context safety score
A score of 37/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
exfiltration
JavaScript intercepts form submissions to exfiltrate data
malicious redirect
JavaScript dynamically fetches redirect targets from an external C2-like endpoint (https://cdn.hub4u.cloud/host/) using a time-based hourly seed, then rewrites window.location.host to whatever domain the remote server returns. This allows the operator to silently redirect all visitors to an arbitrary domain at any time without modifying the page itself. (location: page.html:226 – chkh() function, atob('aHR0cHM6Ly9jZG4uaHViNHUuY2xvdWQvaG9zdC8='))
obfuscated code
All sensitive URLs, redirect targets, and UI strings are base64-encoded with atob() throughout the JavaScript to evade static analysis. Decoded values reveal: redirect URL https://hdhub4uv.com/?re=hd, C2 host-config endpoint https://cdn.hub4u.cloud/host/, and inline HTML injected into the DOM after click. (location: page.html:224-230 – multiple atob() calls in DOMContentLoaded handler)
malicious redirect
Any click on an 'a.new-tab' element (including the logo and 'View Full Site' button) triggers a programmatic redirect to a URL fetched from a remote server (data.c, base64-decoded) or falls back to https://hdhub4uv.com/?re=hd. The destination is not disclosed to the user and is controlled server-side. (location: page.html:224 – forEach click handler on a.new-tab elements)
malicious redirect
A URL parameter check ('re') unconditionally redirects the user to https://hdhub4uv.com/?re=hd via window.location.href. This enables silent chained redirects when users arrive via referral links containing '?re='. (location: page.html:230 – p_.get('re') redirect block)
social engineering
The page extensively promotes HDHub4u as 'secure,' 'safe,' and free of 'malware or viruses' (section 9) while simultaneously admitting it operates in a 'grey area of legality' and may expose users to 'malicious links.' This false safety narrative is designed to lower users' guard before redirecting them to third-party piracy sites. (location: page.html:98,192-196 – contradictory safety claims in body text)
brand impersonation
The page impersonates the HDHub4u brand across multiple domains (hdhub4u.gd, hdhub4u.mn, hdhub4uv.com) using consistent logos, branding, and cross-linking. The meta keywords list historical domains (HDHub4u.Lc, HDHub4u.Tv) to capture search traffic, while the actual content site differs from the landing domain. The sharethis iframe references hdhub4u.mn as the canonical domain, not hdhub4u.gd. (location: page.html:12 – meta keywords; page.html:213 – sharethis iframe dmn=hdhub4u.mn)
hidden content
A hidden iframe (display:none) is loaded from //t.sharethis.com with tracking parameters including an IP address field (ipaddr=, present but left blank), country code (cc=IN), and continent. This silently fingerprints visitors. Additionally, the page injects dynamic HTML into element #stx after user interaction; that content is remotely controlled via a base64-encoded server response. (location: page.html:213 – pxcelframe iframe style='display:none'; page.html:224 – stx innerHTML injection)
curl https://api.brin.sh/domain/hdhub4u.gd
Common questions teams ask before deciding whether to use this domain in agent workflows.
hdhub4u.gd currently scores 37/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.