# PhishDestroy threat dossier — hally.ws
================================================================

Fetched:   2026-06-30 09:00:02 UTC
Canonical: https://phishdestroy.io/domain/hally.ws/

## VERDICT
----------------------------------------------------------------
ACTIVE — previously flagged dead but abuse reports still being filed (likely resurrected or never truly dead)
Composite threat score: 92/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      8/91 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Certego, CRDF, G-Data, Gridinsoft, SOCRadar
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      109.120.156.136 (SE, Stockholm)
ASN:             AS210644 AEZA GROUP LLC
Hosting org:     Aeza International LTD
Registrar:       REGISTRAR_NOT_FOUND
Nameservers:     kira.ns.cloudflare.com, rocco.ns.cloudflare.com
Registered:      2026-05-01
Page title:      Hidesploits — Next Generation Script

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-07-29
Status:     INVALID chain
Fingerprint: 0c480332e165464a5d3dc67bdd1b3ed79a656b6b5a51fea252f4acab086c3b64
Subject Alternative Names (related infrastructure — often same operator):
  - www.hally.ws

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: REPORTS FILED AND IGNORED — REGISTRAR_NOT_FOUND did not act on these notifications.
        Domain was flagged dead on 2026-05-12 00:06:45 UTC but a fresh report was filed on
        2026-05-13 00:57:48 UTC — it is back or never truly suspended.
Reports filed:   1 independent abuse notifications
First report:    2026-05-13 00:57:48 UTC
Days since first notice: 48 — no registrar action, domain remains online
ICANN Compliance CC'd on at least one escalation — non-response is on record.
Methodology: follow-up reports are sent ONLY when a victim re-submitted a re-report
via our public form, our monitoring detected the domain resurfacing in SEO/feeds,
OR our live-checker confirmed the domain is still technically active and fraudulent.
Each report contains: VT verdict, URLScan snapshot, WHOIS, SSL metadata, IP/hosting
chain, impersonated-brand evidence, drainer/kit classification, screenshots, and a
cryptographic hash of the forensic PDF. ICANN RAA Sec. 3.18 applies.
Per-report timeline: https://phishdestroy.io/domain/hally.ws/#coordinated-suppression

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-05-01 21:56:51 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-05-01 18:57:34 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-06-30 08:20:34 UTC
Flagged dead:      2026-06-06 17:32:42 UTC (SUPERSEDED — fresh report filed after this date, see ABUSE-REPORT HISTORY)
Current status:    ACTIVE (flagged dead but resurrected — registrar did not act on fresh reports)

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019de4e4-463a-76e7-8b68-509b9b77fcbd/
URLQuery:         https://urlquery.net/report/1c847bfb-4071-4ccd-bba6-8502843fc74c
Wayback Machine:  https://web.archive.org/web/*/hally.ws
crt.sh CT logs:   https://crt.sh/?q=%25.hally.ws
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hally.ws
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/hally.ws
URLhaus:          https://urlhaus.abuse.ch/host/hally.ws/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 06:20:58 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain hally.ws presents an elevated risk of credential theft. Analysis of the domain reveals it was used to host a phishing page titled 'Hidesploits — Next Generation Script.' This page was designed to trick users into providing sensitive information, such as login credentials, which could then be used for unauthorized access or other malicious activities.

VirusTotal reports that 8 out of 95 security vendors have flagged hally.ws as malicious. The domain resolves to the IP address 109.120.156.136 and is currently offline. It appears on two security blocklists, specifically PhishDestroy and OISD. The domain's technologies include YouTube, React, and Nginx, which are commonly used in legitimate websites but can also be leveraged for phishing purposes. ScamAdviser provides a trust score of 26 out of 100, indicating a low level of trust, while Gridinsoft's trust score is 0 out of 100, suggesting the domain is highly suspicious. The registrar information and creation date are not provided, which can often be a red flag for phishing domains.

To mitigate the risk associated with hally.ws, users are advised to avoid clicking on any links or providing personal information on any page that appears to be hosted at this domain. Network administrators should update their DNS blocklists to include 109.120.156.136 and hally.ws to prevent access. Additionally, organizations should conduct regular security awareness training to educate employees about the signs of phishing attacks and the importance of verifying the legitimacy of websites before interacting with them.

[Updates since narrative was generated:]
  - WHOIS creation date: 2026-05-01
  - Public blocklists: now listed on 1 feed

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260501-8C4A2E
Favicon MD5:       c41988fff5849a4e31f4448e72365046
TLS cert SHA-256:      0c480332e165464a5d3dc67bdd1b3ed79a656b6b5a51fea252f4acab086c3b64

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/hally.ws/
JSON API:          https://api.destroy.tools/v1/check?domain=hally.ws
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,677 domains (13,093 alive under monitoring, 158,994 confirmed takedowns/dead). Site: https://phishdestroy.io