Is kinogo.inc safe?

encoded payload

suspicious base64-like blobs detected in page content

credential harvesting

credential form posts to an off-domain endpoint (may be legitimate SSO/OAuth)

cloaking

Page conditionally redirects based on referrer or user-agent

malicious redirect

The site is served from kinogo.inc but all canonical links, navigation, content links, and branding point to kinogo.my. The kinogo.inc domain acts as a redirect/mirror/clone that silently forwards users to a different domain (kinogo.my). Users browsing to kinogo.inc receive a full page that references kinogo.my as the authoritative site, including a rel=canonical tag pointing to https://kinogo.my/. This domain substitution is a common technique used by piracy mirrors and phishing infrastructure to capture traffic under alternate TLDs while funneling users to the actual content site. (location: page.html:11 (rel=canonical href='https://kinogo.my/'), metadata.json (domain: kinogo.inc vs. all links pointing to kinogo.my))

brand impersonation

The site at kinogo.inc impersonates the established Russian streaming brand 'Киного' (Kinogo), which operates from kinogo.my. The page title, meta tags, logo SVG, and all branding reference 'Киного - Kinogo.my', while the actual serving domain is kinogo.inc — a different TLD. This is a classic brand-squatting/impersonation pattern where an alternate domain mimics a known brand to capture its user base, potentially to serve malicious ads or harvest credentials. (location: page.html:6 (title tag), page.html:11 (canonical), page.html:1297 (logo link), metadata.json (domain: kinogo.inc))

hidden content

An ad injection div with id 'trickorlife' is present at the top of the body with no visible content. The name 'trickorlife' is atypical for legitimate ad placements and suggests potentially deceptive ad injection. Multiple anonymous <ins> ad tags with opaque data-key hashes (e.g., '62c397b6053b71bd0e8338e83a47b97f', '2ef87709fa0c3ad431f4872baf039e00', '24ce9959a706f69d84cb49a98a762ae5', '029e83ea4e38c8557fa3e26c890b277d') load third-party ad content from srv224.com and cdn77.srv224.com with no transparency about the ad network or content served. (location: page.html:75 (div#trickorlife), page.html:103, 257, 421, 894 (<ins> ad tags))

malicious redirect

An external script is loaded asynchronously from https://cdn77.srv224.com/ee314b03.js — a third-party CDN domain associated with ad networks that have been linked to malvertising and forced redirect campaigns. The obfuscated filename (ee314b03.js) and the CDN domain srv224.com are characteristic of ad-tech infrastructure that can inject pop-unders, redirect users to scam pages, or serve drive-by malware, especially on piracy streaming sites. (location: page.html:1508 (<script async src='https://cdn77.srv224.com/ee314b03.js'>))

hidden content

A CSS rule sets an epom pushdown ad div (div[id*=epom-pushdown]) to cover the full page with position:absolute, height:100%, width:100%, and z-index:1, while placing it behind legitimate content (z-index:2). This pattern is used to create invisible full-page clickjacking overlays: any click anywhere on the page that misses a foreground element lands on the ad div, generating fraudulent ad clicks or triggering redirect pop-ups. The use of the 'cursor:pointer' property on this full-page overlay reinforces the clickjacking intent. (location: page.html:44-56 (CSS for body > div[id*=epom-pushdown]))

social engineering

The site presents itself as a free, legitimate streaming service with claims of 'no hidden payments', 'data security', and 'millions of viewers', while operating under a suspicious alternate domain (kinogo.inc instead of the canonical kinogo.my) and distributing copyrighted content without authorization. These reassurance statements are typical social engineering tactics used on piracy sites to reduce user suspicion and encourage account registration and continued engagement. (location: page.html:1267-1275 (footer text), page-text.txt:1198-1206)