Safe Web keeps reporting that svchost.exe is trying to access a file sharing site

Issue abstract: Safe Web reports that svchost.exe is making DNS requests for phs8 (dot) krakencloud (dot) net, which is a file sharing site; it could be trying to download/install malware. This occurs just about hourly, at 10 minutes past the hour.

Detailed description:

Norton Safe Web keeps popping up notifications like this:


Details

Threat name: URL:Block [CryptScam]
Status: Blocked
Detected by: Safe Web


Origin

Location: (unreadable characters in the original notification)


Activity

Path | Type | Status
{"alertId":"ea888f5c1bf1","url":"dns://phs8.krakencloud.net"} | URL | Blocked


It states in the alert that the DNS requests are coming from svchost.exe. Full scans are not finding anything wrong, and neither is sfc. I’ve placed the domain in my hosts file and my local DNS to block access, even though Norton is preventing it from resolving anyway, but I can’t seem to find the cause of the issue to remove it. New alerts are still coming, but now they say “We are sorry, something went wrong” (see screenshots).

Product & version number: Norton 360 for Gamers 25.8.10387

OS details: Windows 11 24H2

What is the error message you are seeing? See above

If you have any supporting screenshots, please add them:

Here is the latest notification that just came in - it would not allow me to take a screenshot.

Threat secured

We prevented your connection to dns://phs8 (dot) krakencloud (dot) net because it is a dangerous domain. Threat category: URL:Block [CryptScam]

Threat Name: URL:Block [CryptScam]

URL: dns://phs8 (dot) krakencloud (dot) net

Process: C:\windows\system32\svchost.exe

Detected By: Safe Web

Status: DNS Aborted

a3fd5769d0d3/2025-08-24T20:25:40.613Z

I get the error message (same as above) if I try to view the entry in security history

Ask Norton about the problem. I don't know anything about Safe Web, only the normal Norton products, and those sometimes have bugs, so ask them; it could be a bug in it.

fwiw ~ phs8.krakencloud.net


7e69eb6f7a3c/2025-08-24T21:00:36.473Z

=========================================================

AI Overview
phs8.krakencloud.net is a domain associated with Kraken Technologies, a UK-based energy company that provides a cloud-based software platform for the energy and water industries. The domain has been flagged as malicious by multiple security databases.

Here’s what is known about the domain:

  • Malicious activity: Security analysis of the subdomain shows multiple instances of URLs being flagged for malicious activity. This activity includes association with the delivery of phishing and malware.
  • Legitimate owner: The parent domain krakencloud.net belongs to Kraken Technologies, which is part of Octopus Energy Group. The company uses its cloud platform to manage and optimize energy distribution for utilities and consumers. It’s possible the malicious subdomain was compromised or is being used fraudulently to exploit the trust of Kraken’s brand.
  • Security recommendations: As a security precaution, it is highly recommended that you do not click any links or download any files from this subdomain. If you have been directed to this address, assume it is part of a malicious campaign.

AI responses may include mistakes.

==================================================

AI Overview
An alert from Norton about a connection to phs8.krakencloud.net is likely a false positive, but should still be treated with caution. The domain is not inherently malicious, but its activity can sometimes trigger security software.

Here is what you should know about phs8.krakencloud.net and how to handle a Norton alert.

What is krakencloud.net?

  • krakencloud.net is a legitimate domain used by legitimate applications for various purposes, such as hosting cloud services or distributing content.
  • The domain is often associated with the Kraken cryptocurrency exchange.
  • The phs8 subdomain likely refers to a specific server or service on the network.

Why Norton might issue an alert
Norton may flag connections to phs8.krakencloud.net for one of these reasons:

  • False positive: This is the most common reason. Norton’s security software may detect a legitimate but unusual connection and flag it as a potential threat.
  • Suspicious activity: While the domain itself is not malicious, a specific application or process on your computer could be trying to make a connection for a suspicious purpose.
  • Cloud service access: If you are using a cloud-based service, the connection might be for routine cloud access that Norton flagged out of caution.

What to do if Norton issues an alert
Run a full scan: Perform a comprehensive scan of your computer with Norton to check for other suspicious activity.
Verify the alert: Check the details of the Norton alert. It may provide more information on the specific file or process that attempted to connect to the domain.
Check recent activity: Consider what you were doing when the alert occurred. Did you install new software, visit a new website, or open a file?
Confirm the domain: Conduct your own search for the exact domain, phs8.krakencloud.net, to see if other users have reported similar issues.
Use a second opinion tool: Run a scan with another anti-malware tool like Malwarebytes to get a second opinion on the state of your system.
Block the domain (if concerned): If you are particularly concerned, you can configure your router or firewall to block traffic to krakencloud.net. This could, however, interfere with legitimate software that uses this domain.
Contact Norton support: If you are still unsure, contact Norton’s support team for further assistance.

AI responses may include mistakes.

====================================================

AI Overview
phs8.krakencloud.net is a domain associated with Kraken, a company providing cloud-based technology and services. The dns:// prefix is a protocol identifier, similar to http:// or ftp://, and indicates that the query is about a domain name system (DNS) record.

Based on the search results, here is what is known about phs8.krakencloud.net:

Associated company

  • The domain belongs to Kraken, a technology company with two major divisions. It is important to note the distinction:
    Kraken Technologies: A firm that provides cloud-based platforms for energy and utility companies. This division uses advanced data, AI, and machine learning to manage services like billing and customer relations.
    Kraken (Cryptocurrency Exchange): One of the largest cryptocurrency exchanges in the world.
  • The krakencloud.net domain appears related to the Kraken Technologies branch, given its focus on “cloud-based” and “digitalization platforms” for utilities.

Use of the phs subdomain

  • The phs subdomain, followed by a number, is a common pattern for phishing and malicious activity, though not exclusively. Search results show other phs subdomains of krakencloud.net being flagged for malicious activity on sites like VirusTotal and URLhaus.
  • While phs8.krakencloud.net was not explicitly flagged in the provided search, the presence of similar subdomains with malicious tags suggests that it may be part of a malicious or phishing campaign.

Summary of DNS lookup
Since the query was for a DNS record, here is a breakdown of what a DNS lookup would typically reveal for this domain and what the search results show about its usage:

  • A DNS lookup would return records like the A record (the IPv4 address), AAAA record (the IPv6 address), and MX record (the mail server).
  • Due to the association with potentially malicious activity, DNS services like Quad9 have checked for alerts related to phs8.krakencloud.net. At the time of a report from July 20, 2025, no alerts were detected.

Potential threat implications

  • It is common for phishing campaigns to use “cloud” and “secure” sounding names in their domains to appear legitimate.
  • Given the use of similar phs subdomains in known malicious activities, exercising caution is advisable if this domain is encountered in a suspicious context, such as an unsolicited email or an unexpected link.

AI responses may include mistakes.



fwiw ~ my boiler plate

Related: Amsterdam, Holland EU

https://www.ip-tracker.org/lookup.php?ip=141.11.62.231

Did you clear browser cookies n cache?
Do you run browser sync?
Did you recently install any program / browser extension?

It’s not being caused by a web browser; some service is trying to access the site and I can’t identify which one.

Did you recently allow push notifications?
Did you recently change site permissions?

No changes there.

Did you run Norton Full Scan?

Yes, nothing found except for some python scripts in an ethical hacking training course I had downloaded.

Did you run Malwarebytes Scan?

Yes, I’ve had Malwarebytes running for months, and scheduled scans each week.


About six months ago I looked at my computer and someone had remoted in using ScreenAssist. I pulled the plug, unhooked the network, booted in safe mode and did everything I could think of to clear out however they had gotten in. I think the original source of the “infection” was because I had NoMachine installed so I could remote in from wherever I was, but I had also set up an account for transferring things between my PC and my virtual pin (a PC in a pinball cabinet) that had system admin rights and a weak password (because I didn’t realize nomachine lets any admin account access remotely). I’ve now replaced nomachine with a locally hosted rustdesk instance.

I spent days poring through the service list, and found a couple of bogus services and renamed executables for the ScreenAssist setup. I figured I had eventually cleared it out completely and I relaxed a bit. That’s when I got Malwarebytes, which helped identify a couple of things I had missed. I still kept seeing some odd behavior. My motherboard driver update keeps trying to push a Norton install, so I let it this time, and that’s the only reason I saw this odd DNS request.

So I set up a honeypot VM listening on all ports for TCP connections, disabled safe web, and put an entry in my hosts file and DNS servers to point the phs8 (dot) krakencloud (dot) net to my honeypot vm. On schedule I saw the DNS request come through, and the response from my DNS server, but no attempt to connect with the honeypot. It did, however, send a second DNS request five minutes later. The next attempt should be in about a half hour so I’ll see what happens then.

My concern really is that it is trying to download a payload stored there. I’m guessing if there was one there it has already been taken down, otherwise I’d probably have had more issues recently. The weirdest thing was that I had planned to reinstall windows after this and every time I’d try to reinstall windows it would crash before I even got to the disk assignment screen. That may have been due to the RAID card I was using starting to die however as I started not seeing the array intermittently after reboots. I’ve since replaced it and not had any issues since.

But if some fake service is still running or a real service has been injected to download malware I want to get it cleaned up.

Hello @TedBronson

Have you used these tools to ID the offending process? DNS redirects can also be an issue where your routing hardware has had its firmware compromised. Have you looked at that, and at the DNS records in your router(s)?

Process Explorer or Sysmon

SA
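As an added example (not code from anyone in this thread), here is how the Sysmon approach suggested above can be combined with the DNS-capture experiment from the earlier post: log only DNS queries for the alerted domain (Sysmon Event ID 22) and map each query back to the svchost.exe instance and the service(s) it hosts. It assumes Sysmon is already installed, that Sysmon schema version 4.81 is accepted by your build, and that the temp path is a placeholder you can change.

```powershell
# Added example, not from the thread. Assumes Sysmon is installed and an elevated shell.
# 1) Sysmon config that records only DNS queries (Event ID 22) ending in the alerted domain.
#    Schema version 4.81 is an assumption; confirm yours with "sysmon64.exe -s".
$SysmonDnsConfig = @'
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="dns-of-interest" groupRelation="or">
      <DnsQuery onmatch="include">
        <QueryName condition="end with">krakencloud.net</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path "$env:TEMP\sysmon-dns.xml" -Value $SysmonDnsConfig -Encoding ASCII
# Apply it (elevated): sysmon64.exe -c "$env:TEMP\sysmon-dns.xml"

# 2) Read the recorded DNS events and attribute each query to a process.
#    svchost.exe hosts many services, so a live PID is resolved to its service names
#    and to the "-k <group>" command line it was started with.
function Get-DnsQueryAttribution {
    param([string]$DomainSuffix = 'krakencloud.net')
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.QueryName -notlike "*$DomainSuffix") { return }
        $procId = [int]$data.ProcessId
        # Empty if the process has already exited; re-run right after the hourly query.
        $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                     Select-Object -ExpandProperty Name) -join ','
        $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $procId").CommandLine
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Query    = $data.QueryName
            Image    = $data.Image
            PID      = $procId
            Services = $services
            CmdLine  = $cmdLine
        }
    }
}
Get-DnsQueryAttribution | Sort-Object Time | Format-Table -AutoSize
```

Because the queries arrive on a fixed schedule, comparing the event times with the Services and CmdLine columns narrows the search to one service group, which can then be inspected in Process Explorer.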