# PhishDestroy threat dossier — slon-cnc.sk ================================================================ Fetched: 2026-07-02 08:26:56 UTC Canonical: https://phishdestroy.io/domain/slon-cnc.sk/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 53/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/94 security vendors flagged this domain Flagging vendors: CRDF, Gridinsoft, SOCRadar AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 86.110.243.205 (SK, Galanta) ASN: AS29405 VNET a.s. Hosting org: VNET a.s. Registrar: WebHouse, s.r.o. Registered: 2026-03-28 Page title: SLON s.r.o. | CNC obrábanie HTTP response: 500 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-05-09 Status: INVALID chain Fingerprint: 60d6cb23189297c11186b7ef767174916a35e07bb4f6b5b166dae8db79d045a2 Subject Alternative Names (related infrastructure — often same operator): - www.slon-cnc.sk ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-03-28 06:30:07 UTC (by PhishDestroy tracker) First reported: 2026-03-28 03:55:27 UTC (abuse notice filed) Last verified: 2026-07-02 08:20:36 UTC Neutralised: 2026-04-23 02:14:21 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d3292-5e5b-70ec-a06f-2a700aab37b4/ URLQuery: https://urlquery.net/report/268ecccc-05b0-4c96-ba95-26e67f70b586 Wayback Machine: https://web.archive.org/web/*/slon-cnc.sk crt.sh CT logs: https://crt.sh/?q=%25.slon-cnc.sk Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=slon-cnc.sk AlienVault OTX: https://otx.alienvault.com/indicator/domain/slon-cnc.sk URLhaus: https://urlhaus.abuse.ch/host/slon-cnc.sk/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 12:48:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, slon-cnc.sk, is confirmed to operate as a credential theft site designed to harvest login credentials by impersonating SLON s.r.o., a legitimate CNC machining company. The site presents itself as the official portal for SLON s.r.o., using the company’s branding, logo, and page title (SLON s.r.o. | CNC obrábanie) to deceive visitors into entering sensitive information such as usernames, passwords, or corporate credentials. Credential theft of this nature is often leveraged for further attacks, including unauthorized access to corporate networks, financial fraud, or identity theft. The risk is particularly elevated for employees or partners of SLON s.r.o., as well as individuals searching for CNC machining services in Slovakia or Central Europe. Analysis indicates this domain was registered on March 28, 2026, through WebHouse, s.r.o., a registrar commonly associated with both legitimate and malicious domains. The site resolved to the IP address 86.110.243.205 and was secured with a Let’s Encrypt SSL certificate, a tactic frequently employed by threat actors to create a false sense of legitimacy. At the time of assessment, the domain was flagged by 3 out of 95 security vendors on VirusTotal, including entries in two security blocklists and one threat intelligence pulse on AlienVault OTX. The Gridinsoft trust score of 0/100 further corroborates the malicious nature of the infrastructure. The domain’s recent creation date, combined with its immediate appearance on blocklists, suggests a deliberate attempt to exploit the SLON s.r.o. brand for short-term malicious activity before detection and takedown. If you or someone in your organization visited slon-cnc.sk and entered any credentials or personal information, immediate action is required. First, reset all passwords associated with the compromised account, prioritizing email, financial, and corporate systems. Enable multi-factor authentication (MFA) wherever possible to mitigate the risk of unauthorized access. Monitor accounts for suspicious activity, such as unauthorized logins, password change requests, or unusual transactions. If the compromised credentials were used for corporate access, notify your IT or security team to conduct a thorough review of network logs and potential lateral movement. Additionally, consider reporting the incident to local cybersecurity authorities or the legitimate SLON s.r.o. to aid in broader threat mitigation efforts. Users should also verify the authenticity of any communications claiming to be from SLON s.r.o. by cross-referencing official contact details from the company’s verified website or business registry. [Updates since narrative was generated:] - VirusTotal detections: now 3/94 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260328-4096AF Favicon MD5: d2d5239eb8cf34454d83ef10221860d7 TLS cert SHA-256: 60d6cb23189297c11186b7ef767174916a35e07bb4f6b5b166dae8db79d045a2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/slon-cnc.sk/ JSON API: https://api.destroy.tools/v1/check?domain=slon-cnc.sk Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead). Site: https://phishdestroy.io