# PhishDestroy threat dossier — support.suryagharyojna.com ================================================================ Fetched: 2026-05-20 19:03:06 UTC Canonical: https://phishdestroy.io/domain/support.suryagharyojna.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 3/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/91 security vendors flagged this domain URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.149.120.183 (RU, Rostov-on-Don) ASN: AS57724 DDOS-GUARD LTD Hosting org: Ddos-guard LLC Registrar: GoDaddy.com, LLC Nameservers: ns1.dns-parking.com, ns2.dns-parking.com Registered: 2024-02-19 Page title: Valo.taxi - नकद और सवारी ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-07-23 Status: INVALID chain Fingerprint: ad3337d3a6d4092e16635e5750027c709d366862740425cbd59e7d9bbeaab4b6 Subject Alternative Names (related infrastructure — often same operator): - app.admin.shop.suryagharyojna.com - app.vdi1.suryagharyojna.com - cdn.suryagharyojna.com - dev.assets.suryagharyojna.com - smtp.suryagharyojna.com - staging.admin.inqliautoconfig.suryagharyojna.com - status.admin.inqliautoconfig.suryagharyojna.com - test.98162d6b-a0c0-4c42-aeb4-bb493bb60d93.suryagharyojna.com - test.rds.suryagharyojna.com - www.api.suryagharyojna.com - www.remoteapps2.suryagharyojna.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2024-02-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-03 15:21:32 UTC (by PhishDestroy tracker) First reported: 2026-05-03 12:31:16 UTC (abuse notice filed) Last verified: 2026-05-17 01:40:11 UTC Neutralised: 2026-05-12 02:44:19 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dedc7-bbf3-7701-b7cb-c19adbabef0f/ URLQuery: https://urlquery.net/report/eea1502f-64da-47bc-8afc-b23012232df2 Wayback Machine: https://web.archive.org/web/*/support.suryagharyojna.com crt.sh CT logs: https://crt.sh/?q=%25.support.suryagharyojna.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=support.suryagharyojna.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/support.suryagharyojna.com URLhaus: https://urlhaus.abuse.ch/host/support.suryagharyojna.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-03 15:23:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies support.suryagharyojna.com as an ACTIVE generic phishing domain hosting a credential-harvesting trap designed to impersonate a legitimate support portal. The site lures victims under the guise of technical assistance to steal login credentials, banking details, or other sensitive data. Given the absence of current blocklist detections and the use of a freshly issued SSL certificate via Let's Encrypt, this campaign exhibits high operational stealth. Users who access this domain risk immediate credential compromise and downstream financial fraud due to the realistic look of the fake login interface. PhishDestroy categorizes this as an active, ongoing threat requiring immediate user caution and network-level mitigation. This domain was flagged by PhishDestroy seed #29da72 as a confirmed phishing site targeting unsuspecting users. The infrastructure analysis reveals the domain points to IP address 185.149.120.183 and was created on February 19, 2024, indicating a very recent registration intended to evade historical reputation filters. The domain is registered through GoDaddy.com, LLC using a privacy-protected registrant to obscure ownership, which is common in malicious campaigns. As of the latest VirusTotal scan, support.suryagharyojna.com shows 0 detections out of 95 engines, demonstrating zero detection by major AV suites at time of forensic capture. The Let's Encrypt SSL certificate provides a false sense of legitimacy but offers no real security benefit, as the certificate is only used to mask traffic as HTTPS and avoid browser warnings. Despite its current clean status on public threat feeds, the absence of domain age, lack of historical trust, and real-time activity strongly suggest this is an emergent credential-phishing campaign. To mitigate the credential theft risk posed by support.suryagharyojna.com, PhishDestroy recommends users verify any unsolicited login prompts by manually typing known, trusted URLs and enabling multi-factor authentication (MFA) on all accounts. Network administrators should implement DNS sinkholing or domain blocking at the firewall level using the IP address 185.149.120.183 and domain name support.suryagharyojna.com to prevent internal access. If credentials were entered, victims should immediately reset passwords across all accounts using the same login, revoke active sessions, and monitor for unauthorized transactions. Given the domain’s recent creation and zero detection rate, it is likely already propagating via phishing emails purporting to be from tech support. Immediate user education and proactive blocking are critical to contain this campaign before it gains wider traction. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260503-6BDD04 TLS cert SHA-256: ad3337d3a6d4092e16635e5750027c709d366862740425cbd59e7d9bbeaab4b6 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/support.suryagharyojna.com/ JSON API: https://api.destroy.tools/v1/check?domain=support.suryagharyojna.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,134 domains (43,336 alive under monitoring, 108,506 confirmed takedowns/dead). Site: https://phishdestroy.io