# PhishDestroy threat dossier — upgraders.pro
================================================================
Fetched: 2026-07-05 23:50:15 UTC
Canonical: https://phishdestroy.io/domain/upgraders.pro/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 70/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 5.253.61.77 (RU, Moscow)
ASN: ASAS211642 AdminVPS AdminVPS OOO, RU
Hosting org: AS211642 AdminVPS OOO
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response.
Primary sources:
  https://phishdestroy.io/nicenic-real
  https://phishdestroy.io/nicenic-verdict

Nameservers: ns1.adminvps.ru, ns2.adminvps.net, ns3.adminvps.ru, ns4.adminvps.net
Registered: 2026-05-13
Expires: 2027-05-13
Page title: Апгрейд скинов КС2 (КС ГО): лучший Upgrader CS
HTTP response: 200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-05 06:25:09 UTC (by PhishDestroy tracker)
Last verified: 2026-07-06 00:30:11 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f3084-3750-717a-96a9-3a5b6e8f89ed/
Wayback Machine: https://web.archive.org/web/*/upgraders.pro
crt.sh CT logs: https://crt.sh/?q=%25.upgraders.pro
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=upgraders.pro
AlienVault OTX: https://otx.alienvault.com/indicator/domain/upgraders.pro
URLhaus: https://urlhaus.abuse.ch/host/upgraders.pro/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-05 06:35:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, upgraders.pro, is flagged as a phishing site targeting Counter-Strike 2 (CS2) and Counter-Strike: Global Offensive (CS:GO) players. The site presents itself as a skin upgrader service, offering in-game item enhancements under the title 'Апгрейд скинов КС2 (КС ГО): лучший Upgrader CS.' Such services are commonly used as lures to harvest Steam credentials, payment details, or trick users into executing malicious software. The threat posed includes unauthorized access to gaming accounts, financial theft, or malware installation, particularly targeting users seeking to upgrade or trade in-game items outside official platforms.

Analysis indicates this domain exhibits multiple red flags despite its current low detection rate.
As of the latest scan, VirusTotal reports 0 out of 95 security vendors flagging the site, suggesting it may be newly deployed or evading detection through obfuscation or cloaking techniques. The domain was registered on May 13, 2026, through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar frequently associated with high-risk domains. The SSL certificate is issued by Let’s Encrypt, a common but neutral indicator, as legitimate and malicious sites alike use it. The site resolves to the IP address 5.253.61.77, which may be part of a bulletproof hosting infrastructure or shared hosting environment known for harboring phishing and fraudulent operations.

Users who have visited upgraders.pro or interacted with its content should take immediate action to mitigate potential risks. First, change passwords for any accounts accessed on the site, particularly Steam or other gaming-related credentials, using a strong, unique password and enabling multi-factor authentication. Scan the device used to access the site with updated security software to detect and remove any malware or unauthorized applications. Monitor financial accounts and gaming inventories for unauthorized transactions or missing items. If payment details were entered, contact the financial institution to report potential fraud and request card replacement. Finally, report the domain to relevant platforms, including Steam, to help prevent further exploitation of other users.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 6b001766e0655454d189b8e1ec1d8236

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/upgraders.pro/
JSON API: https://api.destroy.tools/v1/check?domain=upgraders.pro
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,949 domains (12,824 alive under monitoring, 161,236 confirmed takedowns/dead).
Site: https://phishdestroy.io