Scam Detective
Domain

x.co

First seen Feb 22, 2026

Suspicious
  • No SSL certificate
  • 8 community reports from users

Campaign Intelligence

This cluster centers on 2382 connected domains tagged as PureHVNC, elf, sh. 572 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 969 phone numbers (8772427372, 1319641540, 1319641221) with 557 FTC complaints; 690 email addresses (kellymoore_64@yahoo.com, schantzsybg7@aol.com, online.motors@consultant.com). Across all linked entities, consumers have filed 2228 complaints with federal agencies. Geog...

This cluster centers on 2396 connected domains tagged as 156-233-71-230, Quakbot, lnk. 586 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 969 phone numbers (8772427372, 1319641540, 1319641221) with 565 FTC complaints; 690 email addresses (kellymoore_64@yahoo.com, schantzsybg7@aol.com, online.motors@consultant.com). Across all linked entities, consumers have filed 2237 complaints with federal agen...

This cluster centers on 1895 connected domains tagged as BeaverTail, RedLineStealer, password: 2026. 113 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 934 phone numbers (8772427372, 1319641540, 1319641221) with 524 FTC complaints; 683 email addresses (kellymoore_64@yahoo.com, schantzsybg7@aol.com, online.motors@consultant.com). Across all linked entities, consumers have filed 2093 complaints wit...

This cluster centers on 2416 connected domains tagged as BABADEDA, WallStealer, meterpreter. 607 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 969 phone numbers (5086371451, 9366439335, 1842506726) with 570 FTC complaints; 690 email addresses (kellymoore_64@yahoo.com, schantzsybg7@aol.com, online.motors@consultant.com). Across all linked entities, consumers have filed 2243 complaints with federa...

This cluster centers on 2764 connected domains tagged as BeaverTail, Kaiji, fbf543. 645 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 1132 phone numbers (7638857447, 8664372914, 2157987305) with 10266 FTC complaints; 146 companies (JPMORGAN CHASE & CO., Advanced Resolution Services Inc., EVERBANK, NATIONAL ASSOCIATION) with 8616274 CFPB complaints; 298 email addresses (xxxxxxxxxxxxxxxxxxxxxxxx@vm...

This cluster centers on 3287 connected domains tagged as HijackLoader, RemcosRAT, screenconnect. 617 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 1649 phone numbers (5408463620, 8552597377, 8007873903) with 7110 FTC complaints; 143 companies (Informative LLC, HomePlus Corporation, Doral Capital Corporation) with 8547081 CFPB complaints; 807 email addresses (kellymoore_64@yahoo.com, schantzsybg7@...

This cluster centers on 2874 connected domains tagged as QuasarRAT, StealitStealer, pw-k53mv9bc. 652 of these domains have been flagged by threat intelligence feeds including Google Safe Browsing and URLhaus. The connected infrastructure includes 1375 phone numbers (2157987305, 2025069230, 2028641298) with 14635 FTC complaints; 160 companies (JPMORGAN CHASE & CO., Advanced Resolution Services Inc., EVERBANK, NATIONAL ASSOCIATION) with 8680419 CFPB complaints; 299 email addresses (abuse@fb.com, ...

This cluster centers on 3 connected domains identified through shared infrastructure and registration patterns. The connected infrastructure includes 1 email address (oscar_shales@hornyalwary.top). Do not click links to any of the flagged domains. If you have visited one, check your accounts for unauthorized activity and consider changing your passwords. Do not reply to suspicious emails or click any links or attachments they contain. Check the sender's domain carefully for misspellings or u...

Details

Registrar
GoDaddy.com, LLC
Registration Date
4/23/2010
First Seen
2/22/2026

Community Reports

Received a phishing email, tracked some info down. What can I, and should I, do with it?

Hi all, my wife received a phishing email. For fun, I tried to see what I can learn from it. SMTP headers showed the use of SMTP relay, threading the email through Gmail and Hotmail. At the bottom, however, I found the IP address 5.231.208.76, which is in Germany and owned by GHOSTnet GmbH. A cursory Google search showed that this ISP has a very plain website and is connected to phishing. [(example)](https://www.reddit.com/r/vpnreviews/comments/4jt5zh/nordvpn_a_little_review/?st=j3a1oepm&sh=971a3377) (EDIT: the actual geocoordinates associated with the IP address are 50.2266, 8.6213, if that helps.) The phishing link was: http://x.co/6lsUZ. Using checkshorturl.com, I exploded that to https://apptrustedcloud.komsalam-service.info/. (Google Translate tells me "komsalam" means "As a Muslim" in Arabic, possibly suggesting ISIL ties, perhaps?) The domain is registered to one Paula Alper, no organization, 2578 Balwynne Park Road, 19131 Philadelphia. Tech email is oscar_shales@hornyalwary.top. The domain is marked as inactive and on client hold. The site has a Let's Encrypt Authority X3 certificate made out to global-cheat.center (at least the name is honest there), valid from May 22 - August 20, 2017. (Is the short duration indicative of anything, here?) This FQDN is actually resolvable, leading only to a website with a private cgi directory. This is all I squeezed out from this. Is there anything I can do with this information? We're EU residents and citizens. Thanks!

3225 days ago, 2 upvotes
