# PhishDestroy threat dossier — livemaintenance.pages.dev
================================================================

Fetched: 2026-05-03 11:04:34 UTC
Canonical: https://phishdestroy.io/domain/livemaintenance.pages.dev/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 77/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, G-Data, Sophos, Webroot

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.44.91 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: khalid.ns.cloudflare.com, maleah.ns.cloudflare.com
Registered: 2026-04-24
Page title: EVM Resolve
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-06-29
Status: INVALID chain
Fingerprint: 768f4bb892445b09207a36f5a3ed7d13ebd87f52d74dc84d3ea1f563160dc891

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-24 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-24 22:30:10 UTC (by PhishDestroy tracker)
Last verified: 2026-05-03 01:40:08 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dc0f7-4213-72f3-9d29-12e4b088fdd0/
Wayback Machine: https://web.archive.org/web/*/livemaintenance.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.livemaintenance.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=livemaintenance.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/livemaintenance.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/livemaintenance.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-24 22:31:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies livemaintenance.pages.dev as an active credential theft domain designed to mimic legitimate maintenance portals. This domain leverages Cloudflare’s infrastructure (IP 172.66.44.91) to host a fraudulent login interface, tricking users into submitting sensitive credentials under false pretenses. The threat actor behind this domain likely employs social engineering tactics, such as spoofing system maintenance notifications, to lure victims into interacting with the malicious site. Credential theft remains the primary risk, as compromised accounts could be exploited for further fraud, unauthorized access, or lateral movement within targeted systems.
The domain’s use of Google Trust Services for SSL certificates adds a veneer of legitimacy, further obfuscating its malicious intent for unsuspecting users.

Technical analysis reveals several red flags despite the domain’s low detection rate. As of the latest scan, VirusTotal registers 0 detections out of 95 engines, highlighting the evasive nature of this threat and the challenges in early-stage identification. The domain is registered through Cloudflare, Inc., leveraging the provider’s free tier (pages.dev) to rapidly deploy and discard infrastructure. While the exact creation date is not provided, the domain’s association with active credential theft campaigns suggests recent deployment aimed at exploiting current events or ongoing service disruptions. The absence of blocklist entries at this stage indicates the domain is either newly active or employing advanced evasion techniques to avoid automated detection systems.

Users who visited livemaintenance.pages.dev should assume their credentials were compromised if any login details were entered. Immediately rotate passwords associated with this domain and enable multi-factor authentication (MFA) on all related accounts. Monitor accounts for unauthorized activity, such as unexpected login attempts or financial transactions, and report any suspicious behavior to the respective service providers. For organizations, isolate affected systems, audit user access logs, and consider deploying endpoint detection and response (EDR) tools to contain potential breaches. If credentials were reused across multiple platforms, prioritize changing passwords on high-value accounts (e.g., email, banking, or corporate systems) first. Proactively report this domain to security teams or platforms like PhishDestroy to aid in broader threat intelligence sharing and prevent further victimization.

[Updates since narrative was generated:]
- WHOIS creation date: 2026-04-24

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: fa92ee0042d7964cc9e7779788153ba7
TLS cert SHA-256: 768f4bb892445b09207a36f5a3ed7d13ebd87f52d74dc84d3ea1f563160dc891

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/livemaintenance.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=livemaintenance.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 144,974 domains (55,790 alive under monitoring, 88,755 confirmed takedowns/dead).
Site: https://phishdestroy.io