# PhishDestroy threat dossier — icuwtzw.cloudaccess.host
================================================================

Fetched:   2026-05-20 10:09:03 UTC
Canonical: https://phishdestroy.io/domain/icuwtzw.cloudaccess.host/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 79/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      18/95 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Google Safebrowsing, Kaspersky, Lionic, Netcraft, OpenPhish, Sophos, VIPRE, Webroot
Public blocklists: listed on 1 independent blocklist
Google Safe Browsing: FLAGGED

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.37.86.66
Registrar:       eNom, LLC
Nameservers:     ns1.gridfast.net, ns2.gridfast.net
Registered:      2014-12-22
Page title:      Rechnung Apple-ID
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     PerfectSSL / PerfectSSL
Expires:    2026-10-01
Status:     INVALID chain
Fingerprint: 95b5529035b136f0cc570ea3d28005aef142cd78645ab5c2c5af2eab0dfa4636
Subject Alternative Names (related infrastructure — often same operator):
  - cloudaccess.host

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2014-12-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-05-20 10:16:57 UTC (by PhishDestroy tracker)
Last verified:     2026-05-20 13:00:08 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019e443d-072b-779c-bad5-4f74fec34547/
Wayback Machine:  https://web.archive.org/web/*/icuwtzw.cloudaccess.host
crt.sh CT logs:   https://crt.sh/?q=%25.icuwtzw.cloudaccess.host
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=icuwtzw.cloudaccess.host
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/icuwtzw.cloudaccess.host
URLhaus:          https://urlhaus.abuse.ch/host/icuwtzw.cloudaccess.host/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-20 10:17:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies icuwtzw.cloudaccess.host as a high-risk tech-support scam domain actively impersonating legitimate support services. This domain was flagged by 17 VirusTotal security vendors, placed on one blocklist, and blocked by OpenPhish. Traffic to this site begins with a DNS lookup that resolves to the IP address 104.37.86.66, a hosting infrastructure historically associated with fraudulent pages. The domain leverages PerfectSSL for a deceptive padlock icon and a 2014 creation date to appear long-standing and trustworthy, but Google Safe Browsing categorizes it under SOCIAL_ENGINEERING due to its scareware tactics.  Tech analysts can pivot on the unique seed 1a4734 to track this sample across sandbox detections. The domain was registered through eNom, LLC, a registrar that has processed both legitimate and abusive registrations, and its SSL certificate adds superficial legitimacy. VirusTotal’s detection ratio of 17/95 underscores that while not universally flagged, multiple scanners—including reputable ones—associate it with fraudulent tech-support pop-ups or redirects that claim “Your device has been infected” to extract payment or remote access.  If you accessed icuwtzw.cloudaccess.host, stop any interaction immediately. Do not click any prompts, provide personal information, or allow remote access. If you entered credentials or payment details, change passwords and monitor accounts for unusual activity. Run a full antivirus scan and consider resetting browser settings. Report the domain to your security team or via the platform’s abuse channels so it can be blocked and mitigated across your environment.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      95b5529035b136f0cc570ea3d28005aef142cd78645ab5c2c5af2eab0dfa4636

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/icuwtzw.cloudaccess.host/
JSON API:          https://api.destroy.tools/v1/check?domain=icuwtzw.cloudaccess.host
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 151,942 domains (43,234 alive under monitoring, 108,428 confirmed takedowns/dead). Site: https://phishdestroy.io