# PhishDestroy threat dossier — jhalakmanuja.github.io ================================================================ Fetched: 2026-07-12 15:26:17 UTC Canonical: https://phishdestroy.io/domain/jhalakmanuja.github.io/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 66/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 6/95 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Emsisoft, Fortinet, Gridinsoft, Netcraft, Webroot Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.199.108.153 (US, San Francisco) ASN: AS54113 Fastly, Inc. Hosting org: GitHub, Inc Registrar: GitHub, Inc. Nameservers: NS_NOT_FOUND HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-02 Status: INVALID chain Fingerprint: 32491b26bfaf7bfb556029ef32299ac4374db34d09eecd4ffd01f21b2c5a8567 Subject Alternative Names (related infrastructure — often same operator): - github.com - github.io - githubusercontent.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-12 13:36:59 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 17:19:00 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f561d-63b5-712c-b4de-d1c5c0124558/ Wayback Machine: https://web.archive.org/web/*/jhalakmanuja.github.io crt.sh CT logs: https://crt.sh/?q=%25.jhalakmanuja.github.io Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jhalakmanuja.github.io AlienVault OTX: https://otx.alienvault.com/indicator/domain/jhalakmanuja.github.io URLhaus: https://urlhaus.abuse.ch/host/jhalakmanuja.github.io/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:19:00 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Analysis indicates that the domain jhalakmanuja.github.io is actively being used in a high‑risk generic phishing campaign. The domain resolves to the IPv4 address 185.199.108.153, which is owned by GitHub, Inc. and located in the United States. The site is delivered through a stack that includes Varnish, GitHub Pages, and Fastly, and the TLS certificate is issued by Let’s Encrypt (YR2). HTTP requests return a 404 status, suggesting that the landing page may be hidden or dynamically generated elsewhere in the sub‑directory structure. VirusTotal reports that six out of ninety‑five scanned security vendors have flagged the domain, providing modest but notable detection coverage. Google Safe Browsing categorises the domain under the “SOCIAL_ENGINEERING” label, and PhishDestroy has already added it to its blocklist. The domain also appears on one additional security blocklist, although specific list identifiers are not disclosed. Nameserver information could not be retrieved, which is consistent with the default GitHub Pages configuration. The observed infrastructure points to an attacker leveraging legitimate hosting services to obscure malicious activity. The use of a reputable certificate authority and a well‑known CDN reduces the likelihood of immediate browser warnings, increasing the chance of successful credential harvesting. However, the lack of a visible landing page (HTTP 404) creates uncertainty about the exact phishing payload, URLs, or targeted brands. Continuous monitoring of the domain and any newly created sub‑paths is required to capture evolving threat behavior. Defenders should block outbound connections to jhalakmanuja.github.io at the DNS and network layers, and add the domain to internal threat intel feeds. Security teams should also monitor traffic for TLS connections to 185.199.108.153 and alert on any HTTP requests that return non‑404 responses, as these may indicate the activation of a phishing page. Regularly reviewing updates from phishing‑specific blocklists and re‑scanning the domain with sandbox tools will help maintain situational awareness. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 32491b26bfaf7bfb556029ef32299ac4374db34d09eecd4ffd01f21b2c5a8567 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/jhalakmanuja.github.io/ JSON API: https://api.destroy.tools/v1/check?domain=jhalakmanuja.github.io Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,717 domains (49,468 alive under monitoring, 128,119 confirmed takedowns/dead). Site: https://phishdestroy.io