# PhishDestroy threat dossier — qq99.vip
================================================================
Fetched: 2026-06-29 05:00:10 UTC
Canonical: https://phishdestroy.io/domain/qq99.vip/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: referer_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 19/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, Cluster25, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, MalwareURL, Netcraft, OpenPhish, SOCRadar, Sophos, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 45.125.15.105 (HK, Mong Kok)
ASN: AS55933 Cloudie Limited
Hosting org: Cloudie Limited
Registrar: Namemart Limited
Nameservers: clay.ns.cloudflare.com, tiffany.ns.cloudflare.com
Registered: 2023-06-05
Expires: 2027-06-05
Page title: 姚记游戏
HTTP response: 200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2023-06-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-28 12:02:23 UTC (by PhishDestroy tracker)
First reported: 2026-06-28 10:06:47 UTC (abuse notice filed)
Last verified: 2026-06-29 04:20:35 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f0dad-8b4c-76c0-8034-6cf4c1b3f35b/
URLQuery: https://urlquery.net/report/5a939101-118d-44fe-80fc-1e7adc6070e5
Wayback Machine: https://web.archive.org/web/*/qq99.vip
crt.sh CT logs: https://crt.sh/?q=%25.qq99.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=qq99.vip
AlienVault OTX: https://otx.alienvault.com/indicator/domain/qq99.vip
URLhaus: https://urlhaus.abuse.ch/host/qq99.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-28 12:55:52 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain qq99.vip is identified as a generic phishing threat and is currently active. There is no specific brand being impersonated at this time. Analysis of the domain reveals that it was registered through Namemart Limited on June 05, 2023. The domain resolves to the IP address 45.125.15.105 and appears on 2 security blocklists. Security assessments indicate that 18 out of 95 VirusTotal vendors have flagged this domain. Furthermore, it has a Gridinsoft trust score of 0/100, which indicates a high level of risk. Given its elevated risk and active status, it is recommended to block access to qq99.vip and monitor for any incoming traffic to the associated IP.
Organizations and individuals are advised to educate users to avoid interacting with links or communications from this domain and to employ updated security measures to prevent phishing attempts.

[Updates since narrative was generated:]
- VirusTotal detections: now 19/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260628-76ACBF
Favicon MD5: 146d3781c1050eed48bc35cc7cd8aa52

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/qq99.vip/
JSON API: https://api.destroy.tools/v1/check?domain=qq99.vip
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,288 domains (13,596 alive under monitoring, 158,144 confirmed takedowns/dead).
Site: https://phishdestroy.io