context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
exfiltration
JavaScript intercepts form submissions to exfiltrate data
malicious redirect
JavaScript dynamically fetches redirect target from an external C2-like endpoint (https://cdn.hub4u.cloud/host/) using a base64-obfuscated URL. The fetched JSON payload can overwrite window.location.host to redirect the entire page to an attacker-controlled domain. This enables real-time, remotely-switchable domain hijacking without changing page code. (location: page.html:226 — chkh() function, atob('aHR0cHM6Ly9jZG4uaHViNHUuY2xvdWQvaG9zdC8=') decoded to https://cdn.hub4u.cloud/host/)
malicious redirect
All 'View Full Site' and logo anchor clicks are intercepted and redirected to a base64-encoded URL (https://hdhub4uv.com/?re=hd). The destination domain 'hdhub4uv.com' differs from the site's own domain 'hdhub4u.catering', routing users to a separate, likely ad-monetized or malicious site. The redirect URL is also injected into visible page HTML via innerHTML. (location: page.html:224 — new-tab click handler, atob('aHR0cHM6Ly9oZGh1YjR1di5jb20vP3JlPWhk') decoded to https://hdhub4uv.com/?re=hd)
malicious redirect
URL parameter 're' triggers an unconditional redirect to https://hdhub4uv.com/?re=hd via base64-obfuscated hardcoded URL. Any visit with a 're' query parameter (e.g., the ping URL '/?re=hdhub&t=1') immediately forwards the user off-site without consent. (location: page.html:230 — if (p_.get('re')) { window.location.href = atob('aHR0cHM6Ly9oZGh1YjR1di5jb20vP3JlPWhk') })
obfuscated code
Multiple critical URLs and HTML strings are base64-encoded throughout the inline JavaScript to hide redirect targets, injected HTML content, and the external host-control endpoint from static analysis. Decoded values include: redirect destination https://hdhub4uv.com/?re=hd, external config endpoint https://cdn.hub4u.cloud/host/, and an injected anchor tag with green styling designed to lure clicks. (location: page.html:224-230 — multiple atob() calls obfuscating URLs and injected markup)
malicious redirect
The chkh() function fetches JSON from https://cdn.hub4u.cloud/host/ and, if the returned 'h' field (base64-decoded) differs from the current window.location.host, sets window.location.host to the fetched value. This is a remotely-controlled domain-swap mechanism allowing the site operator to silently redirect all visitors to any domain at any time without updating the page itself. (location: page.html:226 — window.location.host = atob(data.h) assignment inside chkh())
social engineering
The page is a landing/proxy page for an illegal piracy site (HDHub4u) that lures users with promises of free HD movie downloads, no sign-up required, and 'secure and safe browsing' claims — while itself acknowledging exposure to 'malicious links' and 'intrusive ads'. The site self-admits operating in a 'grey area of legality' while simultaneously claiming safety, creating false trust to drive traffic through monetized redirects. (location: page.html:98,192-196 — body text and section '9. Secure and Safe Browsing')
brand impersonation
The site operates at hdhub4u.catering but impersonates the HDHub4u brand (associated with domains hdhub4u.mn, hdhub4u.lc, hdhub4u.tv per meta keywords). The .catering TLD is unrelated to the brand, and the page redirects users to hdhub4uv.com — a typosquat variant — suggesting this is a spoofed intermediary page impersonating the real HDHub4u to intercept traffic and monetize via redirects. (location: page.html:12 — meta keywords listing hdhub4u.lc, hdhub4u.tv; page.html:95 — canonical link to hdhub4u.mn; metadata.json — domain hdhub4u.catering)
hidden content
A hidden iframe from sharethis (//t.sharethis.com/a/t_.htm) leaks the referrer domain as 'hdhub4u.mn' in its src URL parameters (dmn=hdhub4u.mn, rdn=hdhub4u.mn), revealing the true origin site while the page is served from hdhub4u.catering. The iframe is set to display:none, hiding this tracking/data-leakage element from users. (location: page.html:213 — <iframe id='pxcelframe' style='display: none;' src='//t.sharethis.com/a/t_.htm?...dmn=hdhub4u.mn...'>)
curl https://api.brin.sh/domain/hdhub4u.catering
Common questions teams ask before deciding whether to use this domain in agent workflows.
hdhub4u.catering currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.