# PhishDestroy threat dossier — onstreamhq.com ================================================================ Fetched: 2026-07-13 05:00:45 UTC Canonical: https://phishdestroy.io/domain/onstreamhq.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Brand Impersonation ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 2/91 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker, SOCRadar URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 88.222.222.128 (LT, Kaunas) ASN: AS47583 Hostinger International Limited Hosting org: AS47583 Hostinger International Limited Registrar: Spaceship, Inc. Nameservers: byte.dns-parking.com, pixel.dns-parking.com Registered: 2026-01-28 Expires: 2027-01-28 Page title: Latest OnStream APK v1.3.0 Free Download on Android (Official) HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE1 Expires: 2026-10-06 Status: INVALID chain Fingerprint: e1d6d2adf0086c2c1072c5a6644e4a98c10ce24531e126cc0adda705536e4594 Subject Alternative Names (related infrastructure — often same operator): - www.onstreamhq.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-01-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-10 14:47:37 UTC (by PhishDestroy tracker) First reported: 2026-07-12 20:27:08 UTC (abuse notice filed) Last verified: 2026-07-13 04:20:41 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4c10-4981-72c8-b258-8297354dd7b1/ URLQuery: https://urlquery.net/report/0c08d6d1-a8e7-4651-80fc-7cd960889aff Wayback Machine: https://web.archive.org/web/*/onstreamhq.com crt.sh CT logs: https://crt.sh/?q=%25.onstreamhq.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=onstreamhq.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/onstreamhq.com URLhaus: https://urlhaus.abuse.ch/host/onstreamhq.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-10 14:55:39 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, onstreamhq.com, is currently flagged as a generic phishing site targeting users seeking Android APK downloads. The page title explicitly claims to offer "Latest OnStream APK v1.3.0 Free Download on Android (Official)", suggesting an attempt to impersonate the legitimate OnStream brand or related services. The domain remains active and is categorized as under investigation due to its deceptive content and infrastructure patterns. Infrastructure analysis reveals the domain was registered on January 28, 2026, through Spaceship, Inc., and resolves to the IP address 88.222.222.128. As of the latest scan, it has not been flagged by any of the 95 vendors on VirusTotal, indicating either a newly established operation or evasion techniques. The SSL certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites. No blocklist entries or trust score deviations have been recorded, but the lack of detections does not preclude malicious intent given the domain's content and registration details. Current status shows the domain remains active and accessible. Users are advised to avoid downloading APK files from this site, as they may contain malware or unwanted software. Network administrators should monitor for connections to 88.222.222.128 and consider blocking the domain at the perimeter. Security teams are encouraged to submit samples from the site for further analysis to confirm malicious payloads or phishing mechanisms. Given the domain's recent creation and lack of prior detections, continued monitoring is recommended. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-DA0D50 Favicon MD5: d10a31d2de739c6f335ab019c43654c1 TLS cert SHA-256: e1d6d2adf0086c2c1072c5a6644e4a98c10ce24531e126cc0adda705536e4594 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/onstreamhq.com/ JSON API: https://api.destroy.tools/v1/check?domain=onstreamhq.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io