Keitaro TDS Detector

How detection works

The scanner sends 4 HTTP request chains to the target and compares responses. Each chain targets a specific Keitaro behavior documented in official docs:

1

MAIN GET {url}

Baseline response for comparison

2

OFFER_TEST GET {url}?_lp=1&_token=invalid

Triggers offer redirect if Keitaro is present

3

CLICK_API GET {origin}/click_api/v3

Keitaro's documented click tracking endpoint

4

UPDATE_TOKENS GET {origin}/?_update_tokens=1

Keitaro's parameter update mechanism

Each response is analyzed through 7 independent evidence checks. If ≥2 checks pass — Keitaro is confirmed.

7 Evidence Checks

Verdict

Each evidence check is PASS or FAIL. The verdict is determined by the number of passed checks:

≥2

KEITARO

Keitaro TDS detected with sufficient evidence

≥1

CLOAKED

Cloaking or filtering detected, suspicious activity

0

CLEAN

No Keitaro evidence found

Two or more independent evidence checks must pass to confirm Keitaro TDS presence, reducing false positives.

Cloaking Analysis

Cloaking (content masking) is a technique where the server delivers different content based on the visitor type. TDS systems like Keitaro use this to show a clean page to search engine bots, moderators, and security scanners, while redirecting real users to a phishing page, scam offer, or malware download.

The scanner requests the same URL using 27 different profiles, divided into three groups:

Search Bots (8)

Googlebot, AdsBot-Google

Bingbot, Facebook Bot

DuckAssistBot, Amazonbot

Applebot, curl

AI Bots (12)

GPTBot, ChatGPT-User

ClaudeBot, Claude-Web

Gemini-AI, Google-Extended

PerplexityBot, DeepseekBot

xAI-Bot, Together-Bot

NotebookLM, GoogleAgent

Browsers (7)

Chrome + Google referrer

Chrome + Facebook referrer

Chrome + Twitter/X referrer

iPhone Safari, Android Chrome

macOS Safari, Firefox

For each profile, the response is compared against the baseline (standard Chrome request) by checking HTTP status code, response body size, final URL, Content-Type, and number of redirects. If any of these differ — the profile is marked as DIFF.

Typical cloaking pattern: Bots get HTTP 200 with a clean page, while browsers get HTTP 302 redirect to a different domain with scam content. If bots see the same content and browsers differ — this is a strong indicator of TDS filtering.

Requires Cloudflare Worker to function — CORS proxy cannot set custom User-Agent and Referer headers.

Redirect Chain & External Domain Detection

The scanner traces the full HTTP redirect chain from the initial request to the final destination and visualizes each hop as a timeline. Each step shows the HTTP status code, domain, and URL path.

External domain detection: if a redirect leads to a domain with a different root (e.g. example.com → scam-site.net), it is flagged with an EXTERNAL badge. External redirects are a common indicator of:

TDS routing — Keitaro redirects user to an offer page on a different domain
Cloaking — clean domain redirects to malicious content after bot filtering
Affiliate redirect chains — passing through tracking domains before the final offer

Note: not all external redirects are malicious. Legitimate CDN redirects, login flows, and domain migrations also produce external hops. Always correlate with other evidence.

Domain Intelligence

For each scanned domain, the tool collects background information from public sources:

IP & Geo

Resolves IP, hosting provider (ISP), ASN and location via ipwho.is

DNS (NS)

Queries nameservers via dns.google to reveal DNS provider

Registrar

RDAP query for domain registrar — useful for abuse reports

Standard Files

Checks robots.txt, sitemap.xml, security.txt presence

Only fields with resolved data are displayed. If a lookup fails or returns nothing, the field is omitted.

Common Endpoints (Extended)

Extended list of paths and patterns used by professional trackers, cloaks, and TDS systems. Includes classic endpoints and 2026 patterns.

