroy.tools/v1/check?domain=cloaked.gg Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,800 domains (49,496 alive under monitoring, 128,230 confirmed takedowns/dead). Site: https://phishdestroy.io