# joel-johnson-exe.github.io — MALICIOUS

> joel-johnson-exe.github.io is a credential theft site flagged by 8/95 VirusTotal vendors. Disguised as a legitimate service, it targets unsuspecting users.

## Summary
PhishDestroy identifies joel-johnson-exe.github.io as an active credential theft domain leveraging GitHub Pages for legitimacy. This domain, hosted on IP 185.199.108.153 with a Let's Encrypt SSL certificate, is currently propagating through phishing campaigns aimed at harvesting user credentials under the guise of a personal or professional page. The domain's infrastructure—registered via GitHub, Inc.—provides a veneer of trustworthiness, which threat actors exploit to bypass traditional security filters. Initial exposure to this domain could result in unauthorized access to sensitive accounts or data exfiltration, particularly if users are tricked into entering login credentials.  

Threat analysis reveals a coordinated effort to impersonate a reputable individual or entity, likely targeting professionals or users familiar with the impersonated person. VirusTotal confirms this threat with 8 out of 95 security vendors flagging the domain as malicious, indicating widespread, though not universal, detection. The domain resolves to a GitHub-owned IP range (185.199.108.153), which is commonly abused by threat actors to host malicious content due to GitHub's trusted reputation. While GitHub Pages is a legitimate service, the misuse of this platform for credential theft campaigns underscores the need for heightened vigilance. The domain's SSL certificate, issued by Let's Encrypt, further lends an air of legitimacy, making it harder for users to discern the malicious nature of the site.  

If you or your users have visited joel-johnson-exe.github.io, assume credentials entered on the site have been compromised. Immediately rotate passwords for all accounts associated with this domain, including email, social media, and any other services where the same credentials might have been reused. Enable multi-factor authentication (MFA) wherever possible to add an additional layer of security. Report the domain to your security team or via platforms like VirusTotal to aid in broader threat intelligence sharing. For organizational environments, consider blocking the domain and IP (185.199.108.153) at the network perimeter to prevent further exposure. Remain cautious of unsolicited emails or messages referencing this domain, as they may be part of a larger social engineering campaign.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: GitHub, Inc.
- IP: 185.199.108.153

## Detection Status
- VirusTotal: 8 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/2c454d8a-e06f-4184-b271-cda31fcffdec
- PhishDestroy: https://phishdestroy.io/domain/joel-johnson-exe.github.io/
- LLM endpoint: https://phishdestroy.io/domain/joel-johnson-exe.github.io/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/joel-johnson-exe.github.io/
Last updated: 2026-03-28