# PhishDestroy threat dossier — staging.portal.islamhorizon.com ================================================================ Fetched: 2026-05-05 16:38:08 UTC Canonical: https://phishdestroy.io/domain/staging.portal.islamhorizon.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 91/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 10/91 security vendors flagged this domain URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.149.120.183 (RU, Rostov-on-Don) ASN: AS57724 DDOS-GUARD LTD Hosting org: Ddos-guard LLC Registrar: Domain.com - Network Solutions, LLC Nameservers: ns1.dns-parking.com, ns2.dns-parking.com Registered: 2022-06-15 Page title: Valo.taxi - नकद और सवारी HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-07-19 Status: INVALID chain Fingerprint: cceab99fc6b6ff01c637e0e02587ca9791650298fcc893d1ace3ddc17071faa2 Subject Alternative Names (related infrastructure — often same operator): - admin.a00dd2ac-543c-4d58-826d-24d3505185b9.islamhorizon.com - dev.portal.islamhorizon.com - test.app.islamhorizon.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2022-06-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-03 15:42:42 UTC (by PhishDestroy tracker) First reported: 2026-05-03 12:53:48 UTC (abuse notice filed) Last verified: 2026-05-05 13:07:54 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dedd9-7f06-76bc-a24c-b87f9d37a028/ URLQuery: https://urlquery.net/report/643a36db-8dae-4afc-bd9e-2c26336cdc8d Wayback Machine: https://web.archive.org/web/*/staging.portal.islamhorizon.com crt.sh CT logs: https://crt.sh/?q=%25.staging.portal.islamhorizon.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=staging.portal.islamhorizon.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/staging.portal.islamhorizon.com URLhaus: https://urlhaus.abuse.ch/host/staging.portal.islamhorizon.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-03 15:44:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain staging.portal.islamhorizon.com has been identified as an active brand impersonation site designed for credential theft, specifically targeting users of IslamHorizon’s portal services. This malicious infrastructure mimics the legitimate staging environment of IslamHorizon, a platform known for providing Islamic educational and community resources. The threat actor behind this domain leverages deceptive naming conventions to trick users into entering sensitive login credentials under the false pretense of accessing a legitimate staging portal. Current telemetry confirms the domain is operational and actively resolving, posing an immediate risk to unsuspecting users who may fall prey to this spoofing campaign. This domain was registered through Domain.com via Network Solutions, LLC on June 15, 2022, and is currently hosted on IP address 185.149.120.183. The SSL certificate in use is issued by Let’s Encrypt, a common tactic among threat actors seeking to evade detection by appearing legitimate. VirusTotal analysis shows zero detections out of 95 vendor engines as of the latest scan, indicating a potential zero-day or newly deployed threat that has not yet been widely recognized by security vendors. The domain has not been flagged on any known public blocklists at this time, and no reputation or trust scores are available due to its recent activity and low detection rate. The absence of detections does not equate to safety; rather, it underscores the stealthy nature of this campaign and the need for proactive defense measures. Given the domain’s active status and the specific threat of brand impersonation targeting IslamHorizon users, immediate action is required to mitigate risk. Organizations and users should block access to staging.portal.islamhorizon.com at the network and endpoint levels. Additionally, security teams are advised to inspect DNS logs for any resolutions to the associated IP (185.149.120.183) and to monitor for any successful credential submissions to this domain. User awareness training should emphasize verifying domain names and SSL certificates, particularly when accessing staging or portal environments. Due to the low detection rate on VirusTotal, this threat may evade traditional signature-based defenses, making behavioral analysis and user education critical components of a robust defense strategy. Further investigation into the domain’s infrastructure, such as WHOIS pivoting and certificate transparency logs, may reveal additional related malicious domains. This advisory will be updated as new intelligence becomes available. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260503-B41FBA TLS cert SHA-256: cceab99fc6b6ff01c637e0e02587ca9791650298fcc893d1ace3ddc17071faa2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/staging.portal.islamhorizon.com/ JSON API: https://api.destroy.tools/v1/check?domain=staging.portal.islamhorizon.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 146,028 domains (62,102 alive under monitoring, 83,651 confirmed takedowns/dead). Site: https://phishdestroy.io