# PhishDestroy threat dossier — verify-rover.xyz ================================================================ Fetched: 2026-07-13 03:52:43 UTC Canonical: https://phishdestroy.io/domain/verify-rover.xyz/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Fortinet, Google Safebrowsing, Gridinsoft, LevelBlue, SOCRadar URLQuery: 3 detections Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 91.240.20.15 (NL, Amsterdam) ASN: AS59939 WIBO Baltic UAB Hosting org: Hooray Solutions Corp. Registrar: Hosting Concepts B.V. d/b/a Registrar.eu Nameservers: ns1.eggywall.org, ns2.eggywall.org Registered: 2026-07-08 Expires: 2027-07-08 Page title: RoVer HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-10-06 Status: INVALID chain Fingerprint: 523544e5aede39636175b9f7fba602f4776f0c76561808786c27967d182ef4bf ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 18:37:41 UTC (by PhishDestroy tracker) First reported: 2026-07-12 22:05:08 UTC (abuse notice filed) Last verified: 2026-07-13 04:20:41 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f5730-acc4-7770-985f-9a81b9f3641c/ URLQuery: https://urlquery.net/report/4f337cb6-6873-472a-acdb-679c10b3c78e Wayback Machine: https://web.archive.org/web/*/verify-rover.xyz crt.sh CT logs: https://crt.sh/?q=%25.verify-rover.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=verify-rover.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/verify-rover.xyz URLhaus: https://urlhaus.abuse.ch/host/verify-rover.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 18:40:38 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Verification‑rover.xyz was registered on July 8 2026 and currently resolves to the IPv4 address 91.240.20.15. The domain is hosted on name servers ns1.eggywall.org and ns2.eggywall.org, both delegated to the registrar Hosting Concepts B.V. operating as Registrar.eu. Google Safe Browsing has classified the domain under the “SOCIAL_ENGINEERING” category, and the threat intelligence source assigns it a credential_phishing label with a high risk rating. The domain remains active as of the report date. Infrastructure analysis shows that the IP 91.240.20.15 is a single host serving the domain without additional known aliases. The use of the eggywall.org name servers is consistent with recent malicious infrastructure observed in other credential‑phishing campaigns, although no public reputation data currently associates the IP with prior detections. VirusTotal scans have returned zero detections across 95 engines, which reflects a lack of prior submissions rather than an indication of benign behavior. The combination of a freshly registered domain, a dedicated IP address, and a Google Safe Browsing social‑engineering flag provides a strong indicator of malicious intent. Credential phishing typically targets user login credentials by presenting deceptive pages that harvest usernames and passwords. While the exact content of the landing page has not been analysed, the classification and risk level imply that the domain is being used to lure victims into submitting sensitive authentication data. Defenders should treat verify‑rover.xyz as hostile. Immediate actions include adding the domain to blocklists at network perimeter and endpoint security layers, configuring DNS sinks or redirects to prevent resolution, and monitoring outbound traffic for connections to 91.240.20.15. Continuous observation of the associated name servers and any future VirusTotal submissions is recommended to detect changes in behavior. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-4FCE5B Favicon MD5: 1a56736e3d6164e7808c6d3996e3aa4b TLS cert SHA-256: 523544e5aede39636175b9f7fba602f4776f0c76561808786c27967d182ef4bf ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/verify-rover.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=verify-rover.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io