# PhishDestroy threat dossier — sahar2ray.online ================================================================ Fetched: 2026-07-13 05:31:11 UTC Canonical: https://phishdestroy.io/domain/sahar2ray.online/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 14/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, ArcSight Threat Intelligence, BitDefender, Chong Lua Dao, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, SOCRadar, Sophos, Viettel Threat Intelligence, Webroot AlienVault OTX: 6 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 45.86.162.197 (NL, Amsterdam) ASN: AS199959 GWY IT PTY LTD Hosting org: CrownCloud Registrar: NameCheap, Inc. Nameservers: dns1.registrar-servers.com, dns2.registrar-servers.com Registered: 2025-09-14 Expires: 2026-09-14 Page title: Homepage | Women's Initiative for Gender Justice HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE1 Expires: 2026-09-18 Status: INVALID chain Fingerprint: 6fac6746b3a8f54ba4467364b8f74bf213fb1b30f9b49201692dc85ee70d6a27 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-09-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 14:14:36 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 04:20:41 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f563f-d1bd-707a-a08a-21818cee79e9/ Wayback Machine: https://web.archive.org/web/*/sahar2ray.online crt.sh CT logs: https://crt.sh/?q=%25.sahar2ray.online Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=sahar2ray.online AlienVault OTX: https://otx.alienvault.com/indicator/domain/sahar2ray.online URLhaus: https://urlhaus.abuse.ch/host/sahar2ray.online/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:18:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain sahar2ray.online was registered on September 14 2025 through NameCheap, Inc. and is served by the authoritative name servers dns1.registrar-servers.com and dns2.registrar-servers.com. The registration date places the site in the window of recent malicious infrastructure deployments, and the use of a widely‑used registrar aligns with typical phishing operators seeking quick domain acquisition. Network resolution points the domain to the IPv4 address 45.86.162.197, which resolves to a hosting provider identified as CrownCloud in the Netherlands. The web server is Nginx and the site presents a valid Let’s Encrypt certificate (issuer: Let’s Encrypt / YE1). Front‑end technologies include WordPress, MySQL, PHP, jQuery, jQuery Migrate, and HTTP Strict Transport Security (HSTS). Google Analytics scripts are also loaded, indicating attempts to track visitor interactions. Dynamic analysis on VirusTotal shows that 13 of 95 antivirus and scanning engines flag the domain as malicious, reflecting a moderate consensus among security vendors. The domain appears on a single public blocklist and is actively blocked by the PhishDestroy mitigation service. AlienVault OTX lists the indicator in six separate threat intelligence pulses, reinforcing its association with phishing campaigns. While the public evidence confirms the domain’s involvement in a high‑risk phishing operation, details such as the specific credential‑stealing kit, targeted brands, or victim geography remain unclear. Defenders should update perimeter filters to deny or quarantine traffic to sahar2ray.online and its resolved IP, monitor for any outbound connections to the embedded Google Analytics endpoint, and consider sinkholing the IP address where feasible. Continuous visibility through DNS logging and threat‑intel feed correlation will help detect any future re‑use of the same hosting infrastructure. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 9779554f591d7526270ea2da1f3d1a4b TLS cert SHA-256: 6fac6746b3a8f54ba4467364b8f74bf213fb1b30f9b49201692dc85ee70d6a27 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/sahar2ray.online/ JSON API: https://api.destroy.tools/v1/check?domain=sahar2ray.online Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,010 domains (49,744 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io