# PhishDestroy threat dossier — win138-uberlandiacriacaodesites.ihk65243.workers.dev
================================================================

Fetched:   2026-05-04 23:08:55 UTC
Canonical: https://phishdestroy.io/domain/win138-uberlandiacriacaodesites.ihk65243.workers.dev/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 65/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.97.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     NS_NOT_FOUND
Registered:      2026-04-24
Page title:      WIN138 | Link Game Moba Among Us Mode Baru Download
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-13
Status:     INVALID chain
Fingerprint: 1642fed14679dbd2405453262b67cb47d9ae2a190be8e3697fbaf2ea5c52f08f
Subject Alternative Names (related infrastructure — often same operator):
  - ihk65243.workers.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-24 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-24 22:35:17 UTC (by PhishDestroy tracker)
Last verified:     2026-05-03 01:40:08 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dc0fc-26db-76f9-8856-3037f794578e/
Wayback Machine:  https://web.archive.org/web/*/win138-uberlandiacriacaodesites.ihk65243.workers.dev
crt.sh CT logs:   https://crt.sh/?q=%25.win138-uberlandiacriacaodesites.ihk65243.workers.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=win138-uberlandiacriacaodesites.ihk65243.workers.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/win138-uberlandiacriacaodesites.ihk65243.workers.dev
URLhaus:          https://urlhaus.abuse.ch/host/win138-uberlandiacriacaodesites.ihk65243.workers.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-24 22:36:17 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain win138-uberlandiacriacaodesites.ihk65243.workers.dev has been identified as a hosting platform for generic phishing activities. Currently under investigation, this domain does not impersonate any known brand specifically but poses a general risk by attempting to deceive users into divulging sensitive information via fraudulent means.

According to available intelligence, this domain utilizes an SSL certificate issued by Let's Encrypt, which may lend it deceptive legitimacy. It is registered through Cloudflare, Inc. and resolves to the IP address 188.114.97.3. VirusTotal analysis shows zero detections out of 95 vendors, indicating no current flagging or classification as malicious by mainstream antivirus providers. There is no data available on blocklist counts or trust scores, and the exact creation date is not provided.

Despite the lack of detections, the domain remains active and under close surveillance due to its phishing threat profile. Users are strongly advised to exercise caution when encountering this domain, especially when prompted for credentials or personal data. Network defenders should consider adding it to internal monitoring systems and apply filtering rules to prevent any potential compromise stemming from phishing attempts. Continuous observation and timely response are critical to mitigating the risks associated with this domain.

[Updates since narrative was generated:]
  - WHOIS creation date: 2026-04-24

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       91c6fd9b356bbb75bb4770320f80be4d
TLS cert SHA-256:      1642fed14679dbd2405453262b67cb47d9ae2a190be8e3697fbaf2ea5c52f08f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/win138-uberlandiacriacaodesites.ihk65243.workers.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=win138-uberlandiacriacaodesites.ihk65243.workers.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 145,673 domains (56,121 alive under monitoring, 89,292 confirmed takedowns/dead). Site: https://phishdestroy.io