# PhishDestroy threat dossier — midnight-pd.top ================================================================ Fetched: 2026-07-12 16:22:17 UTC Canonical: https://phishdestroy.io/domain/midnight-pd.top/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 81/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 10/91 security vendors flagged this domain Flagging vendors: ChainPatrol, alphaMountain.ai, CRDF, ESET, Emsisoft, Fortinet, LevelBlue, Netcraft, Sophos, Webroot AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.66.143.35 (NL, Amsterdam) ASN: AS200514 KnownSRV Ltd. Hosting org: KnownSRV Ltd Registrar: Cosmotown Nameservers: ns19.knownsrv.com, ns20.knownsrv.com Registered: 2026-07-05 Expires: 2027-07-05 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-10-08 Status: INVALID chain Fingerprint: 702c03e80340da64ff4ea0780449c2ff5dbd27dd0a5fba56b49dd4eb1171c7cd Subject Alternative Names (related infrastructure — often same operator): - midnight-pd.top.ocimumasset.top - www.midnight-pd.top.ocimumasset.top ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 15:52:37 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 18:20:24 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f5699-9349-74d2-a551-5d5a03a12416/ Wayback Machine: https://web.archive.org/web/*/midnight-pd.top crt.sh CT logs: https://crt.sh/?q=%25.midnight-pd.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=midnight-pd.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/midnight-pd.top URLhaus: https://urlhaus.abuse.ch/host/midnight-pd.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:17:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Analysis indicates that the domain midnight-pd.top was registered on July 05, 2026 through the Cosmotown registrar and resolves to the IP address 185.66.143.35, which is hosted in the Netherlands by KnownSRV Ltd. The server presents a publicly trusted TLS certificate issued by Let’s Encrypt and runs Nginx with the OpenResty module, a stack commonly observed in malicious web‑hosting environments. Nameserver records point to ns19.knownsrv.com and ns20.knownsrv.com, both associated with the same hosting provider, confirming a single‑point infrastructure footprint. Threat intelligence sources show that midnight-pd.top appears on three security blocklists and has been referenced in two AlienVault OTX pulses, suggesting that the domain has been observed in prior phishing campaigns. VirusTotal scans have resulted in 10 out of 95 security vendors flagging the domain, reinforcing the suspicion of malicious activity. The combination of recent registration, low‑reputation hosting, and multiple independent detections aligns with patterns typical of generic phishing infrastructure. While the available data confirms the domain’s presence on blocklists and its detection by several security engines, details about the specific payload, targeted brands, or credential‑stealing mechanisms remain undisclosed. No public samples of the hosted content have been captured, and the exact phishing landing page structure has not been shared in open‑source feeds. Consequently, the full scope of the campaign—such as victim demographics or credential types sought—cannot be precisely determined from the current intelligence. Defenders should add midnight-pd.top to local deny lists and enforce network‑level blocking for the associated IP address. Monitoring of DNS queries for the domain and its authoritative nameservers is advised to detect any future re‑use of the same hosting assets. Organizations should also inspect outbound traffic for connections to the NL‑based server, especially from users handling sensitive login credentials. Continuous threat‑intel feeds should be consulted for updates that may reveal additional indicators of compromise tied to this domain. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 702c03e80340da64ff4ea0780449c2ff5dbd27dd0a5fba56b49dd4eb1171c7cd ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/midnight-pd.top/ JSON API: https://api.destroy.tools/v1/check?domain=midnight-pd.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,800 domains (49,496 alive under monitoring, 128,230 confirmed takedowns/dead). Site: https://phishdestroy.io