# PhishDestroy threat dossier — penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev ================================================================ Fetched: 2026-04-25 11:57:48 UTC Canonical: https://phishdestroy.io/domain/penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 90/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/94 security vendors flagged this domain Flagging vendors: ESET, Emsisoft, Gridinsoft, Netcraft, Webroot ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Cloudflare, Inc. Nameservers: andy.ns.cloudflare.com, bristol.ns.cloudflare.com Registered: 2026-04-23 Page title: Suspected phishing site | Cloudflare HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-07-10 Status: INVALID chain Fingerprint: a17ceea8ba70760d3d1013dc45c54da5b7e3af5664222ca06b4c9564efcb02a2 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-23 03:11:56 UTC (by PhishDestroy tracker) Last verified: 2026-04-25 01:42:20 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019db7ab-5f57-7626-bf66-72a8ccab48e4/ Wayback Machine: https://web.archive.org/web/*/penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev crt.sh CT logs: https://crt.sh/?q=%25.penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev AlienVault OTX: https://otx.alienvault.com/indicator/domain/penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev URLhaus: https://urlhaus.abuse.ch/host/penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-23 03:12:17 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev as an active credential theft domain posing as a legitimate service to harvest user login credentials. This Pages.dev subdomain leverages Cloudflare’s infrastructure to host a spoofed login portal, likely targeting unsuspecting victims with fake authentication prompts to capture sensitive data. The domain’s use of a Google Trust Services SSL certificate adds a veneer of legitimacy, misleading users into trusting the malicious site. Based on current telemetry, the threat actor behind this campaign appears to be conducting reconnaissance for broader credential harvesting operations, potentially linked to fraudulent activities targeting corporate or personal accounts. This domain was flagged under seed dae629 for high-risk behavior consistent with identity theft campaigns. This domain exhibits multiple red flags indicative of credential theft infrastructure. According to VirusTotal analysis, it remains undetected by 0 out of 95 security engines as of the latest scan, highlighting the evasive nature of the threat. The domain is registered through Cloudflare, Inc., a common choice among threat actors for anonymizing hosting infrastructure, and resolves to IP address 188.114.97.3, a known hosting provider frequently abused for malicious activities. While the exact creation date is not publicly disclosed, the domain’s association with a Pages.dev subdomain suggests recent deployment, likely within the last 30 days. The absence of detections, combined with its infrastructure choices, underscores the urgent need for proactive monitoring and blocking by security teams and end users alike. Users who may have inadvertently visited this domain should immediately audit their account credentials for unauthorized access or suspicious activity. If you entered any login details on this site, change passwords immediately and enable multi-factor authentication (MFA) where available. Report the incident to your IT security team or email provider if corporate credentials were used, as this domain may be part of a larger credential stuffing campaign. Ensure your device is scanned for malware, as threat actors often deploy keyloggers or browser hijackers to maintain persistence. To prevent future exposure, avoid clicking on unsolicited links and verify the authenticity of websites through official channels. This domain remains active as of the latest assessment, and users are strongly advised to block it at the network level and update their threat intelligence feeds accordingly. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 5e1f5addac24d740cec0c41d5f99cd20 TLS cert SHA-256: a17ceea8ba70760d3d1013dc45c54da5b7e3af5664222ca06b4c9564efcb02a2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev/ JSON API: https://api.destroy.tools/v1/check?domain=penvex-darvin-biz-marpex-hilnox-sp15ct12.pages.dev Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io