# slon5.info — SUSPICIOUS

> PhishDestroy flags slon5.info as a credential harvesting domain, with 2 of 95 VirusTotal vendors flagging it. Review full report for IOCs and mitigation steps.

## Summary

PhishDestroy identifies slon5.info as an active credential harvesting domain, currently engaged in phishing operations targeting unsuspecting users. The domain is part of a broader campaign designed to mimic legitimate login portals, luring victims into submitting sensitive credentials under false pretenses. Security teams are advised to treat this domain as hostile and implement immediate countermeasures to mitigate potential breaches.

This domain was flagged by 2 of 95 security vendors on VirusTotal, indicating limited but confirmed malicious activity. Registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, slon5.info resolves to IP address 104.21.39.220 and operates with a Let's Encrypt SSL certificate for added authenticity. The domain was created on March 19, 2026, suggesting a recently deployed threat infrastructure. While the blocklist count remains low, the combination of active phishing operations and deceptive SSL credentials significantly elevates the risk profile of this domain.

As of this advisory, slon5.info remains an active threat, with ongoing credential harvesting attempts likely targeting enterprise and consumer users alike. Security teams should immediately block the domain at DNS and firewall levels and investigate any recent login attempts involving this domain. Additionally, users should be alerted to avoid interacting with this site and report any suspicious activity. Proactive monitoring of the associated IP address (104.21.39.220) and SSL certificate fingerprints is strongly recommended to detect potential lateral movement or follow-on attacks.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-19 23:42:02
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.39.220

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/88ade1df-06bf-4ed1-9103-7adbdf7cfa1d
- PhishDestroy: https://phishdestroy.io/domain/slon5.info/
- LLM endpoint: https://phishdestroy.io/domain/slon5.info/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/slon5.info/

Last updated: 2026-03-22