Keitaro v10+ Core entry points, redirects, click uniqueness

/click.php /out.php /land /lp1 /lander/ /offer/ /?_lp=1 /?_new=1

IM KLO Verification & bot activity logging

/index.php /a.php?a= /verify /api/v1/log /gate.php /check.php

HideClick Session init & humanity verification

/check/ /verify/ /landing/ /validate /confirm/ /auth_check

JCI (Just Cloak It) Behavioral data scripts (mouse/touch)

/check.js /api/event /track /session/init /ts

Universal Custom scripts & bridge patterns

/go /to /redirect.php /link/ /promo/ /secure_link/ /validate/

Traps Fake actions to catch simple crawlers

/checkout /account-related /script-related /ordering-and-filtering

2026 CMS Mimicry Cloaking logic hidden in CMS-like paths

/wp-admin/admin-ajax.php?action=check_user

/catalog/products/compare/session_id=...

/api/v2/sessions/validate

Detection Points (Hidden Checks)

Beyond path analysis, cloaks search for anomalies in DOM and JS environment at these specific points.

DP-1 Client Hints Consistency (Sec-CH-UA)

2026 systems (Cloudflare Bot Management, JCI) compare User-Agent with Client Hints headers.

// Server sends:

Accept-CH: Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform-Version

Risk: If Worker spoofs only UA but doesn't respond to Client Hints or sends default values — instant ban (Anomalous Client)

DP-2 navigator.scheduling API

New 2026 standard for detecting real browser execution flow.

// Cloaks call during heavy JS blocks:

navigator.scheduling.isInputPending()

// Returns true if input events queued

Check: If method absent or always returns false (server-side env), request flagged as bot

DP-3 AI Labyrinth Traps

Cloudflare & DataDome use dynamic link networks visible only to bots.

// Signs in HTML:

Massive number of links with params like:

session=03D2CDBEA6... source=main-nav

// Leading to pages with duplicated content

Detection: Scanner counts duplicate-content link ratios to identify labyrinth pages

DP-4 Native Code toString Check

Cloaks verify that protection functions haven't been overridden.

// Expected result:

navigator.webdriver.toString()

// → "function get webdriver() { [native code] }"

Risk: Simply setting navigator.webdriver = false fails this test. Must use proper descriptor override.

Detection Signatures (Regex)

Patterns used by the scanner (HTMLRewriter / body parser) to identify cloaking and tracking scripts in page source.

Keitaro KClient Base64 Loader

dmFyIGtjbGllbnQ (Base64 → "var kclient")

window\.kclient

kclient\.js\?v=

IM KLO Stealth Script

imklo_loader

var\s+_0x[a-f0-9]{4}\s*=\s*['"]imklo['"]

ThreatMetrix TMX Profiling

h\.online-metrix\.net/fp/tags\.js

tmx_org_id\s*=\s*['"]\w+['"]

String Array Obfuscation Keitaro / HideClick

var\s+_0x[a-f0-9]{4}\s*=\s*\[\s*['"]\\x[0-9a-fA-F]{2}.*['"]\s*\]

Dynamic Function Constructor Base64 Execution

\b(new\s+Function|eval|setTimeout)\s*\(\s*atob\s*\(

Worker Enhancement Tasks

Task 16 Edge-Origin Masking via Residential Proxies

Why: CF Workers IPs are easily detected by ASN (Data Center).

Logic: Worker acts as "smart brain" — final request goes through proxy chaining on quality mobile/residential IPs.

Task 17 Dynamic Sec-CH-UA Emulation

Why: Data consistency between UA and Client Hints.

// Profile-based header generation

function getClientHints(ua) {

if (ua.includes("Chrome/140")) {

return {

'Sec-CH-UA': '"Google Chrome";v="140", "Chromium";v="140"',

'Sec-CH-UA-Mobile': '?0',

'Sec-CH-UA-Platform': '"Windows"',

'Sec-CH-UA-Full-Version-List': '"Google Chrome";v="140.0.6533.120"...'

};

}

Task 18 DOM Cleanup (JS Logs & Debug Variables)

Why: Systems like JCI leave hidden verification artifacts.

Logic: HTMLRewriter removes all scripts containing: fp.js, fingerprint, imklo, check.js

Task 19 Intl & Timezone Emulation

Why: Cloaks compare IP timezone vs browser timezone.

// Injection code:

const injectTimezone = `

Intl.DateTimeFormat.prototype.resolvedOptions =

function() {

return Object.assign(original.apply(this), {

timeZone: "${request.cf.timezone}"

});

};

`;