# PhishDestroy threat dossier — mail.localizadorsatelital.sbs
================================================================
Fetched: 2026-07-02 07:11:20 UTC
Canonical: https://phishdestroy.io/domain/mail.localizadorsatelital.sbs/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 71/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: SOCRadar
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 162.144.180.56 (US, Provo)
ASN: AS46606 Unified Layer
Hosting org: Unified Layer
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
  https://phishdestroy.io/namesilo-killed-our-twitter
  https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers: cns2013.webhostbox.net, cns2014.webhostbox.net
Registered: 2026-06-23
Expires: 2027-06-23
HTTP response: 406

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-29 02:36:41 UTC (by PhishDestroy tracker)
Last verified: 2026-07-02 08:20:36 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f10cd-3243-7515-94cf-25c384a19665/
Wayback Machine: https://web.archive.org/web/*/mail.localizadorsatelital.sbs
crt.sh CT logs: https://crt.sh/?q=%25.mail.localizadorsatelital.sbs
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=mail.localizadorsatelital.sbs
AlienVault OTX: https://otx.alienvault.com/indicator/domain/mail.localizadorsatelital.sbs
URLhaus: https://urlhaus.abuse.ch/host/mail.localizadorsatelital.sbs/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-29 02:46:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, mail.localizadorsatelital.sbs, is actively engaged in credential theft operations targeting users of satellite tracking and logistics platforms. Analysis indicates the infrastructure is designed to mimic legitimate tracking portals, tricking victims into entering sensitive login credentials, API keys, or other authentication tokens. The threat extends beyond basic phishing, as the domain may also distribute malicious payloads or redirect users to secondary credential-harvesting pages, increasing the risk of account compromise and subsequent unauthorized access to corporate or personal systems.

Infrastructure analysis reveals concrete indicators of malicious intent. The domain was registered on June 23, 2026, through NameSilo, LLC, a registrar frequently associated with high-risk domains. It currently resolves to the IP address 162.144.180.56, which has been linked to other fraudulent activities in recent months. VirusTotal reports that 1 of 95 security vendors has flagged this domain as malicious, a low but notable detection rate that suggests either evasion techniques or recent activation. Additionally, the domain employs a Let's Encrypt SSL certificate, a common tactic to lend an air of legitimacy while encrypting malicious traffic to evade network-based detection.

Users who have interacted with mail.localizadorsatelital.sbs should take immediate action to mitigate potential risks. First, revoke any credentials entered on the site and enable multi-factor authentication on all associated accounts. Monitor for unauthorized access or unusual activity, particularly in systems tied to logistics, shipping, or satellite tracking services. Network administrators should block the domain and its resolving IP (162.144.180.56) at the firewall or DNS level to prevent further exposure. If the domain was accessed from a corporate device, initiate an incident response protocol to assess potential data exfiltration or lateral movement within the network. Given the elevated risk level, affected users should also consider reporting the incident to relevant cybersecurity authorities for further investigation.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 0a81714b61002c2c25a197ce6c45e694

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/mail.localizadorsatelital.sbs/
JSON API: https://api.destroy.tools/v1/check?domain=mail.localizadorsatelital.sbs
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead).
Site: https://phishdestroy.io