# PhishDestroy threat dossier — phanexten.info
================================================================

Fetched:   2026-06-26 22:32:06 UTC
Canonical: https://phishdestroy.io/domain/phanexten.info/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: wordpress

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      17/93 security vendors flagged this domain
  Flagging vendors: ChainPatrol, alphaMountain.ai, BitDefender, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Lionic, Seclookup, SOCRadar, Sophos, Trustwave, VIPRE, Webroot
Public blocklists: listed on 3 independent blocklists
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      162.241.85.94 (US, Provo)
ASN:             ASAS46606 UNIFIEDLAYER-AS-1, US
Hosting org:     AS46606 Unified Layer
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     rns19.webhostbox.net, rns20.webhostbox.net
Registered:      2026-01-01
Expires:         2027-01-01
Page title:      My Blog - My WordPress Blog

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     none
Status:     INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-01-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
First reported:    2026-01-05 05:25:41 UTC (abuse notice filed)
Last verified:     2026-06-27 00:20:35 UTC
Neutralised:       2026-05-09 04:36:33 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019b8c9d-e3d9-72d4-8357-b59acf28851c/
Wayback Machine:  https://web.archive.org/web/*/phanexten.info
crt.sh CT logs:   https://crt.sh/?q=%25.phanexten.info
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=phanexten.info
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/phanexten.info
URLhaus:          https://urlhaus.abuse.ch/host/phanexten.info/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 23:50:00 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, phanexten.info, poses a high-risk brand impersonation threat targeting WordPress users. The site mimics legitimate WordPress login or administrative pages, potentially tricking visitors into entering credentials or downloading malicious plugins. Such impersonation can lead to account takeovers, unauthorized access to websites, or the installation of backdoors, compromising both user data and site integrity. The threat is particularly dangerous for website administrators who may unknowingly expose their entire infrastructure to attackers by interacting with the fraudulent page.

Analysis indicates the domain was created on January 01, 2026, and is registered through PDR Ltd. d/b/a PublicDomainRegistry.com. It lacks an SSL certificate, a red flag for legitimacy, and resolves to the IP address 162.241.85.94, hosted on AS46606 (Unified Layer) in the United States. The domain appears on three security blocklists and is flagged by 17 out of 95 security vendors on VirusTotal. The page title, 'My Blog - My WordPress Blog,' further suggests an attempt to deceive users into believing they are interacting with a genuine WordPress site.

If you visited phanexten.info, take immediate action to mitigate potential risks. First, disconnect the affected device from the network to prevent further data exfiltration. Run a full scan using updated antivirus or endpoint detection tools to identify and remove any malware. Change all passwords associated with WordPress accounts, including administrative credentials, FTP, and database access, using strong, unique passwords. Enable multi-factor authentication (MFA) where available. Monitor the affected website for unauthorized changes, such as new user accounts, unfamiliar plugins, or modified files. If credentials were entered on the site, assume they are compromised and revoke any active sessions. Finally, report the incident to your organization’s security team or a trusted cybersecurity professional for further analysis.

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/phanexten.info/
JSON API:          https://api.destroy.tools/v1/check?domain=phanexten.info
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,645 domains (12,254 alive under monitoring, 158,002 confirmed takedowns/dead). Site: https://phishdestroy.io