Is d2pn6vcl70n3ku.cloudfront.net safe?

phishing

2 deceptive links where visible host does not match destination host

brand impersonation

Site is hosted on a CloudFront CDN domain (d2pn6vcl70n3ku.cloudfront.net) but presents itself as the official 'madou.net' brand throughout all metadata, canonical tags, og:url, schema.org markup, and footer links. The actual serving domain does not match the claimed canonical domain, a classic brand-cloaking/impersonation pattern used to evade blocklists while trading on the brand's recognition. (location: page.html:19 (og:url), page.html:37 (canonical), page.html:68-103 (schema.org), metadata.json (url field))

malicious redirect

All 'friend link' items route through an on-site /urlRedirect?url= open-redirect endpoint before sending users to third-party destinations. This allows the operator to silently change destination URLs server-side, redirect victims to phishing or malware pages, and bypass link-scanner checks that only inspect the surface href. (location: page.html:2490-2600 (friendLinkBox /urlRedirect hrefs))

malicious redirect

App download links point to a second CloudFront distribution (d3v4plzhnm9msi.cloudfront.net) with a tracking parameter (?dc=mdnet1), and footer 'welfare app' link points to ddhp1.cc — both are opaque redirector hops whose final payload is unknown and outside the declared canonical domain. (location: page.html:2407-2425 (footer APP/welfare links), page.html:686-696 (nav app link))

social engineering

Multiple banner and popup advertisements use titles '同城约炮' (local hookup) and '迷情春药' (aphrodisiac/date-rape drug) as lures. These are consistent with social-engineering tactics that exploit sexual curiosity to drive clicks to potentially fraudulent or harmful third-party sites. (location: page.html:1282-1386 (swiper ads), page.html:2664-2710 (popup ads), page.html:2755-2390 (advList/nineGrid ads))

brand impersonation

Ad grid contains items labelled 'TikTok', 'Pornhub', and 'Xvideos' with matching branding images, but the underlying hrefs resolve to unrelated third-party CloudFront distributions and obfuscated domains (e.g. d3ndgb6poqunas.cloudfront.net/ttnhu003 for 'TikTok', d1ar0qjjxe2rzk.cloudfront.net for 'Pornhub'), impersonating well-known platforms to generate deceptive clicks. (location: page.html:2927-2993 (TikTok/Pornhub grid items), page.html:3097-3112 (Xvideos grid item))

social engineering

Several ad destinations use obfuscated random-subdomain URLs with channel/affiliate tracking codes (e.g. aplsof2fd.fylorzibrekjenvrybhsvar.com, aplsof2fd.flirnapolfwemvrybhszorex.com, aplsof2fd.drazelstorndrevrybhsznoil.com) that disguise their true destination — a technique used to evade URL reputation filters and funnel users to scam or malware landing pages. (location: page.html:2895-2925 (糖心/哔咔漫画/杏吧 grid items))

hidden content

The Yandex Metrika tracking pixel is loaded via a noscript tag with inline style 'position:absolute; left:-9999px;' to keep it invisible to users while still firing the beacon. This silently tracks all visitors including those without JavaScript enabled. (location: page.html:59 (noscript Yandex pixel))

hidden content

Two <ins> elements with class '5a165732' and data-key attributes appear in the page body with no visible content or labelling. These are consistent with injected third-party ad/tracker widgets that render content invisibly or load external scripts without user awareness. (location: page.html:1409 and page.html:2391 (<ins class='5a165732'>))

malicious redirect

An external script is loaded from cdn.54ads.com (https://cdn.54ads.com/7db20370.js) — an ad network domain with no disclosed identity. Dynamically loaded ad scripts from opaque CDN domains can execute arbitrary JavaScript including drive-by redirects, credential harvesting overlays, or cryptomining. (location: page.html:3223 (<script async src='https://cdn.54ads.com/7db20370.js'>))