# PhishDestroy threat dossier — getpengu.link ================================================================ Fetched: 2026-07-07 15:24:40 UTC Canonical: https://phishdestroy.io/domain/getpengu.link/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Targeted brand: Google Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, Kaspersky, Netcraft, Sophos, Webroot Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 64.239.123.65 (US, Walnut) ASN: AS16509 Amazon.com, Inc. Hosting org: Vercel, Inc Registrar: Global Domain Group LLC Nameservers: ns1.vercel-dns.com, ns2.vercel-dns.com Registered: 2026-07-06 Expires: 2027-07-06 Page title: Google HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-07 13:39:57 UTC (by PhishDestroy tracker) Last verified: 2026-07-07 16:25:20 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3c5f-4091-753d-9821-9e9714e3cb45/ Wayback Machine: https://web.archive.org/web/*/getpengu.link crt.sh CT logs: https://crt.sh/?q=%25.getpengu.link Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=getpengu.link AlienVault OTX: https://otx.alienvault.com/indicator/domain/getpengu.link URLhaus: https://urlhaus.abuse.ch/host/getpengu.link/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 13:45:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, getpengu.link, is flagged as an active brand impersonation threat designed to deceive users by mimicking Google's legitimate interface. The site presents itself as an official Google page, complete with the company's branding and page title, to trick visitors into divulging sensitive information or interacting with malicious content. Such impersonation tactics are commonly used to facilitate credential theft, unauthorized account access, or the distribution of malware under the guise of a trusted service. Analysis indicates that getpengu.link is registered through Global Domain Group LLC and was created on July 06, 2026, a future date that suggests potential domain spoofing or incorrect registration data. The domain resolves to the IP address 64.239.123.65 and is currently detected by 9 out of 95 security vendors on VirusTotal, a relatively low detection rate that may indicate evasion techniques or recent deployment. The site employs technologies such as Google Web Server, HSTS, and HTTP/3, alongside a Let's Encrypt SSL certificate, which are often leveraged to appear legitimate and bypass initial security filters. Users who have visited getpengu.link should take immediate action to mitigate potential risks. First, avoid entering any credentials or personal information on the site. If any login details were submitted, change passwords for Google accounts and any other services where the same credentials may have been reused. Run a full system scan using updated security software to detect and remove any potential malware. Additionally, monitor accounts for unauthorized activity and enable multi-factor authentication where possible. Organizations should consider blocking the domain and its associated IP address (64.239.123.65) at the network level to prevent further exposure. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/getpengu.link/ JSON API: https://api.destroy.tools/v1/check?domain=getpengu.link Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,813 domains (12,767 alive under monitoring, 162,081 confirmed takedowns/dead). Site: https://phishdestroy.io