# tripscan-fly.online — SUSPICIOUS

> tripscan-fly.online lures victims with fake travel scans and exfiltrates sensitive documents. Review full report now.

## Summary

tripscan-fly.online is assessed as a suspected document-exfiltration domain masquerading as a travel document scanner. The site presents itself as a legitimate PDF or ticket scanner to trick users into uploading personal or corporate documents, which are then harvested by a JavaScript-based drainer kit hosted on the server. No specific brand or template family has been matched in known threat repositories, so the campaign is either a new actor or a rebranded operation using generic phishing lures. The domain resolves to a single IP address, 199.231.235.173, and serves a recently issued Let's Encrypt TLS certificate. The certificate is not a trust signal: Let's Encrypt issues certificates automatically and free of charge to anyone who controls a domain, so the browser padlock proves only that the operator controls tripscan-fly.online. Users who have interacted with this domain should be considered at high risk of credential and document compromise.

WHOIS data shows the domain was registered on 2026-03-31 through Registrar of Domain Names REG.RU LLC, one week before this report. VirusTotal shows 0 of 95 engines flagging the domain or its payload. For a week-old domain this says nothing about safety; it means only that vendors have not yet seen and classified it, and that unclassified window is when phishing infrastructure does most of its damage. Historical hosting data for 199.231.235.173 shows multiple suspicious domains with rapid turnover, a pattern common to bulletproof hosting providers. Google Safe Browsing has not yet blacklisted the domain, and public blocklists such as AlienVault OTX and Abuse.ch have no entries for tripscan-fly.online. Dwell time remains unquantified, but with no reputation coverage at all, enterprise controls will not stop this domain on their own and blocking has to be done deliberately.

Status: active and under investigation. No remediation has been reported beyond internal blocking in early-adopter security stacks. At the time of the scan the site's HTTP status could not be retrieved (see Threat Details), but the domain still resolves and should be treated as able to collect uploaded documents.
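Isolating the systems that reached this domain first requires finding them. The script below is an added example, not part of the PhishDestroy report or its tooling: it hunts Squid-style proxy logs and BIND-style DNS query logs for the two indicators in this report (the domain, including any subdomain, and the IP), and triages the clients it finds. A direct hit on the domain is high confidence; a hit on the bare IP is marked medium because the report notes the address hosts other domains; a POST or PUT to the domain is flagged as a probable document upload so those users can be prioritised. The log lines are constructed for illustration, not captured traffic.

```python
"""Hunt proxy and DNS logs for the tripscan-fly.online indicators.

Added example, not part of the PhishDestroy report.  Log lines below are
constructed, not captured; assumed formats are a Squid native access.log
and a BIND query log.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the report.
IOC_DOMAINS = {"tripscan-fly.online"}
IOC_IPS = {ipaddress.ip_address("199.231.235.173")}

# Squid native access.log:
#   <epoch> <elapsed> <client> <action/code> <bytes> <method> <url> <ident> <hierarchy/peer> <type>
PROXY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# BIND query log:
#   ... client @0x... <client>#<port> (<qname>): query: <qname> IN <qtype> ...
DNS_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+)"
)

# Constructed sample logs (not real traffic).
PROXY_LOG = [
    # TLS tunnel to the domain: visible even without TLS inspection.
    "1774950123.456    812 10.0.0.12 TCP_TUNNEL/200 4512 CONNECT tripscan-fly.online:443 - HIER_DIRECT/199.231.235.173 -",
    # The upload itself is only visible if the proxy inspects TLS.
    "1774950130.001   1203 10.0.0.12 TCP_MISS/200 20481 POST https://tripscan-fly.online/upload - HIER_DIRECT/199.231.235.173 application/pdf",
    # A subdomain must match too.
    "1774950140.220     90 10.0.0.33 TCP_MISS/200 1500 GET http://cdn.tripscan-fly.online/js/app.js - HIER_DIRECT/199.231.235.173 application/javascript",
    # Direct-to-IP: lower confidence, the IP may host other sites.
    "1774950150.002     50 10.0.0.44 TCP_MISS/200 700 GET http://199.231.235.173/ - HIER_DIRECT/199.231.235.173 text/html",
    # Look-alike names must NOT match the suffix check.
    "1774950155.010     60 10.0.0.66 TCP_MISS/200 800 GET http://nottripscan-fly.online/ - HIER_DIRECT/203.0.113.9 text/html",
    "1774950160.500     40 10.0.0.55 TCP_MISS/200 9000 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]
DNS_LOG = [
    "08-Apr-2026 09:15:02.123 client @0x7f3a1c0 10.0.0.77#53412 (tripscan-fly.online): query: tripscan-fly.online IN A + (10.0.0.53)",
    "08-Apr-2026 09:15:03.004 client @0x7f3a1c0 10.0.0.55#41000 (example.com): query: example.com IN A + (10.0.0.53)",
]


def host_of(url: str) -> str:
    """Host part of a proxy URL or of a CONNECT target of the form host:port."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    if host.count(":") == 1:  # strip :port (IPv6 literals not handled)
        host = host.split(":", 1)[0]
    return host.lower().rstrip(".")


def matches_domain(host: str) -> bool:
    """True for the IOC domain itself and any label under it, not look-alikes."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def matches_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        return False


def hunt(proxy_lines, dns_lines):
    """Map client IP -> list of (indicator kind, method, host) evidence."""
    hits = defaultdict(list)
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        kind = "domain" if matches_domain(host) else "ip" if matches_ip(host) else None
        if kind:
            hits[m["client"]].append((kind, m["method"], host))
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and matches_domain(m["qname"].lower().rstrip(".")):
            hits[m["client"]].append(("domain", "DNS", m["qname"].lower().rstrip(".")))
    return dict(hits)


def triage(hits):
    """Domain hit = high confidence; IP-only hit = medium (shared address);
    POST/PUT to the domain suggests a document upload."""
    return {
        client: {
            "confidence": "high" if any(k == "domain" for k, _, _ in ev) else "medium",
            "upload_suspected": any(meth in ("POST", "PUT") for _, meth, _ in ev),
            "evidence": ev,
        }
        for client, ev in hits.items()
    }


if __name__ == "__main__":
    for client, t in sorted(triage(hunt(PROXY_LOG, DNS_LOG)).items()):
        print(client, t["confidence"], "UPLOAD" if t["upload_suspected"] else "", t["evidence"])
```

Feed it the real access.log and query log instead of the constructed lists. Note that a CONNECT-only proxy shows the TLS tunnel but not the upload; if TLS is not inspected, treat every client that tunnelled to the domain as a possible uploader rather than relying on the POST flag.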
Immediate response actions:

- Add tripscan-fly.online, including all subdomains, to DNS and web-proxy blocklists. Domain-level blocking is the primary control.
- Block outbound connections to 199.231.235.173 only after checking what else resolves to it: the IP reportedly hosts several domains, so an IP-level block can also break unrelated sites sharing the host, and the operator can move to a new IP without changing the domain.
- Search proxy, DNS and firewall logs for the domain and IP to identify systems that contacted it, and isolate those systems. A POST or PUT to the domain is a likely document upload and should be prioritised.
- Audit document repositories, and the endpoints that contacted the domain, for unauthorized access or exfiltration artifacts, and treat any document uploaded to the site as exposed.
- Brief users on the lure: a site that asks for a passport, ticket or ID to be uploaded for "scanning" is collecting it.

While no mass compromise has been reported, the risk remains elevated because the domain is new, evasive by design and currently invisible to reputation services.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP status could not be retrieved at scan time)

## Domain Intelligence

- Registered: 2026-03-31 14:06:08
- Registrar: Registrar of Domain Names REG.RU LLC
- IP: 199.231.235.173

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/tripscan-fly.online
- PhishDestroy: https://phishdestroy.io/domain/tripscan-fly.online/
- LLM endpoint: https://phishdestroy.io/domain/tripscan-fly.online/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Treat any document you uploaded (passport, ID, ticket, corporate file) as compromised and notify the issuer or your organization's security team
5. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/tripscan-fly.online/
Last updated: 2026-04-07