# xn--krb2-roa.at — SUSPICIOUS

> xn--krb2-roa.at is flagged for fake login phishing targeting Austrian users. VirusTotal detects 1/95 vendors. Check the full report.

## Summary

xn--krb2-roa.at is an active phishing domain impersonating Austrian login portals, rated elevated risk by PhishDestroy. The domain is likely leveraging a brand impersonation drainer kit targeting users in Austria, as indicated by its punycode encoding (xn--krb2-roa), which mimics Austrian government or financial sector domains. The infrastructure resolves to IP 188.114.96.3 and uses a Let's Encrypt SSL certificate to appear legitimate, a common tactic to deceive users into entering sensitive credentials.

This domain was flagged by 1 of 95 security vendors on VirusTotal, indicating low but notable recognition of its malicious nature. It was registered through 101Domain GRS Ltd., a registrar known for handling internationalized domain names (IDNs). The domain resolves to IP 188.114.96.3, a hosting provider associated with malicious activity. Creation details remain unverified, but the domain remains active and is not flagged by Google Safe Browsing (GSB) as of the latest check. It has not been widely blocklisted, suggesting it may be a recent or targeted campaign.

As of the latest assessment, xn--krb2-roa.at remains active and poses an elevated risk to users, particularly those in Austria. Immediate actions include blocking the domain at the network level and updating browser/endpoint security tools to flag the URL. Users should avoid interacting with this domain and report it to their security teams or local cybercrime units. While the threat is elevated due to active hosting and SSL usage, the low VirusTotal detection and lack of widespread blocklisting suggest this may be a targeted or emerging campaign. Remaining risk is moderate, contingent on user exposure and organizational defenses.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
## Domain Intelligence

- Registrar: 101Domain GRS Ltd. (https://nic.at/registrar/670)
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/aa9b9fd2-ed13-4023-affb-93c67e6e1e64
- PhishDestroy: https://phishdestroy.io/domain/xn--krb2-roa.at/
- LLM endpoint: https://phishdestroy.io/domain/xn--krb2-roa.at/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/xn--krb2-roa.at/

Last updated: 2026-03-21