# PhishDestroy threat dossier — rmbnagpur.com
================================================================
Fetched: 2026-06-28 17:23:44 UTC
Canonical: https://phishdestroy.io/domain/rmbnagpur.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing
Cloaking: DETECTED — domain returns a custom, non-standard HTTP 666 status to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 16/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Cluster25, CTX AI, CyRadar, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, MalwareURL, SOCRadar, Sophos, VIPRE, Webroot
AlienVault OTX: 1 pulse (threat-intel feed mention)
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 162.241.123.17 (US, Los Angeles)
ASN: AS46606 Unified Layer
Hosting org: Unified Layer
Registrar: Gransy, s.r.o.
Nameservers: grespl.earth.orderbox-dns.com, grespl.mars.orderbox-dns.com, grespl.mercury.orderbox-dns.com, grespl.venus.orderbox-dns.com
Registered: 2025-10-06
Expires: 2026-10-06
Page title (as seen by the scanner): Not Acceptable!

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR1
Expires: 2026-09-13
Status: INVALID chain
Fingerprint (SHA-256): 09d17867ea67573f70c9b781a6d872967a0426595eee2412b0035e21d9829b7b
Subject Alternative Names (related infrastructure — often same operator):
- www.rmbnagpur.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-10-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-28 12:11:01 UTC (by PhishDestroy tracker)
First reported: 2026-06-28 10:17:53 UTC (abuse notice filed)
Last verified: 2026-06-28 18:18:16 UTC
Neutralised: 2026-06-28 18:18:02 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f0db4-b0e6-754f-9e92-19a1a6702a2a/
URLQuery: https://urlquery.net/report/f28a290a-24ee-4d54-9c2a-cd55eaf3aed8
Wayback Machine: https://web.archive.org/web/*/rmbnagpur.com
crt.sh CT logs: https://crt.sh/?q=%25.rmbnagpur.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=rmbnagpur.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/rmbnagpur.com
URLhaus: https://urlhaus.abuse.ch/host/rmbnagpur.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-28 12:16:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, rmbnagpur.com, is flagged as an active credential-harvesting phishing site posing an elevated risk to individuals and organizations. Analysis indicates the infrastructure is designed to mimic legitimate financial or corporate login portals, tricking users into submitting sensitive credentials such as usernames, passwords, and multi-factor authentication codes. The threat type is classified as generic_phishing with a focus on credential theft, likely targeting customers of regional banks or financial services.
Infrastructure analysis shows the domain was registered on 2025-10-06 through Gransy, s.r.o., a registrar frequently associated with high-risk domains. It resolves to 162.241.123.17, an address linked to multiple phishing campaigns in recent months. On VirusTotal, 16 of 95 security vendors flag the domain as phishing or fraudulent. The TLS certificate was issued by Let's Encrypt, a common choice for threat actors because issuance is free and automated (on its own, a free certificate is not evidence of malice; it is the combination with the other indicators that matters). Gridinsoft's trust score for the domain is 0/100, and additional blocklists and threat-intelligence feeds have identified the domain as part of ongoing phishing operations.

To mitigate the risk, organizations should immediately block the domain, its SAN www.rmbnagpur.com, and the resolving IP address 162.241.123.17 at the network perimeter using firewalls, DNS filters, or web proxies. End users who may have interacted with the site should reset the credentials of every account entered on the page, particularly those associated with financial services, and treat any MFA code submitted there as compromised. Security teams should monitor for indicators of compromise, including unusual login attempts or unauthorized transactions. If the domain impersonates a specific brand or institution, the affected entity should issue a public advisory to warn its customers. Continuous monitoring of related infrastructure, such as newly registered domains under the same registrar or IP range, is recommended to identify follow-up campaigns.
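The blocking and monitoring steps above, worked through as an added example (this is not PhishDestroy's code). It takes the indicators the dossier lists (the domain, its SAN and the resolving IP), emits a DNS response-policy zone and Suricata rules for them, and runs a matching pass over log lines. The RPZ zone name, the Suricata SID range and the log-line format are my assumptions, and the log lines are constructed for the demo.

```python
"""Added example, not PhishDestroy's code: turn the dossier's indicators
(domain, its SAN, resolving IP) into perimeter blocking artefacts and run a
matching pass over constructed DNS / proxy / firewall log lines.

Assumptions (not from the dossier): the RPZ zone name, the Suricata SID range
and the log line format are placeholders for this demo.
"""
import ipaddress
import re

# Indicators taken from the dossier.
IOC_DOMAINS = frozenset({"rmbnagpur.com", "www.rmbnagpur.com"})
IOC_IPS = frozenset({"162.241.123.17"})


def rpz_zone(domains=IOC_DOMAINS, ips=IOC_IPS, ttl=300):
    """Build an RPZ zone (BIND / Unbound / Knot Resolver syntax) for DNS filtering.

    Owner names are relative to the zone apex. 'CNAME .' is the RPZ encoding
    for NXDOMAIN. QNAME triggers match exactly, so a wildcard record is added
    for each domain; otherwise login.rmbnagpur.com would still resolve. The
    response-IP trigger (<prefixlen>.<reversed octets>.rpz-ip) also catches
    any other name the operator points at the same host.
    """
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 {ttl}",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        rev = ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))
        lines.append(f"32.{rev}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"


def suricata_rules(domains=IOC_DOMAINS, ips=IOC_IPS, sid=9000001):
    """Emit Suricata 6+ rules. 'dotprefix' + 'endswith' on the dns.query buffer
    matches the domain and any subdomain but not 'notrmbnagpur.com'; the IP
    rule catches traffic to the host regardless of the name used."""
    rules = []
    for d in sorted(domains):
        rules.append(
            f'alert dns any any -> any any (msg:"PhishDestroy IOC DNS query {d}"; '
            f'dns.query; dotprefix; content:".{d}"; endswith; nocase; '
            f'classtype:bad-unknown; sid:{sid}; rev:1;)')
        sid += 1
    for ip in sorted(ips):
        rules.append(
            f'alert ip any any -> {ip} any (msg:"PhishDestroy IOC host {ip}"; '
            f'classtype:bad-unknown; sid:{sid}; rev:1;)')
        sid += 1
    return rules


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def ioc_domain_for(host, domains=IOC_DOMAINS):
    """Return the most specific IOC domain covering host, or None. Matching is
    exact or on a label boundary, so 'notrmbnagpur.com' is not a hit."""
    host = host.lower().rstrip(".")
    hits = [d for d in domains if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def ioc_hits(log_lines, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Scan log lines; return [(line_no, indicator, matched_token), ...]."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        seen = set()
        for ip in _IPV4.findall(line):
            if ip in ips and ip not in seen:
                seen.add(ip)
                hits.append((n, ip, ip))
        for host in _HOST.findall(line):
            d = ioc_domain_for(host, domains)
            if d and d not in seen:
                seen.add(d)
                hits.append((n, d, host))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2026-06-28T12:40:11Z dns client=10.0.4.22 qname=login.rmbnagpur.com qtype=A
2026-06-28T12:40:12Z proxy client=10.0.4.22 url=https://www.rmbnagpur.com/verify/index.php status=200
2026-06-28T12:41:02Z dns client=10.0.4.23 qname=example.com qtype=A
2026-06-28T12:41:03Z fw client=10.0.4.22 dst=162.241.123.17:443 action=allow
2026-06-28T12:42:00Z dns client=10.0.4.30 qname=notrmbnagpur.com qtype=A
"""

if __name__ == "__main__":
    print(rpz_zone())
    print("\n".join(suricata_rules()))
    for n, ioc, token in ioc_hits(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {token} -> IOC {ioc}")
```

The wildcard RPZ record and the `dotprefix`/`endswith` pair are the two details that are easy to get wrong: an exact-match rule for `rmbnagpur.com` lets `login.rmbnagpur.com` through, while a bare substring match fires on unrelated names that merely contain the string. The IP trigger is worth keeping alongside the name rules because the same host can be re-pointed from a fresh domain after takedown.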
[Updates since narrative was generated:]
- VirusTotal detections: now 16/95 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260628-AD5AB5
Favicon MD5: 7f94d10700e3b5e790366695c0c3d6ff
TLS cert SHA-256: 09d17867ea67573f70c9b781a6d872967a0426595eee2412b0035e21d9829b7b

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
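Two of the signals above, worked through as an added example (not PhishDestroy's code): the cloaking check, which compares what a scanner receives with what a browser-like visitor receives, and a composite verdict in which the VirusTotal ratio is only one input, so a domain with 0/95 VT still scores high when it is cloaked, blocklisted and serving a credential form. The two HTTP responses are constructed for the demo (the scanner-side one mirrors the 666 status and "Not Acceptable!" title the dossier reports; the victim-side login page is a mock), and the weights, saturation points and similarity threshold are my assumptions, not PhishDestroy's published scoring.

```python
"""Added example, not PhishDestroy's code: (1) cloaking detection from two
fetches of the same URL, one with a scanner fingerprint and one that looks
like a real visitor, and (2) a composite score that does not collapse to the
VirusTotal ratio. Weights, saturation points and the similarity threshold are
assumptions for this demo; the dossier does not publish PhishDestroy's own.
"""
import difflib
import hashlib
import re

_TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
_PW_INPUT = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def parse_http(raw: bytes) -> dict:
    """Minimal HTTP/1.x response parser. The status code is read straight from
    the status line, so a non-standard code such as 666 is preserved instead
    of being rejected by a stricter client library."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    text = body.decode("utf-8", "replace")
    m = _TITLE.search(text)
    return {
        "status": status,
        "headers": headers,
        "title": m.group(1).strip() if m else "",
        "body": text,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "has_password_form": bool(_PW_INPUT.search(text)),
    }


def cloaking_verdict(scanner: dict, victim: dict, min_similarity=0.85) -> dict:
    """Compare the scanner-side and victim-side responses. Identical bodies mean
    no cloaking; a different status code or a body similarity below the
    threshold (a rendering delta) is reported as content_divergence."""
    if scanner["body_sha256"] == victim["body_sha256"] and scanner["status"] == victim["status"]:
        return {"detected": False, "type": "none", "similarity": 1.0}
    ratio = difflib.SequenceMatcher(None, scanner["body"], victim["body"]).ratio()
    diverged = scanner["status"] != victim["status"] or ratio < min_similarity
    return {
        "detected": diverged,
        "type": "content_divergence" if diverged else "none",
        "similarity": round(ratio, 3),
        "scanner_status": scanner["status"],
        "scanner_title": scanner["title"],
    }


# Assumed weights (not PhishDestroy's): each signal contributes at most its weight.
WEIGHTS = {"vt": 30, "blocklists": 25, "cloaking": 20, "credential_form": 15, "otx": 10}


def composite_score(vt_positives, vt_total, blocklists, cloaked, credential_form, otx_pulses) -> int:
    """Weighted aggregate capped at 100. VT saturates at 25% of vendors and the
    blocklist signal at two independent lists (both assumed cut-offs)."""
    s = WEIGHTS["vt"] * min(1.0, (vt_positives / vt_total) / 0.25)
    s += WEIGHTS["blocklists"] * min(1.0, blocklists / 2)
    s += WEIGHTS["cloaking"] * (1 if cloaked else 0)
    s += WEIGHTS["credential_form"] * (1 if credential_form else 0)
    s += WEIGHTS["otx"] * min(1.0, otx_pulses)
    return round(min(100.0, s))


# Constructed responses (not captured from rmbnagpur.com).
SCANNER_RAW = (b"HTTP/1.1 666 Not Acceptable\r\nContent-Type: text/html\r\n\r\n"
               b"<html><head><title>Not Acceptable!</title></head>"
               b"<body><h1>Not Acceptable!</h1></body></html>")
VICTIM_RAW = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>Secure Login</title></head><body>"
              b"<form method=post action=/verify/index.php>"
              b"<input name=user><input type=password name=pass>"
              b"<input name=otp placeholder='OTP'></form></body></html>")


def dossier_verdict(vt_positives=16, vt_total=95, blocklists=2, otx_pulses=1) -> dict:
    """Run both checks on the constructed responses and combine them; defaults
    are the counts the dossier reports."""
    scanner, victim = parse_http(SCANNER_RAW), parse_http(VICTIM_RAW)
    cloak = cloaking_verdict(scanner, victim)
    score = composite_score(vt_positives, vt_total, blocklists,
                            cloak["detected"], victim["has_password_form"], otx_pulses)
    return {"cloaking": cloak, "credential_form": victim["has_password_form"], "score": score}


if __name__ == "__main__":
    print(dossier_verdict())
    print("same signals with 0/95 VT:", dossier_verdict(vt_positives=0)["score"])
```

Under these assumed weights the dossier's counts give 90 and the same domain with 0/95 VT still gives 70, which is the point of the caveat: the VT ratio moves the score by a third at most, and the cloaking and credential-form signals are measured directly from the site rather than from vendor consensus. The scanner fetch should be made with the User-Agent and source address a bot would present, and the victim fetch from a residential-looking vantage point with a full browser, otherwise both fetches land on the same side of the cloak and the check sees no divergence.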
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/rmbnagpur.com/
JSON API: https://api.destroy.tools/v1/check?domain=rmbnagpur.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 172,026 domains (13,415 alive under monitoring, 158,116 confirmed takedowns/dead).
Site: https://phishdestroy.io