# lux24.biz — SUSPICIOUS

> lux24.biz shows signs of credential theft phishing targeting users. VirusTotal flags 1/95 vendors, signaling elevated risk. Avoid entering sensitive data.

## Summary

lux24.biz has been flagged as an active credential theft domain with an elevated risk level by PhishDestroy’s threat intelligence system. The domain leverages deceptive branding (lux24) to impersonate legitimate services, tricking users into submitting login credentials or financial details. Credential theft domains like this one are often used in follow-on attacks, including account takeovers, financial fraud, or identity theft. The threat actor behind this infrastructure operates with low operational security, as evidenced by its recent creation date and limited VirusTotal detection at the time of analysis. Users interacting with this domain risk immediate credential compromise and long-term exposure to follow-on attacks, including spear-phishing or malware delivery.

PhishDestroy identifies lux24.biz as a credential theft domain with multiple red flags in its technical profile. The domain resolves to IP address 91.206.71.131 and is associated with NICENIC INTERNATIONAL GROUP CO., LIMITED as the registrar. It was registered on April 22, 2022, indicating a short operational lifespan. The domain holds a Google Trust Services SSL certificate, which may be used to enhance credibility. However, only 1 out of 95 VirusTotal security vendors flagged the domain at the time of analysis, suggesting limited but not absent detection. The low detection rate highlights the sophistication of evasion techniques employed by the threat actor, including the use of a trusted certificate issuer to bypass browser warnings. This combination of factors—recent creation, low detection, and active hosting—positions lux24.biz as a credible but highly dangerous credential theft vector.

To mitigate risk, users should avoid entering any sensitive information on lux24.biz or interacting with its pages. If credentials or financial details were submitted, immediately reset passwords on all affected accounts and enable multi-factor authentication where possible. Monitor financial accounts and email inboxes for signs of compromise, such as unexpected login attempts or phishing follow-ups. Organizations should block the domain at the network level and update endpoint protection rules to flag the associated IP (91.206.71.131) and SSL certificate issuer (Google Trust Services) as indicators of compromise. Security teams should also investigate whether internal users have accessed this domain and initiate incident response procedures if any credential exposure is detected. Proactive blocking and user awareness are critical to preventing credential theft attempts from escalating into broader attacks.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2022-04-22 15:24:42
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 91.206.71.131

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/0c2713c9-6071-4ddf-8a7d-1613900ce440
- PhishDestroy: https://phishdestroy.io/domain/lux24.biz/
- LLM endpoint: https://phishdestroy.io/domain/lux24.biz/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/lux24.biz/

Last updated: 2026-03-26