# PhishDestroy threat dossier — shangriladubai.spahotel.guru
================================================================

Fetched:   2026-04-30 17:12:57 UTC
Canonical: https://phishdestroy.io/domain/shangriladubai.spahotel.guru/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      18/95 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, BitDefender, Cluster25, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, OpenPhish, Seclookup, SOCRadar, Sophos, VIPRE, Webroot
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      52.29.26.157 (DE, Frankfurt am Main)
ASN:             AS16509 Amazon.com, Inc.
Hosting org:     AWS EC2 (eu-central-1)
Registrar:       Spaceship, Inc.
Nameservers:     ["launch1.spaceship.net", "launch2.spaceship.net"]
Registered:      2026-04-30
Page title:      Shangri-La Dubai - Dubai, United Arab Emirates
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-01
Status:     INVALID chain
Fingerprint: 1da303c34dd7031e5b1fcc8f9aa0727e0cc7b775c55d84984abadc7e6d003c1c
Subject Alternative Names (related infrastructure — often same operator):
  - spahotel.guru

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-30 13:43:06 UTC (by PhishDestroy tracker)
Last verified:     2026-04-30 19:50:09 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dddfa-0216-7438-9d28-fd2272843750/
Wayback Machine:  https://web.archive.org/web/*/shangriladubai.spahotel.guru
crt.sh CT logs:   https://crt.sh/?q=%25.shangriladubai.spahotel.guru
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=shangriladubai.spahotel.guru
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/shangriladubai.spahotel.guru
URLhaus:          https://urlhaus.abuse.ch/host/shangriladubai.spahotel.guru/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-30 13:44:30 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the domain shangriladubai.spahotel.guru as an active fake-hotel phishing campaign. The site impersonates the legitimate Shangri-La Hotel brand to harvest online booking credentials and payment card details. This campaign is currently live and is leveraging look-alike domain techniques to deceive travelers seeking luxury accommodations in Dubai.

Technical indicators confirm this site is malicious. VirusTotal flags the domain with 18 of 95 security vendors classifying it as malicious, and it appears on multiple open blocklists including OpenPhish and PhishingArmy. The infrastructure resolves to IPv4 address 52.29.26.157 and utilizes a Let’s Encrypt SSL certificate to appear legitimate. The domain was flagged within days of creation, with current blocklist counts showing 2 security services already blocking access. These characteristics indicate a hastily deployed but highly targeted credential-harvesting operation.

This domain remains active and poses an elevated risk to users searching for Shangri-La Dubai bookings. All visitors are advised to avoid interacting with shangriladubai.spahotel.guru and to report the domain to their browser vendor or security team. Organizations should update network blocklists with the IP and domain to prevent employee exposure. Travelers are encouraged to book directly through verified Shangri-La domains such as shangri-la.com or official partner platforms to ensure transaction safety.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       f64ad864d87e446dc9f89caf5522936c
TLS cert SHA-256:      1da303c34dd7031e5b1fcc8f9aa0727e0cc7b775c55d84984abadc7e6d003c1c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/shangriladubai.spahotel.guru/
JSON API:          https://api.destroy.tools/v1/check?domain=shangriladubai.spahotel.guru
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io