# PhishDestroy threat dossier — kra34cc.vip ================================================================ Fetched: 2026-04-23 19:38:05 UTC Canonical: https://phishdestroy.io/domain/kra34cc.vip/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Generic Phishing Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 3/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 7/94 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, CRDF, Fortinet, G-Data, Sophos, Webroot ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.48.157 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: ["george.ns.cloudflare.com", "lola.ns.cloudflare.com"] Registered: 2026-03-29 Page title: Captcha HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-05-14 Status: INVALID chain Fingerprint: 35b8349f69452563e1ba7716060eebdf4e678a235efeee3ee7936bb91a0045f9 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-03-29 03:12:14 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-03-29 00:14:08 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-23 07:40:56 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d36ed-837e-731b-aedc-15788daeb676/ URLQuery: https://urlquery.net/report/43226fa9-c510-4563-8f35-5bd539191612 Wayback Machine: https://web.archive.org/web/*/kra34cc.vip crt.sh CT logs: https://crt.sh/?q=%25.kra34cc.vip Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=kra34cc.vip AlienVault OTX: https://otx.alienvault.com/indicator/domain/kra34cc.vip URLhaus: https://urlhaus.abuse.ch/host/kra34cc.vip/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-03-29 03:13:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies kra34cc.vip as an active credential harvesting domain posing an elevated risk to visitors. This recently created domain operates as a generic phishing site, likely designed to impersonate legitimate services and trick users into submitting login credentials. Security researchers and end-users should treat this domain with high caution, as it exhibits multiple red flags consistent with malicious activity targeting unsuspecting victims. This domain was flagged by 3 out of 95 VirusTotal security vendors, indicating limited but notable detection of its malicious nature. It is registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known for hosting dynamic and often abusive registrations. kra34cc.vip resolves to IP address 104.21.48.157, a hosting provider frequently associated with phishing campaigns. The domain was created on June 03, 2025, making it extremely new and untrusted. Despite a valid SSL certificate issued by Google Trust Services—commonly abused by threat actors to appear legitimate—there are no indicators of legitimate use. This domain remains unlisted on major threat intelligence blocklists as of the latest scan, suggesting rapid deployment and currently low exposure in global defenses. Users who encounter kra34cc.vip should immediately refrain from interacting with the site, especially avoid entering any login credentials, personal information, or payment details. Given the domain’s recent registration and low but critical detection rate, it is likely targeting unsuspecting users with fake login portals. To verify site safety and confirm this domain’s malicious status, users should consult PhishDestroy’s threat lookup tool before proceeding. Organizations are advised to block access to 104.21.48.157 at the network level and update firewall rules to prevent outbound connections. Always report suspicious domains to threat intelligence platforms to enhance collective defense against credential harvesting campaigns. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260329-310E9E Favicon MD5: 7a8920b132f3579d7b00abf8a49c6df5 TLS cert SHA-256: 35b8349f69452563e1ba7716060eebdf4e678a235efeee3ee7936bb91a0045f9 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/kra34cc.vip/ JSON API: https://api.destroy.tools/v1/check?domain=kra34cc.vip Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io