# dfams.top — SUSPICIOUS

> PhishDestroy warns of dfams.top: a newly registered (April 05, 2026) invoice scam site with 0/95 VirusTotal detections now pushing malicious PDFs to steal.

## Summary
PhishDestroy identifies dfams.top as an active invoice phishing domain designed to deceive users into downloading malicious PDF attachments or entering sensitive data under the guise of invoice-related services. This domain was flagged by security researchers after suspicious email campaigns began circulating under seed 5115f2. The operation leverages urgency and trust in billing communications to bypass basic scrutiny, making it particularly dangerous for small and medium-sized businesses that frequently process invoices.  This domain was registered on April 05, 2026, through NICENIC INTERNATIONAL GROUP CO., LIMITED, and currently resolves to IP address 188.114.96.3. It utilizes a valid Let's Encrypt SSL certificate to appear legitimate and remains undetected by 0 out of 95 VirusTotal security engines as of the latest analysis. The combination of recent domain age, low detection rate, and suspicious infrastructure places organizations and individuals at heightened risk of credential theft or malware delivery.  Users who visited dfams.top or received suspicious invoices from this domain should immediately disconnect from the internet if any downloads or data entry occurred. Scan all devices with updated antivirus software and review recent financial transactions for unauthorized activity. Report the domain to your email provider and consider blocking 188.114.96.3 at the network level. If credentials were entered, change passwords immediately and enable multi-factor authentication where available. This advisory will be updated as new intelligence emerges under seed 5115f2.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registered: 2026-04-05 01:44:38
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.96.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/domains/dfams.top
- PhishDestroy: https://phishdestroy.io/domain/dfams.top/
- LLM endpoint: https://phishdestroy.io/domain/dfams.top/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/dfams.top/
Last updated: 2026-04-07