# PhishDestroy threat dossier — oc-google.com.cn
================================================================
Fetched: 2026-05-22 17:09:21 UTC
Canonical: https://phishdestroy.io/domain/oc-google.com.cn/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 83/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Google

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 10/95 security vendors flagged this domain
Flagging vendors: BitDefender, CRDF, Emsisoft, Fortinet, G-Data, Gridinsoft, Netcraft, OpenPhish, SOCRadar, Webroot
URLQuery: 2 detections
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 156.240.32.52
Registrar: 浙江贰贰网络有限公司
Nameservers: ns1.22.cn, ns2.22.cn
Registered: 2026-04-06
Page title: 谷歌浏览器官方下载_Google Chrome最新免费下载-Windows版 (translation: "Google Chrome official download_Google Chrome latest free download-Windows edition")
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-08-19
Status: INVALID chain
Fingerprint: d66b5ae9a8186c6644811305c68842122d9aa1b0c5539aa97db71a1bb9c7a365
Subject Alternative Names (related infrastructure — often same operator):

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-22 09:25:16 UTC (by PhishDestroy tracker)
First reported: 2026-05-22 06:27:07 UTC (abuse notice filed)
Last verified: 2026-05-22 13:00:12 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e4e5a-d3ff-735d-9b25-7b9eb2c60a15/
URLQuery: https://urlquery.net/report/110f471e-a21d-42cc-b434-64b7fc4db6dc
Wayback Machine: https://web.archive.org/web/*/oc-google.com.cn
crt.sh CT logs: https://crt.sh/?q=%25.oc-google.com.cn
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=oc-google.com.cn
AlienVault OTX: https://otx.alienvault.com/indicator/domain/oc-google.com.cn
URLhaus: https://urlhaus.abuse.ch/host/oc-google.com.cn/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-22 09:25:38 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies oc-google.com.cn as a high-risk brand impersonation domain actively impersonating Google, posing a significant threat to unsuspecting users. This domain, created on April 06, 2026, resolves to IP address 156.240.32.52 and leverages a Let's Encrypt SSL certificate to appear legitimate. Registered through 浙江贰贰网络有限公司, the domain has been flagged by 10 out of 95 security vendors on VirusTotal and appears on 3 separate security blocklists, including Phishunt, OpenPhish, and PhishingArmy. Despite its seemingly trustworthy SSL certificate, the domain's recent creation and immediate detection by multiple security platforms underscore its malicious intent.
The domain's technical indicators reveal a pattern consistent with phishing operations. VirusTotal's detection rate of 10/95 suggests moderate but not universal recognition of the threat, while its presence on three reputable blocklists confirms its malicious nature. The domain's registration through a Chinese registrar and its use of a Google-lookalike label (oc-google) under .com.cn further align with common tactics used by threat actors to deceive users. The IP address 156.240.32.52, while not inherently suspicious, is associated with this domain's malicious activities, warranting caution.

To mitigate the risk posed by oc-google.com.cn, users should avoid accessing the domain entirely and verify the legitimacy of any Google-related URLs before entering sensitive information. Organizations should ensure their security tools are updated to block this domain and similar impersonation attempts. Additionally, user education on recognizing brand impersonation tactics, such as scrutinizing domain names and SSL certificates, is critical. Network defenders are advised to implement DNS filtering rules to block resolution of this domain and monitor for any associated malicious activity. Proactive threat hunting for similar domains registered recently or mimicking other brands is also recommended to prevent further exploitation.

[Updates since narrative was generated:]
- VirusTotal detections: now 10/95 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260522-D30930
Favicon MD5: 37e4c953c3d82a9745da1f65435662f6
TLS cert SHA-256: d66b5ae9a8186c6644811305c68842122d9aa1b0c5539aa97db71a1bb9c7a365

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/oc-google.com.cn/
JSON API: https://api.destroy.tools/v1/check?domain=oc-google.com.cn
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,763 domains (42,108 alive under monitoring, 110,374 confirmed takedowns/dead). Site: https://phishdestroy.io