context safety score
A score of 38/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
brand impersonation
TLauncher (tlauncher.ru) is a well-known unofficial Minecraft launcher that impersonates the Minecraft brand by using Minecraft branding, logos, and terminology throughout the site. The site presents itself as an official or best Minecraft launcher while being an unauthorized third-party distribution. It claims to distribute unmodified official Minecraft files ('все файлы скачиваются с серверов разработчиков') while simultaneously offering unlicensed access to a paid game, which constitutes brand impersonation of Mojang/Microsoft's Minecraft intellectual property. (location: page.html:4, page.html:386-407, page.html:27-28)
credential harvesting
The site presents a login modal (#login) that collects Minecraft/TLauncher account credentials (username '_username' and password '_password') via a POST form. The site explicitly encourages users to log in with their 'licensed account' email and password (page.html:437), with claims that requests go directly to developers' servers encrypted — but as an unauthorized third-party launcher, these credentials could be harvested or misused. The login form submits to the same origin but through an unofficial intermediary service. (location: page.html:982-1009, page.html:437)
social engineering
The site uses persuasive social engineering language to encourage users to download and trust the launcher: claims of 'maximum security' for licensed account credentials ('только максимальная безопасность'), assertion that game files are unmodified and downloaded directly from developers' servers, and competitive pressure messaging ('Мы на шаг впереди многих'). These reassurances are designed to overcome user hesitation about installing unofficial software. (location: page.html:437, page.html:467, page-text.txt:184)
malicious redirect
The download flow uses JavaScript window.location.href redirects triggered by a Vue.js component to serve executable files (/installer, /exe, /jar, /installer-linux, /installer-runner). These are opaque redirect chains where the actual download URL is determined client-side from a JSON configuration blob and executed via window.location.href = url, making it difficult to inspect what is actually being downloaded before the redirect occurs. (location: page.html:833-836, page.html:684)
hidden content
Yandex Metrica tracking pixel is hidden off-screen using CSS (position:absolute; left:-9999px) in a noscript tag. While standard analytics practice, the pixel is deliberately positioned outside the visible viewport to be invisible to users, constituting hidden tracking content. (location: page.html:1422)
hidden content
The page loads three simultaneous CAPTCHA scripts (Cloudflare Turnstile, hCaptcha, and Google reCAPTCHA) with a fallback rotation system. The primary CAPTCHA system used is determined dynamically at runtime and may differ per session/platform, obscuring which external service is receiving user interaction data. (location: page.html:857-859, page.html:1037-1151)
curl https://api.brin.sh/domain/tlauncher.ruCommon questions teams ask before deciding whether to use this domain in agent workflows.
tlauncher.ru currently scores 38/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.