tl;dr
The NSFW furry quiz at yiffpersonality[.]com is part of a malvertising campaign that I assess with moderate-high confidence is a variant of ApateWeb.
If you took the quiz but did not get any malicious redirects/popups, you're fine. If you did get sketchy redirects but did not interact further, you may have been identified as a potential future victim, but have likely not been compromised. I cannot say beyond that at this stage of investigation. Read the full post and series for the nuance uwu
STIX/IOCs at the end of the series
NOTE: This post contains mildly NSFW content
Discovery
In mid-late January 2026, a silly quiz hosted at yiffpersonality[.]com began circulating in the furry community, purporting to tell you which kind of horny furry you are based on your answers to 20 questions. As a lover of such silly quizzes, I and many others took it with nothing apparently wrong or suspicious happening, other than my result not being a fox and 75% kinky oddly being considered "vanilla."
However, a day later a friend tried to take the quiz and received a redirect to a scareware page tuned for his device (in this case, Safari on iOS). This piqued my curiosity, as again I and several others had taken the quiz the previous day with nothing suspicious occurring. So I decided to reach out on social media to see if any other furries had experienced malicious redirects or popups.
While I have deleted my initial Bluesky post because I worried it was encouraging people to keep visiting the site out of a desire to help, the response was overwhelming: many furs had indeed experienced a variety of redirects and the like. At this stage it was time to investigate.
Domain
Before I talk about what I eventually found on the actual site, it's worth seeing what I found regarding the domain, yiffpersonality[.]com. WHOIS didn't tell me anything terribly interesting, this being a pretty typical private registration with GoDaddy, using GoDaddy nameservers. Remember the creation date though - 25.08.2025 (25 August 2025)
Domain Name: yiffpersonality.com
Registry Domain ID: 3013632826_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: https://www.godaddy.com
Updated Date: 2025-08-25T22:21:37Z
Creation Date: 2025-08-25T22:21:37Z
Registrar Registration Expiration Date: 2026-08-25T22:21:37Z
Registrar: GoDaddy.com, LLC
...
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Postal Code: 85281
Registrant Country: US
...
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
Furthermore, checking other domains on the same IP showed legitimate sites, suggesting that this was a shared host with a legitimate hosting provider (based in California). However, yiffpersonality turned out to have a very... intriguingly-named subdomain:
Now, pay[.]yiffpersonality[.]com was not actually set up to do anything yet, but the question is obvious: why does a silly free furry quiz have something related to payment? When you combine this with people getting sketchy redirects, the implication that there may be some kind of malvertising campaign or similar afoot becomes an obvious lead.
For now, remember that implication and the August 2025 date. Next, back to the site itself.
Stage 0: Malicious external script and a domain
As the site itself is fairly simple (e.g. no CMS or anything) and victims were experiencing redirects while non-victims like myself had experienced the quiz without incident, some natural questions arose: where are those redirects coming from, and why some clients but not others?
Now, by this point I had collected some decent data from members of the furry public to see if I could find some pattern in who was and wasn't affected in terms of OS + browser, and frankly didn't see much of one. Instead of going even further with an attempt to discern a pattern (asking for versions, adblock or no, specific blocklist(s) being used...) I decided that at this point a much more effective use of time would be to just see if I could trigger the malicious behavior and then dive down the rabbit hole.
So as I often do when investigating web stuff, I decided to keep fiddling around with the site while watching DevTools...and basically immediately caught something interesting when beginning the quiz:
The site was attempting (and failing) to load an external script called invoke.js
Here we have our first (likely) real Indicator of Compromise (IOC), the domain highperformanceformat[.]com. Some cursory research showed that this domain had been flagged for malicious activity before (e.g. on AlienVault OTX), and it was referenced in this Q2 2025 (July 2025) client-side attack report from cside.
Do you remember that registration date I told you to remember from earlier? That's right, August 2025. And what is the top-ranked campaign from said report? Well, allow me the indulgence of a block quote:
1. Chinese PWA Injection Scam - Mobile Targeting with Adult Themes
First spotted in June 2025, this campaign has already hit over 10,000 websites and is still active.
Root Cause: Injected code into service worker and PWA logic of popular themes and templates.
Attack Infrastructure: Hosted on rotating subdomains linked to adult-themed APK lures.
Attack Infrastructure: Domains like qaztool[.]com and its subdomains were responsible for injecting iframes that took over the entire viewport.
What makes this attack unique?
It only triggers if you're using a mobile device.
Encourages installation of malicious PWAs posing as adult apps
Uses fingerprinting and cloaking to evade sandboxes
Key Takeaway: This attack doesn't just affect browsers, it puts user devices at long-term risk.
Sure, not every detail matches, at least yet. But potentially rotating (sub)domains? Adult/NSFW lures? Code injection? Fingerprinting? Even if this isn't exactly the same, it still rhymes.
Even better, I now had some leads on how I might trigger the malicious behavior. Although it turns out there are supposedly some desktop users affected, based on the above plus the data I had at the time, I decided to focus on mobile, a decision reinforced by the fact that on desktop I could not get invoke.js to return anything other than a 403, no matter which browser/adblock-or-lack-thereof combination I tried. Furthermore, given that this was now an investigation (and neither of my actual phones had triggered the malicious behavior for whatever reason), it was time for an emulator.
Because the threat actors were clearly doing some kind of target filtering (even with adblock off, I would still get a 403 trying to GET invoke.js), I decided to try to make myself look like a fairly realistic target: giving myself a realistic screen resolution, making sure my user agent matched my navigator.platform value, and even using a cell modem for my internet connection rather than home internet (or VPNs and proxies via home internet).
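As an added example (not code from the original post), here is the kind of self-consistency check I would run against an emulated profile before pointing it at a suspect site: it compares the user agent family against navigator.platform, the screen size and touch support, which are exactly the values that were lining up (or not) in the setup above. The expected platform strings and viewport ranges are assumptions based on common real phones, not a complete list, and the two profiles are constructed sample data.

```javascript
// Added example, not code from the original post. Checks that an emulated
// mobile profile exposes values that agree with each other (user agent vs
// navigator.platform vs screen size vs touch support). Expected values are
// assumptions drawn from common real devices and are not exhaustive.

// navigator.platform values commonly reported per UA family (assumption).
const EXPECTED_PLATFORMS = {
  iphone: ['iPhone'],
  android: ['Linux armv8l', 'Linux aarch64', 'Linux armv7l'],
};

// Plausible portrait CSS viewport range for a phone (constructed heuristic).
const PHONE_VIEWPORT = { minWidth: 320, maxWidth: 500, minHeight: 560, maxHeight: 1000 };

// Coarse UA family: 'iphone', 'android' or 'other' (desktop/unknown).
function uaFamily(userAgent) {
  const ua = userAgent.toLowerCase();
  if (ua.includes('iphone')) return 'iphone';
  if (ua.includes('android')) return 'android';
  return 'other';
}

// Returns a list of inconsistencies; an empty list means the profile is self-consistent.
function checkProfile(profile) {
  const problems = [];
  const family = uaFamily(profile.userAgent);
  if (family === 'other') {
    problems.push('user agent does not look like a phone');
  } else if (!EXPECTED_PLATFORMS[family].includes(profile.platform)) {
    problems.push(`navigator.platform "${profile.platform}" does not fit a ${family} user agent`);
  }
  const { width, height } = profile.screen;
  const v = PHONE_VIEWPORT;
  if (width < v.minWidth || width > v.maxWidth || height < v.minHeight || height > v.maxHeight) {
    problems.push(`screen ${width}x${height} is not a plausible portrait phone size`);
  }
  if (!(profile.maxTouchPoints > 0)) {
    problems.push('phone user agent but navigator.maxTouchPoints is 0');
  }
  return problems;
}

// Constructed sample profiles (not values from any real capture).
const PROFILES = {
  consistent: {
    userAgent: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36',
    platform: 'Linux armv8l',
    screen: { width: 412, height: 915 },
    maxTouchPoints: 5,
  },
  // An iPhone user agent sitting on top of desktop-looking values.
  mismatched: {
    userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1',
    platform: 'Win32',
    screen: { width: 1920, height: 1080 },
    maxTouchPoints: 0,
  },
};

for (const [name, profile] of Object.entries(PROFILES)) {
  console.log(name, checkProfile(profile));
}
```

Inside the emulator itself you would feed the function the live values, i.e. navigator.userAgent, navigator.platform, screen.width/height and navigator.maxTouchPoints, from the DevTools console; any non-empty result is a reason to fix the profile before wasting a capture run.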
With this combination finally in place, I decided to try again.
Success. There are actually a lot more requests than this, and depending which run it was on I would end up on either Alibaba or TikTok rather than the sort of final malicious result (e.g. scareware on a sketchy domain) I had seen with some victims, but we have multiple important leads in the above.
First of all, we're able to actually GET the stage 1 js, so analyzing it is within our reach. But there's more. Second, we have more domains:
* kettledroopingcontinuation[.]com
* wayfarerorthodox[.]com
* realizationnewestfangs[.]com
These in turn are initiators for various watch.<something>.js. This is a movie I've seen before, and a plausible structure of the chain was forming for me:
* The attacker web infrastructure has some rudimentary checks (e.g. IP, user agent) to see if it should accept a GET request for the stage 1 invoke.js
* invoke.js is a loader that does much more detailed checks, the results of which it sends to a stage 2 watcher (watch.<stuff>.js)
* The watcher script determines what to do with the information from stage 1 (invoke.js)
* At this point, I was possibly being detected as not a real victim and sent to (relatively) innocuous redirects, which at least for me were notably Chinese (despite my not being Chinese and being located in Germany)
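To make that chain structure concrete for anyone checking their own captures, here is an added example (not code from the original post, and nothing the attackers wrote) that walks a HAR-like request log and tags each request against the stages above: the quiz site, invoke.js from the ad domain (served or refused), and watch.<something>.js on one of the redirect domains. The domain names are the ones named in this post; the request paths and the two sample runs are constructed placeholders, not real captures.

```javascript
// Added example, not code from the original post. Tags entries of a captured
// request log against the chain described in the post: stage 0 = the quiz
// site, stage 1 = invoke.js from the ad domain, stage 2 = watch.<something>.js
// on a redirect domain. Domains are the indicators named in the post; the
// paths and sample runs below are constructed placeholders.

const QUIZ_DOMAIN = 'yiffpersonality.com';
const LOADER_DOMAIN = 'highperformanceformat.com';
const WATCHER_DOMAINS = [
  'kettledroopingcontinuation.com',
  'wayfarerorthodox.com',
  'realizationnewestfangs.com',
];
// Matches a path ending in watch.<something>.js, the naming seen in the post.
const WATCHER_PATH = /\/watch\.[^/]+\.js$/i;

// True when host is the domain itself or any subdomain of it; the report the
// post quotes mentions rotating subdomains, so an exact match would be too narrow.
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns a stage tag for one request entry of the form {url, status}.
function classify(entry) {
  const u = new URL(entry.url);
  const host = u.hostname.toLowerCase();
  if (underDomain(host, LOADER_DOMAIN) && u.pathname.endsWith('/invoke.js')) {
    return entry.status === 200 ? 'stage1-loader-served' : 'stage1-loader-refused';
  }
  if (WATCHER_DOMAINS.some((d) => underDomain(host, d)) && WATCHER_PATH.test(u.pathname)) {
    return 'stage2-watcher';
  }
  if (underDomain(host, QUIZ_DOMAIN)) return 'stage0-site';
  return 'other';
}

// Summarises a whole run: per-tag counts, watcher hosts seen, and a verdict.
function summarize(entries) {
  const counts = {};
  const watcherHosts = new Set();
  for (const e of entries) {
    const tag = classify(e);
    counts[tag] = (counts[tag] || 0) + 1;
    if (tag === 'stage2-watcher') watcherHosts.add(new URL(e.url).hostname.toLowerCase());
  }
  let verdict = 'no-loader-request';
  if (counts['stage1-loader-served']) {
    verdict = watcherHosts.size ? 'chain-observed' : 'loader-only';
  } else if (counts['stage1-loader-refused']) {
    // Server-side target filtering, as the post's desktop attempts showed.
    verdict = 'loader-refused';
  }
  return { counts, watcherHosts: [...watcherHosts].sort(), verdict };
}

// Constructed sample runs (placeholder paths, not real captures).
const RUN_EMULATOR = [
  { url: 'https://yiffpersonality.com/', status: 200 },
  { url: 'https://www.highperformanceformat.com/PLACEHOLDER/invoke.js', status: 200 },
  { url: 'https://kettledroopingcontinuation.com/watch.PLACEHOLDER1.js', status: 200 },
  { url: 'https://cdn.wayfarerorthodox.com/watch.PLACEHOLDER2.js', status: 200 },
  { url: 'https://www.alibaba.com/', status: 200 },
];
const RUN_DESKTOP = [
  { url: 'https://yiffpersonality.com/', status: 200 },
  { url: 'https://www.highperformanceformat.com/PLACEHOLDER/invoke.js', status: 403 },
];

console.log(summarize(RUN_EMULATOR));
console.log(summarize(RUN_DESKTOP));
```

A real HAR export can be fed in by mapping each entry to {url: entry.request.url, status: entry.response.status}; a run that ends in 'loader-refused' is the "filtered out" case, while 'chain-observed' means the client was accepted and handed to a watcher, which is the point at which the stage 2 hosts become worth adding to a blocklist.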
The next step was therefore obvious: analyze invoke.js in detail to see what it does. Because I need sleep, that's what we'll cover in part 2.