# PhishDestroy threat dossier — metisprism.studio
================================================================

Fetched:   2026-04-22 08:20:32 UTC
Canonical: https://phishdestroy.io/domain/metisprism.studio/

## VERDICT
----------------------------------------------------------------
STATUS STALE — last probed 22 days ago, treat as ACTIVE until re-verified
Composite threat score: 60/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/95 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, ChainPatrol, CyRadar, Forcepoint ThreatSeeker, Seclookup
Public blocklists: listed on 2 independent blocklists
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      199.36.158.100 (US, Mountain View)
ASN:             ASAS54113 FASTLY, US
Hosting org:     AS54113 Fastly, Inc.
Registrar:       Google LLC
Nameservers:     ns-cloud-b1.googledomains.com, ns-cloud-b2.googledomains.com, ns-cloud-b3.googledomains.com, ns-cloud-b4.googledomains.com
Page title:      Metis Prism - Interactive Intelligence Platform
HTTP response:   404

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WR3
Expires:    2026-04-14
Status:     INVALID chain
Fingerprint: 85794c0253fa9bf6f427dce3a418883585d725d6407d33f0e442545712401786
Subject Alternative Names (related infrastructure — often same operator):
  - admin.dashport.run
  - airfieldmemorialunion.com
  - airfieldsrwc.com
  - airfieldstanford.com
  - app.crewrun.com
  - app.engage.ceebee.voyagernetz.us
  - app.noleggy.com
  - appstore.vanyasem.ru
  - askzuppy.com
  - auth.useomnyxai.com
  - b2b-dashboard.dawsat.com
  - biz.iworkie.com
  - bizmarketplace.co.uk
  - byline.fun
  - carpoolschedule.com
  ... +84 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected:    2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
First reported:    2025-11-17 14:27:57 UTC (abuse notice filed)
Last verified:     2026-03-31 01:00:26 UTC (STALE — 22 days ago, re-verify)
Flagged dead:      2026-02-22 06:06:41 UTC (NOT RE-VERIFIED IN 22 DAYS — treat as unconfirmed)
Current status:    UNCONFIRMED (our live-probe is 22 days stale)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019a9236-caee-71c1-a667-3a09475907d5/
Wayback Machine:  https://web.archive.org/web/*/metisprism.studio
crt.sh CT logs:   https://crt.sh/?q=%25.metisprism.studio
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=metisprism.studio
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/metisprism.studio
URLhaus:          https://urlhaus.abuse.ch/host/metisprism.studio/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-19 02:43:10 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies metisprism.studio as a phishing domain impersonating the Metis Prism interactive intelligence platform. Although currently offline, this site posed a medium-level risk by attempting to deceive users into believing they were accessing a legitimate service. Phishing sites like this often aim to steal sensitive information such as login credentials or personal data.

The phishing tactic used by metisprism.studio involved mimicking the look and feel of the authentic Metis Prism platform to trick visitors. Users who visited the site risked entering confidential details that could be harvested by attackers. The domain was registered through Google LLC, resolved to IP 199.36.158.100, and appeared on two security blocklists, with some security vendors flagging it as malicious.

If you have visited metisprism.studio, it is recommended to avoid entering any personal or financial information. Run a security scan on your device, change passwords for any accounts potentially exposed, and remain vigilant for phishing attempts in emails or messages referencing Metis Prism. Reporting suspicious sites like this helps protect the broader community.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon SHA-256:       4d81b8b9b935e462911581a69181a05ee841a2578b3546a0f109738be0e1d0be
TLS cert SHA-256:      85794c0253fa9bf6f427dce3a418883585d725d6407d33f0e442545712401786

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/metisprism.studio/
JSON API:          https://api.destroy.tools/v1/check?domain=metisprism.studio
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io