# PhishDestroy threat dossier — filebashupload.pages.dev ================================================================ Fetched: 2026-07-07 15:22:28 UTC Canonical: https://phishdestroy.io/domain/filebashupload.pages.dev/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 68/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 12/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, ESET, Emsisoft, Fortinet, G-Data, Lionic, Netcraft, Sophos, Webroot Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.66.44.101 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Cloudflare, Inc. Nameservers: chloe.ns.cloudflare.com, colin.ns.cloudflare.com HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-09-20 Status: INVALID chain Fingerprint: 00adb285d309bd50bba71ed4b6a2e4e9ffbea9113f376d357c82e1af09758daa ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-07 14:17:21 UTC (by PhishDestroy tracker) Last verified: 2026-07-07 16:25:18 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3c81-a684-773d-9d45-2fe1a8cb3bbd/ Wayback Machine: https://web.archive.org/web/*/filebashupload.pages.dev crt.sh CT logs: https://crt.sh/?q=%25.filebashupload.pages.dev Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=filebashupload.pages.dev AlienVault OTX: https://otx.alienvault.com/indicator/domain/filebashupload.pages.dev URLhaus: https://urlhaus.abuse.ch/host/filebashupload.pages.dev/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 14:55:34 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, filebashupload.pages.dev, is an active phishing site designed to steal user credentials and sensitive information. Visitors may encounter fake login forms, document upload prompts, or other deceptive interfaces mimicking legitimate services. The site is engineered to capture usernames, passwords, and personal data, which can then be exploited for unauthorized access, financial fraud, or identity theft. Given its current operational status, users should exercise extreme caution to avoid falling victim to this threat. Analysis indicates that filebashupload.pages.dev is flagged by 12 out of 95 security vendors on VirusTotal, confirming its malicious nature. The domain is registered through Cloudflare, Inc., and utilizes infrastructure associated with Cloudflare Pages, a platform often leveraged for rapid deployment of phishing sites. The SSL certificate is issued by Google Trust Services, which, while legitimate, is frequently abused by threat actors to lend credibility to fraudulent domains. The site resolves to the IP address 172.66.44.101 and employs technologies such as HSTS and HTTP/3, which are commonly used to enhance security but are also adopted by attackers to evade detection and improve site performance. If you have visited filebashupload.pages.dev, immediate action is required to mitigate potential risks. First, cease all interaction with the site and do not enter any credentials or personal information. If you have already submitted login details, change the passwords for all affected accounts immediately, prioritizing email, financial, and work-related services. Enable multi-factor authentication where possible to add an additional layer of security. Monitor your accounts for suspicious activity, such as unauthorized logins or transactions, and report any anomalies to the respective service providers. Additionally, consider running a full scan of your device using up-to-date security software to detect and remove any malware that may have been installed. Finally, report the domain to relevant authorities or security organizations to aid in takedown efforts and protect other potential victims. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: b8a0bf372c762e966cc99ede8682bc71 TLS cert SHA-256: 00adb285d309bd50bba71ed4b6a2e4e9ffbea9113f376d357c82e1af09758daa ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/filebashupload.pages.dev/ JSON API: https://api.destroy.tools/v1/check?domain=filebashupload.pages.dev Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,813 domains (12,767 alive under monitoring, 162,081 confirmed takedowns/dead). Site: https://phishdestroy.io