# PhishDestroy threat dossier — quark-drive.hl.cn ================================================================ Fetched: 2026-07-12 16:28:01 UTC Canonical: https://phishdestroy.io/domain/quark-drive.hl.cn/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 71/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, Antiy-AVL, BitDefender, CRDF, CyRadar, ESET, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, Sophos, VIPRE, Webroot AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 156.247.33.57 (HK, Hong Kong) ASN: AS138415 Yancy Limited Hosting org: Yancy Limited Registrar: 浙江贰贰网络有限公司 Nameservers: ns1.22.cn, ns2.22.cn Registered: 2026-05-23 Expires: 2027-05-23 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-08-21 Status: INVALID chain Fingerprint: 08e48bc3015e9b1625347e7b0b2eaa24147a9abb983d1516ed6c0243df628995 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 14:09:59 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 18:20:28 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f563b-9bea-71ea-81eb-7c31071c22e1/ Wayback Machine: https://web.archive.org/web/*/quark-drive.hl.cn crt.sh CT logs: https://crt.sh/?q=%25.quark-drive.hl.cn Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=quark-drive.hl.cn AlienVault OTX: https://otx.alienvault.com/indicator/domain/quark-drive.hl.cn URLhaus: https://urlhaus.abuse.ch/host/quark-drive.hl.cn/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:18:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] quark-drive.hl.cn is currently active and was registered on May 23, 2026 through Zhejiang Er Er Network Co., Ltd. The domain resolves to the IP address 156.247.33.57, which is geolocated to Hong Kong and is associated with Yancy Limited. The authoritative name servers are ns1.22.cn and ns2.22.cn, and the web service is hosted on an Nginx server presenting a Let’s Encrypt R13 certificate. These infrastructure elements are consistent with recent phishing campaigns that leverage inexpensive hosting and automated certificate issuance to appear legitimate. VirusTotal scans have flagged the domain in 15 out of 95 security vendor detections, indicating a moderate level of confidence among AV engines. AlienVault OTX lists the domain in two separate threat pulses, and it appears on one public blocklist that is currently enforced by PhishDestroy. The convergence of multiple independent sources confirms that the domain is being used for malicious activity, specifically generic phishing, as classified by the intelligence feed. The generic phishing label suggests the site is likely used to harvest credentials by masquerading as a trusted service, but no specific payload or landing page content has been publicly disclosed. The lack of publicly available samples means that the exact lures, form fields, or credential collection mechanisms remain uncertain. Nevertheless, the presence of a valid TLS certificate and a standard web server indicates an attempt to increase user trust and bypass basic security checks. Defenders should add 156.247.33.57 to network deny lists and block DNS resolution for quark-drive.hl.cn at the perimeter. Continuous monitoring of TLS certificate issuances from Let’s Encrypt for this domain can provide early warning of re‑registration attempts. Organizations should also advise users to verify URLs carefully and to report any unexpected login prompts that reference “quark‑drive” or similar branding. Incident response teams should be prepared to collect forensic artifacts should a victim interaction be observed. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 08e48bc3015e9b1625347e7b0b2eaa24147a9abb983d1516ed6c0243df628995 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/quark-drive.hl.cn/ JSON API: https://api.destroy.tools/v1/check?domain=quark-drive.hl.cn Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,826 domains (49,573 alive under monitoring, 128,253 confirmed takedowns/dead). Site: https://phishdestroy.io