# PhishDestroy threat dossier — slonj6.cc ================================================================ Fetched: 2026-06-30 13:41:28 UTC Canonical: https://phishdestroy.io/domain/slonj6.cc/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 84/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker, Fortinet Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 5.253.59.165 (NL, Amsterdam) ASN: AS215540 GLOBAL CONNECTIVITY SOLUTIONS LLP Hosting org: Neterra Ltd Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: jasmine.ns.cloudflare.com, kyle.ns.cloudflare.com Registered: 2026-05-30 Expires: 2027-05-30 Page title: slon6.at, slon6.cc — Оптовый маркетплейс строительных материалов HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-04 Status: INVALID chain Fingerprint: 80afa4317cc201826a0ddcf8ec031f15ca775b286594af1ee7714e7497edb38d Subject Alternative Names (related infrastructure — often same operator): - www.slonj6.cc ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-27 01:46:29 UTC (by PhishDestroy tracker) First reported: 2026-06-26 23:50:27 UTC (abuse notice filed) Last verified: 2026-06-30 12:40:07 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f0653-2403-70c8-a074-2d44cd05128e/ URLQuery: https://urlquery.net/report/148a7247-0bcd-4bc5-b92d-74c8822c61d8 Wayback Machine: https://web.archive.org/web/*/slonj6.cc crt.sh CT logs: https://crt.sh/?q=%25.slonj6.cc Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=slonj6.cc AlienVault OTX: https://otx.alienvault.com/indicator/domain/slonj6.cc URLhaus: https://urlhaus.abuse.ch/host/slonj6.cc/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-27 01:56:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, slonj6.cc, is an active generic phishing site with no specific brand impersonation or drainer kit identified. The threat type is generic phishing, indicating a broad attempt to deceive users into disclosing sensitive information without targeting a particular entity. Technical indicators: VirusTotal detection score is 2 out of 95 security vendors. The domain is registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar often associated with high-risk domains. It resolves to IP address 5.253.59.165 and was created on May 30, 2026. Google Safe Browsing status is not explicitly provided, but the low vendor detection suggests it may not yet be widely blocklisted. The SSL certificate is issued by Let's Encrypt, a free certificate authority frequently used by malicious sites. Current status remains active, with no reported takedown actions. Infrastructure analysis shows the IP is likely shared among multiple domains. Remaining risk is high due to active status and low detection rate, allowing the site to continue operating undetected by many security tools. Safety guidance: Users should avoid interacting with this domain, do not enter any credentials or personal data, and report the domain to their security team or blocklist providers. Organizations should monitor for any connections to this IP in network logs. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260626-A37308 Favicon MD5: 3ebb607a5b0cebe66a4b7dbeeb2ad481 TLS cert SHA-256: 80afa4317cc201826a0ddcf8ec031f15ca775b286594af1ee7714e7497edb38d ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/slonj6.cc/ JSON API: https://api.destroy.tools/v1/check?domain=slonj6.cc Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 172,677 domains (12,746 alive under monitoring, 159,341 confirmed takedowns/dead). Site: https://phishdestroy.io