# enus-user.ghost.io — MALICIOUS

> PhishDestroy identifies enus-user.ghost.io as an active generic phishing domain hosting a credential-stealing drainer kit.

## Summary

PhishDestroy analyzed enus-user.ghost.io and confirmed it as an active generic phishing domain designed to harvest user credentials and sensitive data through a malicious drainer kit. The domain does not impersonate a specific brand but instead uses a generic subdomain structure to appear legitimate at first glance. While the domain leverages the ghost.io platform, the payload is not native to the service, indicating an abuse of the hosting environment for malicious purposes. The threat actor behind this domain likely employs social engineering tactics, such as fake login prompts or fake update notifications, to trick users into submitting their credentials or financial information directly into the attacker’s hands.

This domain resolves to IP 151.101.3.7 and was registered through 1API GmbH. The domain was created on October 1, 2011, and currently holds a VirusTotal detection score of 11/95 security vendors. It is flagged as malicious by one security blocklist and is also identified as unsafe by the Google Safe Browsing (GSB) service. The presence of a Let’s Encrypt SSL certificate suggests the threat actor is attempting to establish trust through HTTPS, a common tactic to evade browser warnings and increase the likelihood of successful credential theft. The combination of an outdated domain, low VT detection rate, and GSB block status indicates this domain has been active in malicious operations for an extended period with intermittent evasion of detection systems.

As of the latest assessment, enus-user.ghost.io remains active and poses an elevated risk to users who interact with it. PhishDestroy recommends immediate avoidance of this domain and any associated links or communications. Users who have recently entered credentials on this site should change their passwords immediately and monitor accounts for suspicious activity. The continued operation of this domain despite its detection history highlights the need for users to remain vigilant and rely on updated security tools to block access to malicious infrastructure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2011-10-01 23:06:09
- Registrar: 1API GmbH
- IP: 151.101.3.7

## Detection Status

- VirusTotal: 11 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hits
  Lists: ["OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/88522047-e64b-49bf-b770-0706d3971f14
- PhishDestroy: https://phishdestroy.io/domain/enus-user.ghost.io/
- LLM endpoint: https://phishdestroy.io/domain/enus-user.ghost.io/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/enus-user.ghost.io/
Last updated: 2026-03-23