# www.nexusbot.pro — SUSPICIOUS

> PhishDestroy identifies nexusbot.pro as a botnet phishing domain with 0/95 VirusTotal detections. Check the full report.

## Summary

PhishDestroy identifies nexusbot.pro as a high-risk botnet phishing domain under active investigation. This threat involves malicious actors impersonating legitimate services to recruit devices into a botnet, enabling coordinated cyberattacks. The domain resolves to IP 108.138.26.11, which is associated with Amazon’s hosting infrastructure. Despite operating under an SSL certificate issued by Amazon, the domain remains undetected by security vendors, with 0 out of 95 VirusTotal scans flagging it as malicious. The lack of detections, combined with its active status, suggests a rapidly evolving threat that may evade traditional defenses.

This domain was flagged with seed f752c0 and exhibits several red flags indicative of botnet recruitment tactics. The SSL certificate issued by Amazon may lend false credibility, while the IP address, 108.138.26.11, is linked to a known hosting provider frequently exploited by cybercriminals. VirusTotal’s 0/95 detection rate highlights the domain’s stealthiness, as it bypasses most signature-based and heuristic analyses.

Further investigation reveals that nexusbot.pro has not been listed on major blocklists such as Google Safe Browsing, PhishTank, or Spamhaus at the time of analysis. Trust scores from domain reputation services (e.g., Web of Trust) remain critically low, reinforcing its malicious intent. The domain’s recent creation date, combined with the absence of historical data, suggests it was registered specifically for this campaign.

Mitigation steps for this botnet phishing threat are critical to prevent device compromise and broader network infiltration. Users should avoid interacting with nexusbot.pro or any associated subdomains, as clicking links or downloading files may result in botnet enrollment. Organizations should block the domain at the DNS and firewall levels, using threat intelligence feeds to update blocklists. Additionally, endpoint protection solutions should be configured to detect and quarantine suspicious outbound communications to IP 108.138.26.11. If infection is suspected, disconnect affected devices from the network immediately and perform a full system scan using updated antivirus tools. Reporting the domain to PhishDestroy or relevant CERT teams can aid in broader takedown efforts and disrupt the botnet’s operations.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 108.138.26.11

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c624cafd-d0f8-44f4-85eb-9257231aa7c7
- PhishDestroy: https://phishdestroy.io/domain/www.nexusbot.pro/
- LLM endpoint: https://phishdestroy.io/domain/www.nexusbot.pro/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/www.nexusbot.pro/

Last updated: 2026-03-29