# krab-1cc.net — SUSPICIOUS

> Investigating krab-1cc.net for credential theft phishing, flagged by 4 of 95 VirusTotal vendors. Review immediately to prevent account compromise.

## Summary

krab-1cc.net is identified as an active credential theft domain posing an elevated risk to enterprise and consumer users. This domain is currently engaged in malicious activities designed to harvest user credentials through deceptive login portals. The threat actor behind this infrastructure employs social engineering tactics to trick victims into surrendering sensitive authentication details, which are then leveraged for unauthorized access to accounts, financial theft, or further exploitation.

This domain was flagged by 4 of 95 VirusTotal security vendors, indicating limited but significant detection coverage. It was registered on December 12, 2025, through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known to allow both legitimate and opportunistic domain registrations with minimal verification. The domain resolves to the IP address 104.21.43.81 and is protected by an SSL certificate issued by Google Trust Services, a trusted authority that may be abused to lend false legitimacy to the phishing site. The infrastructure's recent creation and the use of a reputable SSL issuer suggest a potentially short-lived but highly targeted campaign. As of the latest intelligence, this domain remains active and presents an elevated risk profile due to its credential harvesting objective and partial detection evasion.

Organizations and individuals should immediately block krab-1cc.net and its associated IP (104.21.43.81) at the network perimeter and DNS level to prevent user exposure. Additionally, users should be notified of this threat and advised to avoid interacting with the domain or any related landing pages. Security teams are urged to check authentication logs for any signs of compromise related to credentials entered on this domain. Proactive monitoring of NICENIC INTERNATIONAL GROUP CO., LIMITED registrations and similar naming conventions is recommended to detect emerging threats from this actor.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-12-12 04:28:41
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.43.81

## Detection Status

- VirusTotal: 4 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/2c5c874c-0caa-471d-9f42-f3285039c947
- PhishDestroy: https://phishdestroy.io/domain/krab-1cc.net/
- LLM endpoint: https://phishdestroy.io/domain/krab-1cc.net/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/krab-1cc.net/

Last updated: 2026-03-27