# netflix-cloness.surge.sh — MALICIOUS

> PhishDestroy identifies netflix-cloness.surge.sh as a fake Netflix clone phishing site hosting a credential drainer kit.

## Summary

PhishDestroy identifies netflix-cloness.surge.sh as a live phishing domain impersonating Netflix to harvest login credentials via a fake streaming platform clone. The site employs a credential drainer kit designed to capture user inputs and transmit stolen data to attacker-controlled infrastructure. This campaign targets users seeking free or unauthorized access to Netflix content, leveraging social engineering through the domain's misleading branding.

This domain was flagged by 15 out of 95 security vendors on VirusTotal, indicating elevated risk and widespread detection. It is registered through Surge.sh, a platform often abused by threat actors due to its ease of deployment and lack of stringent monitoring. The domain resolves to IP address 159.203.159.100, which is associated with malicious hosting activity. The site is blocked by OpenPhish, a leading phishing intelligence feed, and carries an SSL certificate issued by Sectigo Limited, enhancing its deceptive legitimacy. It appears on one active security blocklist, further validating its malicious nature.

As of the latest assessment, netflix-cloness.surge.sh remains active and poses an elevated risk to end users. Immediate defensive actions include network-level blocking of the domain and IP address, user awareness campaigns highlighting the specific lure (fake Netflix clone), and integration of the domain into organization-wide threat intelligence platforms. While current defenses such as OpenPhish and VirusTotal detections provide partial coverage, this campaign demonstrates adaptability and may shift infrastructure to evade detection. Users are strongly advised to refrain from engaging with this domain and report any encounters to their security teams. The residual risk remains high due to the active status of the campaign and its use of legitimate hosting services to bypass traditional filters.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Surge.sh
- IP: 159.203.159.100

## Detection Status

- VirusTotal: 15 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hit (OpenPhish)

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/19229b69-29b0-4c44-9141-a2d6793b55fc
- PhishDestroy: https://phishdestroy.io/domain/netflix-cloness.surge.sh/
- LLM endpoint: https://phishdestroy.io/domain/netflix-cloness.surge.sh/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/netflix-cloness.surge.sh/

Last updated: 2026-03-27