# PhishDestroy threat dossier — mail.x-icloud.com
================================================================

Fetched:   2026-06-29 16:20:21 UTC
Canonical: https://phishdestroy.io/domain/mail.x-icloud.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 86/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Apple
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      4/91 security vendors flagged this domain
  Flagging vendors: G-Data, SOCRadar, Sophos
URLQuery:        2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      162.144.180.56 (US, Provo)
ASN:             AS46606 Unified Layer
Hosting org:     Unified Layer
Registrar:       Sav.com, LLC
Nameservers:     cns2013.webhostbox.net, cns2014.webhostbox.net
Registered:      2026-06-23
Expires:         2027-06-23
HTTP response:   406

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-29 03:22:06 UTC (by PhishDestroy tracker)
First reported:    2026-06-29 01:30:35 UTC (abuse notice filed)
Last verified:     2026-06-29 16:20:35 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019f10f6-bea9-7709-90bf-8a14ba4ae2d8/
URLQuery:         https://urlquery.net/report/ec8a2f19-2308-4d16-b491-87d2fc691dd1
Wayback Machine:  https://web.archive.org/web/*/mail.x-icloud.com
crt.sh CT logs:   https://crt.sh/?q=%25.mail.x-icloud.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=mail.x-icloud.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/mail.x-icloud.com
URLhaus:          https://urlhaus.abuse.ch/host/mail.x-icloud.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-29 03:25:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain mail.x-icloud.com has been identified as an active brand impersonation threat specifically targeting Apple users. This infrastructure is designed to mimic legitimate Apple webmail services, with the intent to deceive end users and harvest credentials or sensitive information. No evidence of an automated drainer kit is present, but the domain's construction closely aligns with tactics employed in credential phishing operations.

Technical analysis shows mail.x-icloud.com resolves to IP address 162.144.180.56 and was registered via Sav.com, LLC on June 23, 2026. The SSL certificate is issued by Let's Encrypt, a widely used certificate authority often leveraged by threat actors to create the appearance of legitimacy. VirusTotal intelligence confirms that 3 out of 95 security vendors detect this domain as malicious, which, while a minority, lends credence to its risk profile. At the time of reporting, additional blocklist data and reputation systems may not yet reflect this emerging threat, warranting heightened scrutiny.

The domain remains active and continues to pose an elevated risk to users who may mistake it for genuine Apple infrastructure. Recommended response actions include immediate blocking of the domain across email, network, and web security layers. Security teams should monitor for access attempts to mail.x-icloud.com and educate users about the potential for deceptive domains impersonating trusted brands. Ongoing risk persists until the domain is suspended at the registrar level and fully incorporated into global threat intelligence feeds.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260629-4E9112
Favicon MD5:       0a81714b61002c2c25a197ce6c45e694

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/mail.x-icloud.com/
JSON API:          https://api.destroy.tools/v1/check?domain=mail.x-icloud.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,677 domains (13,179 alive under monitoring, 158,908 confirmed takedowns/dead). Site: https://phishdestroy.io