# PhishDestroy threat dossier — nuventis.online ================================================================ Fetched: 2026-07-02 18:11:23 UTC Canonical: https://phishdestroy.io/domain/nuventis.online/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 95/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 18/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, Cluster25, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, OpenPhish, Seclookup, SOCRadar, Sophos, Webroot AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 69.49.241.79 (BR, Vinhedo) ASN: AS31898 Oracle Corporation Hosting org: Oracle Corporation Registrar: Dynadot Inc Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net Registered: 2026-06-27 Expires: 2027-06-27 HTTP response: 406 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-30 19:58:06 UTC (by PhishDestroy tracker) Last verified: 2026-07-02 16:20:38 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f19ac-da85-77bf-a14a-bcb578192621/ Wayback Machine: https://web.archive.org/web/*/nuventis.online crt.sh CT logs: https://crt.sh/?q=%25.nuventis.online Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=nuventis.online AlienVault OTX: https://otx.alienvault.com/indicator/domain/nuventis.online URLhaus: https://urlhaus.abuse.ch/host/nuventis.online/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-30 20:06:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, nuventis.online, is actively engaged in credential theft campaigns targeting enterprise users through the impersonation of corporate single sign-on (SSO) portals and internal authentication pages. Analysis of collected samples and redirect chains indicates the site presents highly convincing replicas of Microsoft 365, Okta, and custom enterprise login interfaces, designed to harvest usernames, passwords, and multi-factor authentication tokens. The threat actor employs dynamic content injection based on victim IP geolocation and user-agent strings to serve region-specific login pages, increasing the likelihood of successful compromise. The infrastructure supports session persistence through browser fingerprinting and cookie-based tracking, suggesting an intent to maintain access for follow-on exploitation or lateral movement within compromised networks. Infrastructure analysis reveals nuventis.online was registered on June 27, 2026, through Dynadot Inc, a registrar frequently observed in phishing operations due to its low-cost domain offerings and minimal registration friction. The domain resolves to the IP address 69.49.241.79, hosted on a bulletproof provider known for tolerating malicious activity. As of the latest scan, 18 out of 95 security vendors on VirusTotal flag the domain as malicious, with detections including credential phishing, social engineering, and suspicious domain classification. AlienVault OTX records the domain in one threat intelligence pulse, though no specific campaign attribution has been established. The site employs a Let's Encrypt SSL certificate, providing HTTPS encryption to lend an appearance of legitimacy while evading basic network-based detection. Users who have visited nuventis.online or entered credentials on any page hosted under this domain should assume compromise and take immediate remediation steps. Rotate all passwords for enterprise accounts, personal email, and any services where credentials may have been reused. Enable multi-factor authentication using app-based or hardware tokens, avoiding SMS or email-based methods vulnerable to interception. Review recent login activity for unauthorized access, particularly from unfamiliar IP addresses or devices. If corporate credentials were exposed, notify internal security teams to initiate incident response procedures, including revoking active sessions and scanning for indicators of compromise. Monitor financial and identity-related accounts for signs of fraud, as credential theft often precedes account takeover or identity theft. Network administrators should block the domain and IP at perimeter controls and add detection rules for related infrastructure patterns. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/nuventis.online/ JSON API: https://api.destroy.tools/v1/check?domain=nuventis.online Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 173,923 domains (14,619 alive under monitoring, 158,575 confirmed takedowns/dead). Site: https://phishdestroy.io