context safety score
A score of 22/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
obfuscated code
Large heavily obfuscated JavaScript block using multi-stage decoding: URI-encoded string decoded via decodeURI(), character rotation cipher (charCode offset by position mod 95), and array index splitting. The decoded payload sets up ad/pop-under network configuration with multiple ad provider endpoints. This technique is characteristic of malvertising loaders that hide their true behavior from static analysis. (location: page.html:99 — <script data-cfasync="false">!function(){"use strict";for(var n=decodeURI("wd%60andp%5E...")}())
malicious redirect
Third-party ad script loaded from cupbearergrowllurch.com, a domain with no legitimate brand identity and a name pattern consistent with randomly-generated malvertising domains. The script uses async loading and registers onerror/onload callbacks (btabbuqd), which is a pattern used by pop-under and forced-redirect ad networks to trigger redirects even on script load failure. (location: page.html:100 — <script data-cfasync="false" data-clocid="2090594" async src="//cupbearergrowllurch.com/on.js")
malicious redirect
Third-party ad script loaded from lf.enrolcopals.com, another unrecognized domain with a pattern consistent with ad-network subdomains used by aggressive or malicious ad networks to serve pop-unders or forced redirects to unsuspecting users. (location: page.html:179 — <script data-cfasync="false" async type="text/javascript" src="//lf.enrolcopals.com/sg3Dl3b7ENrLJ/137104">)
social engineering
The site prominently redirects users to a different domain (dualeotruyenky.com) in the notification area and footer, stating the current domain (dualeotruyenvx.com) may be inaccessible and encouraging users to use the alternate domain. The canonical tag and og:url also point to dualeotruyenky.com rather than the current domain. This domain-split pattern is used to shepherd users between mirror sites, which can be exploited to redirect users to a site with more aggressive malvertising or credential harvesting at a later stage. (location: page.html:18, 36, 168, 989 — og:url, canonical, notification box, footer link all point to dualeotruyenky.com)
hidden content
The registration form has reCAPTCHA v2 code commented out (<!-- Thêm phần reCAPTCHA v2 ... -->), meaning bot-registration and automated credential stuffing protections are disabled. Login and registration forms accept credentials without CAPTCHA, making the site's credential store easier to abuse. (location: page.html:1103-1105 — commented-out reCAPTCHA block in registration form)
credential harvesting
Login and registration modals collect username, password, and email via plain modal dialogs styled to look like native site UI. The form submissions are handled by process.js via AJAX to /process.php with no visible CSRF token or reCAPTCHA (which is commented out). On a 74-day-old domain with obfuscated ad scripts present, this increases the risk that credentials submitted are logged or exfiltrated. (location: page.html:1083-1225 — #box_pop_register, #box_pop_login, #box_pop_password modals)
obfuscated code
Ad banner script loaded from acscdn.com via aclib.runBanner() with a numeric zoneId. The aclib library is loaded inline inside the page content area (inside .content_view notification box rather than a dedicated ad slot), making it harder to distinguish ad injection from site content. This placement pattern is used to serve ads disguised as site notifications. (location: page.html:170-178 — aclib.runBanner({zoneId:'11004342'}) inside notification content div)
curl https://api.brin.sh/domain/dualeotruyenvx.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
dualeotruyenvx.com currently scores 22/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.