# PhishDestroy threat dossier — globuse-capital.org
================================================================
Fetched: 2026-07-01 22:08:19 UTC
Canonical: https://phishdestroy.io/domain/globuse-capital.org/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6). HTTP 666 lies outside the 100–599 range that RFC 9110 defines for status codes, so it cannot be a misconfiguration: it is a deliberate, non-standard response chosen for automated clients.

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 6/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, CRDF, Fortinet, Gridinsoft, SOCRadar, VIPRE
AlienVault OTX: 4 pulses (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 163.61.188.2 (US, Staten Island)
ASN: AS153568 NEW DHAKA HARDWARE
Hosting org: MIT
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence.
Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
- https://phishdestroy.io/namesilo-killed-our-twitter
- https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers:
- dns2.lytehosting.com
- dns1.lytehosting.com
- dns3.lytehosting.com
- dns4.lytehosting.com
Registered: 2026-06-07
Expires: 2027-06-03
Page title: Home - Globus E-Capital Banking

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR1
Expires: 2026-09-02
Status: INVALID chain
Fingerprint (SHA-256): 34c2b6a7353a9b36149a7d1e14405ca22866ab7127fbb91cf34000f52623fa11
Subject Alternative Names (related infrastructure — often same operator; the apex globuse-capital.icu is the useful pivot):
- globuse-capital.org.globuse-capital.icu
- www.globuse-capital.org.globuse-capital.icu

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-08 14:45:36 UTC (by PhishDestroy tracker)
First reported: 2026-06-07 11:24:32 UTC (abuse notice filed)
Last verified: 2026-07-01 20:20:36 UTC
Neutralised: 2026-06-15 00:51:13 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 02:02:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, globuse-capital.org, is identified as phishing infrastructure impersonating Globus E-Capital Banking, a financial services entity.
Analysis of the page title, 'Home - Globus E-Capital Banking', confirms the intent to deceive users into believing the site is a legitimate banking portal. The threat type aligns with credential harvesting, most likely targeting online-banking login credentials and other sensitive financial information. No direct evidence of a crypto-drainer kit was observed; the modern front-end stack appears chosen to mimic a professional banking interface and lend the site credibility.

Infrastructure analysis reveals the following technical indicators: the domain resolves to 163.61.188.2 and was registered on 2026-06-07 through NameSilo, LLC. It is currently flagged by 6 of 91 security vendors on VirusTotal, a moderate level of detection; it appears on one public blocklist and has been referenced in four AlienVault OTX threat-intelligence pulses. The TLS certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites because issuance is free and automated. Technologies detected on the site include Tailwind CSS, LiteSpeed, Alpine.js, Smartsupp (live chat), jsDelivr, and HTTP/3; these are consistent with modern web development practice and do not by themselves indicate malicious intent.

As of this narrative's generation, globuse-capital.org had been taken offline, reducing immediate risk to potential victims; see TIMELINE for the current status. The domain remains a concern because of its recent registration and its association with known phishing tactics. The registrar, NameSilo, LLC, has previously been linked to domains involved in fraudulent activity, though no direct attribution is confirmed.

Users who may have interacted with this domain should monitor financial accounts for unauthorized activity and reset credentials for any service whose password was entered during the exposure window. Organizations should block the domain together with the related names listed under TLS CERTIFICATE; add the IP address only after confirming it is not shared hosting, since blocking a shared address also cuts off unrelated sites.
## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 1010d75c8a3e25cbedc45641177f42a5 (pivot value: other hosts serving the same favicon are likely deployments of the same kit)
TLS cert SHA-256: 34c2b6a7353a9b36149a7d1e14405ca22866ab7127fbb91cf34000f52623fa11

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
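The two points above that matter in practice, cloaking that shows scanners something other than what victims get, and a verdict that does not hinge on VirusTotal alone, as an added example in Python. This is not PhishDestroy's code: the `Fetch` samples are constructed (not captured from globuse-capital.org), and `classify_cloaking`, `composite_score`, `verdict`, the `WEIGHTS` table and the block/review thresholds are this example's own assumptions, not the published methodology.

```python
"""Cloaking check and multi-signal verdict.

Added example for this dossier, not PhishDestroy's code. The fetch samples
are constructed and the scoring weights are assumptions made for illustration.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Fetch:
    """One fetch of the same URL with a given client profile ("scanner" or "browser")."""
    profile: str
    status: int
    body: str


# Constructed samples: what a scanner and a real browser might see for the same URL.
SCANNER_FETCH = Fetch("scanner", 666, "")
BROWSER_FETCH = Fetch(
    "browser",
    200,
    "<title>Home - Globus E-Capital Banking</title>"
    "<form action=/login method=post>"
    "<input name=user><input name=pass type=password></form>",
)


def is_standard_status(code: int) -> bool:
    """RFC 9110 defines status codes only in 100..599; anything else is custom."""
    return 100 <= code <= 599


def classify_cloaking(scanner: Fetch, browser: Fetch, min_similarity: float = 0.9) -> dict:
    """Compare the scanner's and the browser's view of the same URL.

    Cloaking is called when the browser received a 2xx page that the scanner
    did not get in the same form: a different (or non-standard) status code,
    or a 2xx body that barely resembles the browser's. The label
    "content_divergence" follows the dossier's own terminology.
    """
    reasons = []
    browser_ok = 200 <= browser.status < 300
    scanner_ok = 200 <= scanner.status < 300
    if not is_standard_status(scanner.status):
        reasons.append(f"scanner got non-standard HTTP {scanner.status}")
    if browser_ok and not scanner_ok:
        reasons.append(f"scanner status {scanner.status} vs browser {browser.status}")
    if browser_ok and scanner_ok:
        sim = SequenceMatcher(None, scanner.body, browser.body).ratio()
        if sim < min_similarity:
            reasons.append(f"body similarity {sim:.2f} below {min_similarity}")
    cloaked = browser_ok and bool(reasons)  # a dead site seen by both is not cloaking
    return {"cloaked": cloaked, "type": "content_divergence" if cloaked else None, "reasons": reasons}


# Assumed weights (not PhishDestroy's). Cloaking alone should outweigh a
# quiet VirusTotal, because new scam domains routinely sit at 0/N for weeks.
WEIGHTS = {"cloaking": 35, "per_blocklist": 15, "per_otx_pulse": 5,
           "per_vt_vendor": 3, "free_tls": 5, "registrar_flagged": 5}


def composite_score(vt_positives: int, blocklists: int, otx_pulses: int,
                    cloaked: bool, free_tls: bool, registrar_flagged: bool) -> int:
    """Aggregate the dossier's indicator families into a 0..100 score (caps per family)."""
    score = 0
    score += WEIGHTS["cloaking"] if cloaked else 0
    score += min(blocklists, 2) * WEIGHTS["per_blocklist"]
    score += min(otx_pulses, 4) * WEIGHTS["per_otx_pulse"]
    score += min(vt_positives, 10) * WEIGHTS["per_vt_vendor"]
    score += WEIGHTS["free_tls"] if free_tls else 0
    score += WEIGHTS["registrar_flagged"] if registrar_flagged else 0
    return min(score, 100)


def verdict(score: int) -> str:
    """Assumed thresholds: block at 50+, human review at 25+, otherwise keep monitoring."""
    if score >= 50:
        return "block"
    if score >= 25:
        return "review"
    return "monitor"


if __name__ == "__main__":
    cloak = classify_cloaking(SCANNER_FETCH, BROWSER_FETCH)
    print("cloaking:", cloak)
    # Indicator values as listed in this dossier's header.
    dossier = composite_score(vt_positives=6, blocklists=1, otx_pulses=4,
                              cloaked=cloak["cloaked"], free_tls=True, registrar_flagged=True)
    print("dossier score:", dossier, verdict(dossier))
    # Same cloaking, but a brand-new domain that VirusTotal has not caught yet.
    quiet = composite_score(vt_positives=0, blocklists=1, otx_pulses=0,
                            cloaked=True, free_tls=True, registrar_flagged=True)
    print("0/N VT but cloaked:", quiet, verdict(quiet))
```

The similarity threshold is deliberately high: a cloaked kit usually serves scanners a blank page, a parking page or a custom status code, so the scanner/browser bodies are nothing alike, while legitimate A/B variations or localisation stay well above 0.9. When running this against live hosts, fetch both profiles from the same egress IP within seconds of each other; otherwise geo-fencing or rate-limiting will produce false divergences.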
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/globuse-capital.org/
JSON API: https://api.destroy.tools/v1/check?domain=globuse-capital.org
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (13,386 alive under monitoring, 159,491 confirmed takedowns/dead).
Site: https://phishdestroy.io