# PhishDestroy threat dossier — dhlfiles.edgeone.cool ================================================================ Fetched: 2026-07-14 14:31:03 UTC Canonical: https://phishdestroy.io/domain/dhlfiles.edgeone.cool/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 71/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: Abusix, BitDefender, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, Netcraft, Sophos, VIPRE, Webroot URLQuery: 2 detections Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 43.174.247.29 (SG, Singapore) ASN: AS139341 ACE Hosting org: ACE Registrar: DNSPod, Inc. Nameservers: NS_NOT_FOUND ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: DigiCert, Inc. / DigiCert Secure Site OV G2 TLS CN RSA4096 SHA256 2022 CA1 Expires: 2026-11-19 Status: INVALID chain Fingerprint: 76697d2b07379ceac288cb5a00e07094fa1de03556a2a0841a9bcf791157076b Subject Alternative Names (related infrastructure — often same operator): - edgeone.cool ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-14 14:19:31 UTC (by PhishDestroy tracker) First reported: 2026-07-14 13:01:49 UTC (abuse notice filed) Last verified: 2026-07-14 16:30:30 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f6090-6e55-75ef-b6d2-ccb02e909697/ URLQuery: https://urlquery.net/report/15a56dd2-9225-4c88-ab1f-1eb69ff002d0 Wayback Machine: https://web.archive.org/web/*/dhlfiles.edgeone.cool crt.sh CT logs: https://crt.sh/?q=%25.dhlfiles.edgeone.cool Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dhlfiles.edgeone.cool AlienVault OTX: https://otx.alienvault.com/indicator/domain/dhlfiles.edgeone.cool URLhaus: https://urlhaus.abuse.ch/host/dhlfiles.edgeone.cool/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-14 14:20:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain dhlfiles.edgeone.cool is currently classified as a high‑risk delivery_scam and remains active as of 14 July 2026. DNS resolution returns the IPv4 address 43.174.247.29, while the authoritative nameserver query fails (NS_NOT_FOUND), indicating a possible attempt to obscure hosting details. VirusTotal analysis shows that 14 of 91 security vendors have flagged the domain, providing modest corroboration of malicious intent. No additional intelligence such as hosting ASN, geographic location, or page content has been released, so the exact payload or victim‑interaction mechanisms are unconfirmed. Analysts infer that the domain is likely employed to impersonate DHL delivery communications, a common vector for credential‑stealing or payment‑fraud schemes. Defenders should block the domain at network perimeters, add the IP address to threat‑feed watchlists, and monitor DNS queries for related look‑alike domains. Continuous re‑scanning on multi‑engine platforms is advised to capture any escalation in detection counts, and any observed traffic should be logged for forensic correlation with potential victim reports. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260714-AFC700 TLS cert SHA-256: 76697d2b07379ceac288cb5a00e07094fa1de03556a2a0841a9bcf791157076b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/dhlfiles.edgeone.cool/ JSON API: https://api.destroy.tools/v1/check?domain=dhlfiles.edgeone.cool Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,567 domains (50,206 alive under monitoring, 128,361 confirmed takedowns/dead). Site: https://phishdestroy.io