
[BUG] Security: gnupg entry in screenshot-database-v2.json links to a compromised/malvertising domain #4795

@aravindvnair99

Description

Please confirm these before moving forward

  • I have searched for my issue and have not found a work-in-progress/duplicate/resolved issue.
  • I have tested that this issue has not been fixed in the latest (beta or stable) release.
  • I have checked the FAQ section for solutions.
  • This issue is about a bug (if it is not, please use the correct template).

UniGetUI Version

3.2.4

Windows version, edition, and architecture

Windows 11 Pro 25H2 x64

Describe your issue

Summary

The gnupg entry in WebBasedData/screenshot-database-v2.json (lines 17128-17135) references www.tech-faq.com, a domain that has been compromised and is now serving malicious redirects through DGA infrastructure.

Affected Code

https://github.com/Devolutions/UniGetUI/blob/1121c35de6b9a60fddaa96864c473069cb64da62/WebBasedData/screenshot-database-v2.json#L17128-L17135

"gnupg": {
  "icon": "https://www.tech-faq.com/wp-content/uploads/gnupg-shell.png",
  "images": [
    "https://www.tech-faq.com/gnupg-shell/keyring_editor.png",
    "https://www.tech-faq.com/gnupg-shell/create_new_keyring.png",
    "https://www.tech-faq.com/gnupg-shell/file_manager.png"
  ]
}

What is happening

The domain tech-faq.com was previously a legitimate tech FAQ site but is now parked (nameservers point to fleyo.com) and being used for malvertising. When visited, it:

  1. Serves a minimal ~175 byte HTML page with JavaScript
  2. Redirects to a rotating DGA (Domain Generation Algorithm) domain (e.g. xenorivaq.xenorivaq.shop)
  3. Routes through a Cloudflare Pages cloaking layer (nectar-shore-wood.pages.dev)
  4. Redirects to Amazon.com with a fraudulent affiliate tag

The domain exhibits cloaking behavior - it non-deterministically serves either cached WordPress content or the malicious redirect chain.

Impact

UniGetUI makes HTTP requests to these URLs to fetch package icons/screenshots. This causes DNS filtering and security tools to flag and block UniGetUI's network requests, since the domain is now on threat lists.

Evidence

Cloudflare Radar scans confirming the malicious redirect chain:

DGA domain classified as malicious by Cloudflare:

Suggested Fix

Replace the icon URL with the official GnuPG logo: https://gnupg.org/share/logo-gnupg-light-purple-bg.png

For screenshots, consider sourcing from GnuPG's own site or removing the images entry if no suitable replacement is available on a trustworthy domain.
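The report boils down to a data-hygiene check: no icon or screenshot URL in the database should point at a domain known to be parked or malvertising. The script below is an added example, not code from UniGetUI or from the reporter. It parses a constructed JSON sample shaped like the quoted gnupg entry, flags every icon/images URL whose host is a denylisted domain or a subdomain of one (so www.tech-faq.com matches tech-faq.com, but look-alikes such as tech-faq.com.example do not), and produces a cleaned copy in which the flagged icon is swapped for the official GnuPG logo suggested above and flagged screenshots are dropped. The denylist set and the replacement map are hypothetical inputs a maintainer would keep alongside the database; only tech-faq.com and the gnupg.org logo URL come from the issue.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the gnupg entry quoted in the issue, plus one
# clean entry. This is NOT the real WebBasedData/screenshot-database-v2.json.
SAMPLE_DB = json.loads("""
{
  "gnupg": {
    "icon": "https://www.tech-faq.com/wp-content/uploads/gnupg-shell.png",
    "images": [
      "https://www.tech-faq.com/gnupg-shell/keyring_editor.png",
      "https://www.tech-faq.com/gnupg-shell/create_new_keyring.png",
      "https://www.tech-faq.com/gnupg-shell/file_manager.png"
    ]
  },
  "example-clean": {
    "icon": "https://example.org/icon.png",
    "images": ["https://example.org/shot1.png"]
  }
}
""")

# Hypothetical maintainer-kept denylist of hosts the client must not fetch from.
# tech-faq.com is the domain named in the issue.
DENYLISTED_DOMAINS = {"tech-faq.com"}

# Replacement icon suggested in the issue (official GnuPG logo).
OFFICIAL_GNUPG_LOGO = "https://gnupg.org/share/logo-gnupg-light-purple-bg.png"


def host_is_denylisted(url, denylist=DENYLISTED_DOMAINS):
    """True if the URL's host is a denylisted domain or a subdomain of one.

    Matching is on registrable-domain boundaries ('.' + domain), so
    'tech-faq.com.example' and 'nottech-faq.com' are NOT matched.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in denylist)


def find_flagged_urls(db, denylist=DENYLISTED_DOMAINS):
    """Return {package_id: [flagged URLs]} for every icon/images URL on a denylisted host."""
    flagged = {}
    for pkg_id, entry in db.items():
        urls = []
        if entry.get("icon"):
            urls.append(entry["icon"])
        urls.extend(entry.get("images", []))
        bad = [u for u in urls if host_is_denylisted(u, denylist)]
        if bad:
            flagged[pkg_id] = bad
    return flagged


def sanitize_db(db, replacements, denylist=DENYLISTED_DOMAINS):
    """Return a cleaned copy of the database.

    A flagged icon is replaced when `replacements` has a vetted URL for that
    package, otherwise the icon key is removed. Flagged screenshots are dropped,
    and an emptied images list is removed rather than left as [].
    """
    cleaned = {}
    for pkg_id, entry in db.items():
        new_entry = dict(entry)
        icon = new_entry.get("icon")
        if icon and host_is_denylisted(icon, denylist):
            if pkg_id in replacements:
                new_entry["icon"] = replacements[pkg_id]
            else:
                del new_entry["icon"]
        images = [u for u in new_entry.get("images", [])
                  if not host_is_denylisted(u, denylist)]
        if images:
            new_entry["images"] = images
        else:
            new_entry.pop("images", None)
        cleaned[pkg_id] = new_entry
    return cleaned


if __name__ == "__main__":
    for pkg, urls in find_flagged_urls(SAMPLE_DB).items():
        print(f"{pkg}: {len(urls)} URL(s) on a denylisted host")
    fixed = sanitize_db(SAMPLE_DB, {"gnupg": OFFICIAL_GNUPG_LOGO})
    print(json.dumps(fixed, indent=2))
```

Run against the real file, `find_flagged_urls` is the check a CI job would fail on, and `sanitize_db` shows the minimal edit the issue asks for: the gnupg icon becomes the gnupg.org logo and the three tech-faq.com screenshots disappear, leaving the entry without an images key until a trustworthy source is found. The suffix-based host match is deliberate; a plain substring test on the URL would let a look-alike domain slip through or wrongly flag an unrelated host.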

Steps to reproduce the issue

  1. Open UniGetUI
  2. Find a package that references tech-faq.com as a source/homepage URL
  3. Click the tech-faq.com link
  4. Observe the redirect chain through DGA domains to Amazon with affiliate tag

Alternatively, simply visit http://tech-faq.com in a browser (use a sandboxed environment) and observe the JavaScript redirect.

UniGetUI Log

N/A - This is a data/content issue, not a runtime bug. No logs relevant.

Package Managers Logs

N/A - This is a data/content issue, not a package manager issue.

Relevant information

  • Domain WHOIS: tech-faq.com registered 2004-05-16, expires 2033-05-16, NameCheap registrar
  • Current nameservers: ns1.fleyo.com, ns2.fleyo.com (parking/monetization service)
  • The domain has been reported to NameCheap abuse team separately
  • This appears to be a case of a previously legitimate domain being repurposed for affiliate fraud after expiry/sale
  • The redirect infrastructure uses DGA domains and Cloudflare Pages for cloaking, suggesting organized operation

Screenshots and videos

See Cloudflare Radar scan links in the description above for visual evidence of the redirect chain.
