# PhishDestroy threat dossier — zeuos-cfz010.huvcouao.workers.dev
================================================================
Fetched: 2026-04-30 00:39:16 UTC
Canonical: https://phishdestroy.io/domain/zeuos-cfz010.huvcouao.workers.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 18/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Criminal IP, alphaMountain.ai, BitDefender, Chong Lua Dao, CyRadar, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, Netcraft, OpenPhish, Sophos, VIPRE

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: NS_NOT_FOUND
Registered: 2026-04-25
Page title: 海外频道_央视网(cctv.com)
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-06-09
Status: INVALID chain
Fingerprint: fff68e4cc65916b92a4d1c6fc8a4f90d8f3cc14fcfdc81824a5b66f8757afc5f
Subject Alternative Names (related infrastructure — often same operator):
- huvcouao.workers.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-25 15:14:45 UTC (by PhishDestroy tracker)
Last verified: 2026-04-28 01:30:23 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dc48f-21fe-700a-a91a-c15b89d0d343/
Wayback Machine: https://web.archive.org/web/*/zeuos-cfz010.huvcouao.workers.dev
crt.sh CT logs: https://crt.sh/?q=%25.zeuos-cfz010.huvcouao.workers.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=zeuos-cfz010.huvcouao.workers.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/zeuos-cfz010.huvcouao.workers.dev
URLhaus: https://urlhaus.abuse.ch/host/zeuos-cfz010.huvcouao.workers.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-25 15:15:32 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the domain zeuos-cfz010.huvcouao.workers.dev as a credential theft endpoint under active investigation. The site impersonates authenticated login portals to harvest user credentials for potential account takeover attacks. The infrastructure relies on abused Google Cloudflare Workers domains, a tactic commonly observed in credential phishing campaigns distributing fake login forms across compromised or fraudulent subdomains. No specific drainer kit signature has been extracted from public sources, suggesting the use of a generic credential harvesting script or a modified kit designed to blend with legitimate login interfaces. This domain exhibits several technical indicators commonly associated with malicious infrastructure.
According to VirusTotal, it currently shows 0/95 detection engines flagging the URL, indicating delayed or absent signature-based detection by antivirus vendors. It is registered through Cloudflare, Inc., resolving to IP address 188.114.96.3. The domain utilizes a valid SSL certificate issued by Google Trust Services, which increases user trust due to browser green padlock indicators. While creation date and Google Safe Browsing (GSB) status are not publicly disclosed via open intelligence feeds, the lack of detections and active phishing status imply it may have evaded automated scanning systems. No evidence of inclusion on major reputation blocklists such as PhishTank or OpenPhish was observed at the time of assessment. The absence of historical data and low VT score suggests this is a recently deployed or low-profile credential theft node. The domain remains active and classified as an ongoing threat under investigation. As of the latest assessment, no vendor signatures or automated systems have flagged the domain, increasing risk to end-users who may unknowingly enter credentials. PhishDestroy recommends immediate blacklisting of this domain and IP (188.114.96.3) at both network and endpoint levels. Users are urged to avoid interacting with the domain, validate URLs via reputable tools (e.g., Google Transparency Report or URLscan.io), and enable two-factor authentication on all accounts. Security teams should monitor for downstream credential leaks and correlate with known breach datasets. Although categorized as under_investigation, the combination of active status, credential-theft intent, and evasion tactics warrants a high-risk operational posture pending further analysis. 
[Updates since narrative was generated:]
- VirusTotal detections: now 18/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: dbe194c88ae6739d44d8111ced8512b5
TLS cert SHA-256: fff68e4cc65916b92a4d1c6fc8a4f90d8f3cc14fcfdc81824a5b66f8757afc5f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/zeuos-cfz010.huvcouao.workers.dev/
JSON API: https://api.destroy.tools/v1/check?domain=zeuos-cfz010.huvcouao.workers.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io