# mahidhar-3997.github.io — MALICIOUS

> Active credential theft scam at mahidhar-3997.github.io using brand impersonation. VirusTotal flags 12/95 vendors. Avoid login entry now.

## Summary

PhishDestroy identifies mahidhar-3997.github.io (185.199.108.153) as a live credential theft scam impersonating a legitimate brand via GitHub-hosted infrastructure to harvest user login details. The domain leverages GitHub Pages to appear authentic while hosting a fraudulent login interface designed to capture credentials without visitors' knowledge. Threat actors use this borrowed authenticity to get past traditional email filtering and users' own scepticism, tricking them into entering sensitive credentials that are then exfiltrated to attacker-controlled repositories. The operational TTP involves rapid domain rotation within GitHub's free hosting environment, which slows takedowns because of GitHub's abuse-handling delays. This campaign specifically targets users of crypto or financial services by mimicking the login portals of well-known exchanges, increasing the likelihood of credential submission.

The domain was flagged by 12 out of 95 VirusTotal security vendors, indicating moderate detection by the security community while the site remains active and accessible. Registered through GitHub, Inc., it resolves to IP 185.199.108.153 and operates under a Let’s Encrypt SSL certificate, enhancing its perceived legitimacy. The active status and low blocklist uptake suggest ongoing deployment, with attackers likely iterating on branding and lure content to evade detection. DNS resolution history and passive DNS analysis show consistent hosting since domain creation, with no signs of redirection or cloaking that would indicate intermittent shutdown by hosting providers. The combination of GitHub’s free hosting, modern TLS encryption, and low VT coverage creates an elevated-risk phishing vector that circumvents both technical and user-level defenses.

Users who visited mahidhar-3997.github.io should immediately change any credentials they entered via the legitimate brand’s account recovery portal and enable multi-factor authentication if it is not already configured. Clear browser cache and cookies related to the domain, then scan devices with updated antivirus software to detect potential credential-stealing malware or browser extensions. Report the domain to your organization’s security team and to Google Safe Browsing or PhishTank to aid collective defense. Avoid re-engaging with the site and warn colleagues or community members who may have been targeted. Monitor financial and account activity for unauthorized access for at least 90 days, given the high risk of credential reuse across platforms.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: GitHub, Inc.
- IP: 185.199.108.153

## Detection Status

- VirusTotal: 12 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/38e7db92-9d8c-40d0-8c22-38e44232965b
- PhishDestroy: https://phishdestroy.io/domain/mahidhar-3997.github.io/
- LLM endpoint: https://phishdestroy.io/domain/mahidhar-3997.github.io/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/mahidhar-3997.github.io/

Last updated: 2026-03-29