# PhishDestroy threat dossier — obs-versions.com
================================================================
Fetched: 2026-05-02 00:24:19 UTC
Canonical: https://phishdestroy.io/domain/obs-versions.com/

## VERDICT
----------------------------------------------------------------
ACTIVE THREAT — multiple warning signs
Composite threat score: 59/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/95 security vendors flagged this domain
Flagging vendors: Bfore.Ai PreCrime

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: NAMECHEAP INC
Nameservers: ariadne.ns.cloudflare.com, wilson.ns.cloudflare.com
Registered: 2026-02-27
Page title: OBS Studio 32.1.2 - Current Version May 2026 | Download & Release Notes
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E7
Expires: 2026-07-26
Status: INVALID chain
Fingerprint: a9ebca577668e581a92128e76dae1c98137a5dfdcb7cd054f99c4e2e2f9b6a0c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-02-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-01 15:42:51 UTC (by PhishDestroy tracker)
First reported: 2026-05-01 12:45:30 UTC (abuse notice filed)
Last verified: 2026-05-02 01:40:05 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019de38c-43be-727a-a986-1c95a771a8c0/
URLQuery: https://urlquery.net/report/0b45f3cc-f048-4bd2-a19c-2313e6e495b4
Wayback Machine: https://web.archive.org/web/*/obs-versions.com
crt.sh CT logs: https://crt.sh/?q=%25.obs-versions.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=obs-versions.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/obs-versions.com
URLhaus: https://urlhaus.abuse.ch/host/obs-versions.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-01 15:46:50 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has identified obs-versions.com as a high-risk website due to its use of brand impersonation. This site mimics the official OBS Studio website to trick users into downloading malicious software or providing sensitive information, potentially leading to system compromise or data theft. The page title "OBS Studio 32.1.2 - Current Version May 2026 | Download & Release Notes" attempts to legitimize the fake download.

This assessment is based on several factors. VirusTotal reports that 1 out of 95 security vendors have flagged the domain as malicious.
Further investigation reveals the domain was registered through NAMECHEAP INC and created relatively recently, on February 27, 2026, which is unusual for a legitimate software provider like OBS Studio. The site resolves to IP address 188.114.97.3. The SSL certificate is issued by Let's Encrypt.

If you have visited obs-versions.com and downloaded any files, immediately run a full system scan with a reputable antivirus program. Change any passwords you may have entered on the site, especially if you use the same password for multiple accounts. Be vigilant for any suspicious activity on your computer or network, and consider reporting the incident to your local cybersecurity authority or the real OBS Studio website.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260501-9DD60D
Favicon MD5: 7fc44c480cf2ff8c969e5c9f110d3d57
TLS cert SHA-256: a9ebca577668e581a92128e76dae1c98137a5dfdcb7cd054f99c4e2e2f9b6a0c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/obs-versions.com/
JSON API: https://api.destroy.tools/v1/check?domain=obs-versions.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io