# PhishDestroy threat dossier — pingpanl.pro ================================================================ Fetched: 2026-07-12 16:19:53 UTC Canonical: https://phishdestroy.io/domain/pingpanl.pro/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 95/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 19/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, ArcSight Threat Intelligence, BitDefender, Chong Lua Dao, CyRadar, ESET, ESTsecurity, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Lumu, SOCRadar, Sophos, Viettel Threat Intelligence, VIPRE AlienVault OTX: 8 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.254.97.249 (DE, Frankfurt am Main) ASN: AS58212 dataforest GmbH Hosting org: dataforest GmbH Registrar: Spaceship, Inc. Nameservers: alan.ns.cloudflare.com, kim.ns.cloudflare.com Registered: 2025-09-03 Expires: 2026-09-03 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-10-06 Status: INVALID chain Fingerprint: 49414cba1fe26a2f4ff935f6a939ff0a61ad7be9713778d4dc22f30b8e75dbdc ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-09-03 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 14:30:20 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 18:00:32 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f564e-2845-73db-82e4-98afb8292ee2/ Wayback Machine: https://web.archive.org/web/*/pingpanl.pro crt.sh CT logs: https://crt.sh/?q=%25.pingpanl.pro Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=pingpanl.pro AlienVault OTX: https://otx.alienvault.com/indicator/domain/pingpanl.pro URLhaus: https://urlhaus.abuse.ch/host/pingpanl.pro/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:18:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain pingpanl.pro was registered on September 03, 2025 through Spaceship, Inc. and is currently active. It is classified as a generic phishing infrastructure with a high risk rating. The domain uses Cloudflare nameservers (alan.ns.cloudflare.com, kim.ns.cloudflare.com) and serves an HTTPS certificate issued by Let’s Encrypt under the YR2 profile. The site is built on Microsoft HTTPAPI, a common component for lightweight web services. The hosting IP 185.254.97.249 resolves to a data center in Germany operated by dataforest GmbH, indicating the server is likely being used for short‑lived malicious campaigns. Detection telemetry shows that 19 of 95 VirusTotal security vendors have flagged the domain, and it appears on three external blocklists. It has also been listed in eight AlienVault OTX pulses, suggesting repeated reuse across different threat‑intel feeds. Community‑driven blockers such as PhishDestroy, MetaMask, and SEAL have already added pingpanl.pro to their deny lists, confirming that the domain is actively delivering phishing content. While the observable infrastructure points to a typical phishing deployment, certain operational details remain unknown. The exact phishing kit, credential harvesting fields, and target audience have not been publicly disclosed. No public code repositories or malware hashes have been linked to the domain, and the limited number of vendor detections implies that the payload may be dynamic or that detection signatures are still evolving. Continued monitoring of traffic to the IP and correlation with credential dump activity will be required to refine the threat profile. Defenders should prioritize immediate blocking of pingpanl.pro at perimeter firewalls, DNS filters, and endpoint protection layers. Given the active status and high risk rating, security teams should also watch for outbound connections to 185.254.97.249 and consider sinkholing or sandbox analysis of any payload retrieved from the host. Regular review of threat‑intel feeds for new OTX pulses or additional blocklist entries will help maintain situational awareness as the campaign evolves. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: d9c91e92af6776e767700c6f0c258ec0 TLS cert SHA-256: 49414cba1fe26a2f4ff935f6a939ff0a61ad7be9713778d4dc22f30b8e75dbdc ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/pingpanl.pro/ JSON API: https://api.destroy.tools/v1/check?domain=pingpanl.pro Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,800 domains (49,496 alive under monitoring, 128,230 confirmed takedowns/dead). Site: https://phishdestroy.io