# PhishDestroy threat dossier — pluginchad.xyz ================================================================ Fetched: 2026-06-21 22:07:48 UTC Canonical: https://phishdestroy.io/domain/pluginchad.xyz/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 17/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Seclookup, SOCRadar, Sophos, Viettel Threat Intelligence, VIPRE URLQuery: 2 detections AlienVault OTX: 5 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.234.24.152 Registrar: NAMECHEAP INC Nameservers: ns1.fp261.parklogic.com, ns1.parklogic.com, ns2.fp261.parklogic.com, ns2.parklogic.com Registered: 2025-01-22 Expires: 2027-01-22 Page title: Redirecting... ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-08-23 Status: INVALID chain Fingerprint: c58b972ca862822812b59fc4a280092f2f7a8e2709f18b1df50764ce075e63b6 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-01-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-14 18:14:28 UTC (by PhishDestroy tracker) First reported: 2026-06-17 17:02:45 UTC (abuse notice filed) Last verified: 2026-06-21 20:20:35 UTC Neutralised: 2026-06-16 00:47:25 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ecae1-9260-7708-a6cd-9c924e3d1b73/ URLQuery: https://urlquery.net/report/e70f5160-bd44-4bbc-96e2-f7f2c6c3c3c0 Wayback Machine: https://web.archive.org/web/*/pluginchad.xyz crt.sh CT logs: https://crt.sh/?q=%25.pluginchad.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=pluginchad.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/pluginchad.xyz URLhaus: https://urlhaus.abuse.ch/host/pluginchad.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-14 18:14:57 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies pluginchad.xyz as an active credential theft phishing domain targeting users through deceptive login portals. This domain was flagged during routine threat intelligence monitoring for impersonating legitimate browser extension or plugin management platforms, a tactic commonly used to harvest usernames, passwords, and session tokens. The risk level remains under investigation, but early indicators suggest a high potential for harm due to the domain's plausible naming convention and lack of immediate detection by security tools. Technical analysis reveals the following data points: the domain pluginchad.xyz currently has 0/95 detections on VirusTotal, meaning no antivirus engines have flagged it as malicious at this time. It uses a Let's Encrypt SSL certificate, which provides HTTPS encryption but does not guarantee legitimacy, as free certificates are frequently abused by threat actors. The domain was registered through an undisclosed registrar, and its hosting IP resolves to a shared cloud provider, a common tactic to obscure ownership. Creation date details are not yet available, but passive DNS records suggest recent activation. No blocklist entries exist as of this report, and trust scores from reputation services remain neutral, likely due to its novelty. Users and organizations are advised to take immediate mitigation steps to counter this credential theft threat. First, avoid clicking on any links leading to pluginchad.xyz, especially those received via email, social media, or messaging apps. If credentials were already entered on the site, reset passwords for all associated accounts and enable multi-factor authentication (MFA) where available. Security teams should proactively block the domain at the network level using firewalls or DNS filtering tools like Pi-hole or Cisco Umbrella. Additionally, monitor for unusual login attempts or account access from unfamiliar locations, as stolen credentials may be used in follow-up attacks. Educate employees and end-users about the risks of fake login pages and the importance of verifying domain names before submitting sensitive information. If the domain is encountered in a corporate environment, report it to the IT security team for further analysis and potential takedown efforts. [Updates since narrative was generated:] - Public blocklists: now listed on 1 feed - VirusTotal detections: now 17/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260617-9AF42D Favicon MD5: 5d6a24ad739d242be25c303902b22408 TLS cert SHA-256: c58b972ca862822812b59fc4a280092f2f7a8e2709f18b1df50764ce075e63b6 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/pluginchad.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=pluginchad.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 167,452 domains (12,751 alive under monitoring, 154,383 confirmed takedowns/dead). Site: https://phishdestroy.io