# PhishDestroy threat dossier — upagz.com ================================================================ Fetched: 2026-05-04 16:22:04 UTC Canonical: https://phishdestroy.io/domain/upagz.com/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 76/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, Kaspersky, LevelBlue, Lionic, Seclookup, Sophos URLQuery: 3 detections Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 18.66.147.45 (DE, Frankfurt am Main) ASN: AS16509 Amazon.com, Inc. Hosting org: AWS CloudFront (GLOBAL) Registrar: Gname.com Pte. Ltd. Nameservers: a.share-dns.com, a12.share-dns.com, b.share-dns.net, b12.share-dns.net Registered: 2024-08-25 Page title: UPA HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Amazon / Amazon RSA 2048 M04 Expires: 2026-10-03 Status: INVALID chain Fingerprint: 3789b4657de6198e15d73d60ad76bd2158634a47643d62d2e5a2b43d23168991 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2024-08-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-04 16:20:10 UTC (by PhishDestroy tracker) First reported: 2026-05-04 13:25:51 UTC (abuse notice filed) Last verified: 2026-05-04 19:20:38 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019df324-8ce1-7786-a60e-3d09c3c925ed/ URLQuery: https://urlquery.net/report/527bd3f7-8281-495d-92dc-239f98f08398 Wayback Machine: https://web.archive.org/web/*/upagz.com crt.sh CT logs: https://crt.sh/?q=%25.upagz.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=upagz.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/upagz.com URLhaus: https://urlhaus.abuse.ch/host/upagz.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-04 16:22:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies upagz.com as a high-risk fraudulent login portal designed to harvest user credentials through deceptive social engineering tactics. This domain was flagged with a Google Safe Browsing SOCIAL_ENGINEERING classification, indicating it poses an immediate threat to users attempting to access legitimate services. The site’s operators have deployed a sophisticated replica of authentication interfaces, tricking visitors into submitting sensitive login data which may be exploited for financial fraud, identity theft, or unauthorized account access. With a domain creation date of August 25, 2024, this threat is particularly insidious due to its recency, suggesting attackers are leveraging newly registered domains to evade traditional detection mechanisms. This domain exhibits multiple indicators of malicious intent across multiple security platforms. VirusTotal reports 15 out of 95 security vendors flagging upagz.com, demonstrating substantial consensus on its harmful nature. The domain resolves to IP address 18.66.147.45 and is currently blocked by InversionDNS, one of the industry’s leading threat intelligence networks. Additionally, the domain is registered through Gname.com Pte. Ltd., a registrar known for hosting questionable or malicious registrations. The presence of a legitimate Amazon SSL certificate is a deliberate tactic to mislead users, as attackers often obtain certificates from trusted providers to appear authentic. The domain’s inclusion on a primary security blocklist further corroborates its malicious classification and the urgent need for avoidance. Users encountering upagz.com should immediately cease all interaction and close the browser window. If any credentials were entered, the user must immediately change passwords on all associated accounts and enable multi-factor authentication where available. Avoid accessing links from unsolicited messages or emails, as these may redirect to similar fraudulent portals. Report the domain to your network administrator or security team if this site appears in your organization’s logs. Users should also verify website legitimacy by checking for HTTPS with a valid certificate from the correct issuing authority, and by comparing domain spellings against official brand websites. Network defenders are advised to block both the domain upagz.com and its resolved IP address 18.66.147.45 at the DNS and firewall levels to prevent internal exposure. Remain vigilant for similar domains registered through Gname.com Pte. Ltd. or using Amazon-issued SSL certificates, as these are common tactics in current credential harvesting campaigns. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260504-034411 TLS cert SHA-256: 3789b4657de6198e15d73d60ad76bd2158634a47643d62d2e5a2b43d23168991 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/upagz.com/ JSON API: https://api.destroy.tools/v1/check?domain=upagz.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 145,603 domains (56,132 alive under monitoring, 89,188 confirmed takedowns/dead). Site: https://phishdestroy.io