Is missav123.com safe?

encoded payload

suspicious base64-like blobs detected in page content

malicious redirect

script/meta redirect patterns detected in page source

js obfuscation

JavaScript uses eval() with String.fromCharCode — common obfuscation

js obfuscation

JavaScript appears to use a common packer pattern (p,a,c,k,e,d)

malicious redirect

Multiple partner links use bit.ly URL shorteners (e.g., bit.ly/3HXTrNA, bit.ly/4bQtWu8, bit.ly/4tO0bAC, bit.ly/4rdPxBm, bit.ly/4o2Ad8Q, bit.ly/46CgsyZ, bit.ly/4apXHPS, bit.ly/3JkoZxK, bit.ly/4gRZIHs, bit.ly/3uTvrRM) that obscure true redirect destinations. These are labeled as sponsored links to adult sites but the actual landing URLs are unknown and unverifiable. (location: page.html:1440-1525, page.html:1967-2015)

obfuscated code

A heavily nested eval()-based packer (Dean Edwards p,a,c,k,e,d pattern, double-nested) is present at the bottom of the page. The outer layer unpacks an inner layer which itself contains obfuscated JavaScript. The inner payload appears to check for known MissAV domain variants (missav.ai, missav01.com, njavtv.com, missav123.com, 123av.org, missav.ws) but the full decoded logic is not visible due to truncation. Use of eval() with double-obfuscation is a strong indicator of code concealment. (location: page-text.txt:2777)

malicious redirect

The site loads an ad script from sunnycloudstone.com (//sunnycloudstone.com/62/bd/ca/62bdca270715b3b43fbac98597c038f1.js), a third-party domain with no established reputation. This script is dynamically injected into the document head and could redirect users or serve malicious payloads. (location: page-text.txt:2706)

hidden content

A Cloudflare challenge iframe is injected dynamically and set to 1x1 pixels with style position:absolute, top:0, left:0, border:none, visibility:hidden. While this pattern is used legitimately by Cloudflare Bot Management, it creates an invisible iframe that executes JavaScript (window.__CF$cv$params) without user awareness. (location: page-text.txt:2780)

credential harvesting

The site presents login, registration, password reset, and password change forms that collect email addresses, usernames, and passwords. The site domain (missav123.com) uses a numeric suffix variation of the brand name MissAV, which is consistent with copycat or mirror sites that harvest credentials from users who believe they are logging into the legitimate service. (location: page.html:455-534)

brand impersonation

The site presents itself as 'MissAV' (og:site_name, title, logo) but operates from missav123.com rather than the apparent canonical domain missav.ws (used for logo image: missav.ws/missav/logo-square.png). The numeric suffix '123' in the domain is a common pattern in copycat/mirror sites. The og:image pulls assets from missav.ws, suggesting this domain may be impersonating or is an unofficial mirror of missav.ws. (location: page.html:26-31, metadata.json:1)

social engineering

The 'more good sites' (更多好站) partner section uses persuasive Chinese labels describing linked sites as 'cracked versions' (破解版) of popular platforms including TikTok adult version (TikTok成人版), adult Douyin cracked version (成人抖阴破解版), Bika Comics cracked version (哔咔漫画破解版), and similar. These labels are designed to lure users into clicking through to unknown destinations via opaque bit.ly redirectors by implying free premium access. (location: page.html:1439-1511, page-text.txt:524-550)

malicious redirect

A link labeled '地址发布' (address publication) points to https://missav.live/cn in a new tab with target=_blank. This is a separate domain (missav.live) that may serve as a domain-forwarding or fallback site, potentially redirecting users away from the main domain under enforcement or takedown scenarios. (location: page.html:1419-1421)