Is desifile.net safe?

encoded payload

suspicious base64-like blobs detected in page content

credential harvesting

credential form posts to an off-domain endpoint (may be legitimate SSO/OAuth)

cloaking

Page checks user-agent for bot/crawler strings to serve different content

cloaking

Page conditionally redirects based on referrer or user-agent

js obfuscation

JavaScript uses Function constructor for runtime code generation

malicious redirect

The URL being scanned is desifile.net, but the canonical URL, all internal links, all assets, and all form actions point to mmsbro.com. The Home menu item explicitly links back to desifile.net while the entire site is served as mmsbro.com. This indicates desifile.net is a redirect/cloaking domain funneling users to mmsbro.com without disclosure. (location: page.html:141 (canonical), page.html:308 (Home nav link href=https://desifile.net), metadata.json (url=https://desifile.net))

hidden content

CSS rules use 'visibility: hidden' on multiple UI elements including .exo_link, ._ccw-label, and .label__text. These classes suggest ad-network or content-warning labels are being deliberately hidden from users while remaining in the DOM, obscuring advertising disclosures or content warnings. (location: page.html:259-268 (.exo_link { visibility: hidden }, ._ccw-label { visibility: hidden }, .label__text { visibility: hidden }))

hidden content

The .membership CSS class is set to 'display: none', hiding membership-related UI elements. Combined with the registration/login modal collecting username, email, and password, this may obscure the true nature of account-creation prompts from users. (location: page.html:214-216 (.membership { display: none }))

prompt injection

The page contains a bot-detection script that explicitly checks for AI/crawler user agents (googlebot, bingbot, yandexbot, duckduckbot, ahrefsbot, semrushbot, and many others) and conditionally loads a separate script '/playvid.js' only for non-bot visitors. This is a classic cloaking technique that serves different content to AI agents and security scanners versus human users, constituting an active prompt injection / content-cloaking threat against AI-based analysis systems. (location: page.html:660-706 (isBot() function and conditional script loader))

obfuscated code

The page contains inline b64e/b64d base64 encode/decode functions and uses them throughout to store and execute code blocks (data-code attributes decoded at runtime via b64d()). The AI Inserter plugin infrastructure dynamically decodes and inserts arbitrary HTML/JS from base64-encoded data attributes, making static analysis of injected content impossible and providing a vector for hidden payload execution. (location: page.html:566-567 (b64e/b64d definitions), page.html:603-606 (ai_insert_code using b64d(u) to inject content))

credential harvesting

The page presents a modal registration and login form collecting username, email address, and plaintext password fields. The form action posts to https://mmsbro.com/ (a different domain than desifile.net being scanned), meaning credentials entered are transmitted to a third-party domain. Users visiting desifile.net would not expect their credentials to be submitted to mmsbro.com. (location: page.html:767-807 (wpst_registration_form and wpst_login_form posting to https://mmsbro.com/))

brand impersonation

The page title, meta description, og:tags, and visible content all brand the site as 'MmsBro' with canonical URL mmsbro.com, while the scanned domain is desifile.net. The meta description explicitly lists multiple brand names: 'MmsBro, Desifile, Viral Indian Porn, Desi Mms, Model Live, Desihub, Viralkand, Kamababa Desi', aggregating multiple brand identities to capture search traffic across all of them under a single site. The footer reads 'Powered by desifile.com' while the site is actually mmsbro.com, creating deliberate brand confusion. (location: page.html:138-151 (title/meta), page.html:727 (footer 'Powered by desifile.com'), page.html:141 (canonical mmsbro.com))