# helder-invexa.com — SUSPICIOUS

> helder-invexa.com is a recently created domain (Nov 17, 2025) hosting a generic phishing page. Savvy users should avoid interaction, as it resolves to 91.236.

## Summary

PhishDestroy identifies helder-invexa.com as a freshly minted phishing domain deployed within the last 48 hours. The site masquerades as a generic invoice or payment portal, leveraging a recently registered domain to evade detection. No specific brand impersonation or drainer kit fingerprint has been confirmed at this stage, suggesting an opportunistic campaign rather than a targeted operation. The domain’s purpose appears aligned with credential harvesting or payment redirection, evidenced by its rapid creation and minimal infrastructure footprint. Given the absence of prior reputation data, vigilance is advised until further behavioral analysis is complete.

The domain was registered through NETIM on November 17, 2025, and immediately resolved to the IP address 91.236.116.172. At the time of analysis, VirusTotal reported zero detections (0/95 engines), while the SSL certificate issued by Let’s Encrypt provided a veneer of legitimacy. Google Safe Browsing (GSB) has not yet blacklisted the domain, and public blocklists show no current entries. The domain’s age (0 days) and clean SSL history contribute to its low initial detection rate, underscoring the need for proactive blocking strategies. Network defenders should flag this IP and domain pair immediately to prevent initial access or exfiltration attempts.

This domain remains in an active but under-investigation status, with no confirmed campaigns or victims reported as of this advisory. Immediate containment actions include adding helder-invexa.com and 91.236.116.172 to DNS sinkholes, firewall rules, and proxy denylists. SOC teams are advised to monitor for outbound connections to this IP, particularly HTTP POST requests to /login or /submit endpoints. The residual risk remains MODERATE due to the domain’s potential for rapid reputation escalation or rapid pivoting to other malicious activities. Users should treat any unsolicited invoices or payment prompts from this domain with extreme caution and report incidents to their security teams for further forensic triage.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-11-17 21:45:52
- Registrar: NETIM
- IP: 91.236.116.172

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/a71466ee-7fc6-4a9f-bfa4-2a2a8c7b42c0
- PhishDestroy: https://phishdestroy.io/domain/helder-invexa.com/
- LLM endpoint: https://phishdestroy.io/domain/helder-invexa.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/helder-invexa.com/

Last updated: 2026-03-23