Is masafun.com safe?

encoded payload

suspicious base64-like blobs detected in page content

phishing

1 deceptive links where visible host does not match destination host

obfuscated code

Highly obfuscated JavaScript in the first <script> tag uses a multi-layer obfuscation scheme: URL-encoded string decoding, character rotation cipher (Caesar-style with position-dependent offsets), array slicing by precomputed index offsets, and dynamic property/function resolution. The script dynamically constructs URLs and function references at runtime, making its true payload (likely ad-injection, traffic redirection, or fingerprinting) impossible to determine from static analysis. Loaded unconditionally with data-cfasync='false' to bypass Cloudflare's rocket-loader scrutiny. (location: page.html:12 — first inline <script> block, immediately before <meta charset>)

malicious redirect

External script loaded from driverhugoverblown.com — a domain with a clearly synthetic/randomised name consistent with malvertising infrastructure. Loaded asynchronously with data-cfasync='false' (bypassing Cloudflare scanning) and wired to the obfuscated obgow() dispatcher via both onerror and onload handlers. This pattern is a canonical drive-by redirect / popunder ad delivery mechanism used in adult traffic monetisation networks known to chain into malware and credential-harvesting landers. (location: page.html:13 — <script src='//driverhugoverblown.com/on.js'>)

obfuscated code

Second obfuscated JavaScript block in the page footer uses a hexadecimal string-array rotation loop (while(!![]){...push/shift anti-tamper pattern}) combined with MD5 implementation and obfuscated property names assembled from concatenated substrings. The decoded logic constructs a 'adMaNager' (ad manager) endpoint path and makes date-stamped requests, consistent with covert ad/tracking beacon injection or affiliate cookie stuffing. Loaded with data-cfasync='false'. (location: page.html:1978 / page-text.txt:1819 — footer <script data-cfasync='false'> block)

brand impersonation

The site operates under the URL masafun.com but presents its brand inconsistently across multiple identities: title tags claim 'MasaLoL.Com', og:site_name switches between 'MasaFun.Net' and empty string, the author meta tag references '[b]Masahub.com[/b]', and the copyright footer reads 'LOL-MF©2026 MasaLoL.Com'. This deliberate multi-brand identity confusion is used to impersonate or trade off the reputations of masahub.com, masafun.net, and masalol.com simultaneously, siphoning SEO equity and misleading users/crawlers about which site they are actually visiting. (location: page.html:17,24,27,80,97,110,141,160,1977)

hidden content

Multiple ad-network site-verification tokens are embedded that are not visible to users but expose the site's full monetisation stack: HilltopAds (×2), Clickaine (×2, duplicate token), DaoPush, ExoClick, and maValidation (×2). These networks are well-documented conduits for malvertising, push-notification spam, and popunder/redirect campaigns targeting adult traffic. Their presence confirms the obfuscated scripts are wired to these networks. (location: page.html:68–78 — meta verification tags (hilltopads-site-verification, clickaine-site-verification, daopush-site-verification, exoclick-site-verification, maValidation))

social engineering

The site presents itself as a free video streaming platform ('Watch free new porn videos') while silently running at least four obfuscated ad-network scripts. Users are lured with free content while being subjected to drive-by ad delivery, push-notification subscription prompts (DaoPush, Clickaine), and potential redirect chains — a classic bait-and-switch social engineering model used to harvest push-notification subscriptions and deliver unwanted software. (location: page.html:18,24 — meta description and og:description; corroborated by ad-network verification tags)

malicious redirect

Assets (CSS, JS, images) are loaded from cdn-mfun.b-cdn.net and mhub2.b-cdn.net — BunnyCDN pull zones under operator control — and init.js is loaded from cdn-mfun.b-cdn.net without subresource integrity (SRI) checks. These CDN-hosted scripts can be silently updated to inject redirects or malicious payloads without any change to the page HTML, and cannot be audited from the static page source alone. (location: page.html:125-126 — <script src='https://cdn-mfun.b-cdn.net/js/init.js?v=1.0.5'>)

hidden content

The page uses duplicate id='ajax_content' on two sibling <div> elements (Trending and Latest sections). While likely a WordPress theme bug, duplicate IDs combined with the jQuery .load() AJAX content-injection pattern (which targets '#ajax_content' to replace page content) creates an ambiguous DOM state that could be exploited to inject or swap content sections without user awareness, and may confuse AI agents parsing the page structure. (location: page.html:272,1096 — id='ajax_content' used twice on separate section divs)