# nord-ae.com — SUSPICIOUS

> nord-ae.com is a live credential-theft page masquerading as NordVPN. Only 2 of 95 VirusTotal engines detect it. Block it now.

## Summary

A newly registered domain, nord-ae.com, is actively hosting a credential-theft page specifically impersonating NordVPN services. Security telemetry indicates that the page is engineered to harvest user login details under the guise of a legitimate NordVPN login portal. Once credentials are entered, they are immediately transmitted to attacker-controlled infrastructure, enabling subsequent account takeovers, VPN misuse, and potential lateral movement if the same credentials are reused across other services. The domain’s swift activation, coupled with low detection rates, underscores a deliberate campaign to exploit trust in the NordVPN brand.

nord-ae.com was created on March 11, 2026—within the last 24 hours—registering only 2 detections out of 95 VirusTotal security vendor scans as of the latest intelligence feed. The domain is hosted on IP address 87.121.105.51 and utilizes a valid SSL certificate issued by Let’s Encrypt, which may help it bypass security controls that rely on heuristic blocking. It was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known for low-friction registrations that are frequently abused by malicious actors. Despite its recent appearance, the domain has already been implicated in active phishing campaigns targeting users seeking NordVPN account access.

Organizations and users who may have entered login credentials on this domain are advised to immediately change passwords on NordVPN and any other services where the same email-password combination might have been reused. Enable multi-factor authentication wherever available and monitor VPN account activity for unauthorized usage. Security teams should block the domain at DNS and network levels, and inspect firewall logs for outbound connections to 87.121.105.51. If credentials were compromised, consider revoking active VPN sessions and initiating a password reset cycle across the environment. Proactive user awareness and DNS filtering remain the most effective defenses against this ongoing campaign.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-11 20:04:20
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 87.121.105.51

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/b7c775df-bf5f-4917-96bc-be50114c5b63
- PhishDestroy: https://phishdestroy.io/domain/nord-ae.com/
- LLM endpoint: https://phishdestroy.io/domain/nord-ae.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/nord-ae.com/

Last updated: 2026-03-23