whackFeatures
Everything you need to expose a cloak and turn one URL into shareable intel.
Split-Horizon Diff
Load the same URL through datacenter, residential and mobile egress, then diff how the page mutates across IP types. Divergence is cloaking — caught, scored, and shown side by side.
ASN & Org-Targeted Detection
Advanced kits don’t just split datacenter vs. real users — they fingerprint the visitor’s ASN and serve org-specific lures (a fake employee login to a bank’s range, say). whack.sh reveals what a kit serves the vantage points that matter and logs every payload-to-ASN mapping, so you see who a campaign is hunting.
Multi-Egress Capture
One whack <url> fires through datacenter, residential and mobile IPs in parallel. Cloakers that serve a clean decoy to datacenter scanners can’t hide when three IP classes hit at once.
HAR + Screenshot Timeline
Every egress does a full, faithful load — real Chromium, JavaScript executed, every resource fetched, exactly what a real visitor pulls — then returns the complete request waterfall as HAR plus a screenshot timeline. We keep stored HAR lean by trimming response bodies, never the load itself: cutting resources to save bytes is exactly what gets a scanner fingerprinted.
Redirect / TDS Chain
Follow the whole hop sequence through traffic distribution systems to the final payload. The chain that routes a victim is the chain we map.
Cloaking Score
Egress divergence is scored 0–100 so you can triage at a glance and alert on a threshold. High score = a mole serving two faces. Whack it.
Sample + IOC Pipeline
Sample capture is opt-in — off by default so your scan’s vantage never fetches the binary. Turn it on and the node flags the payload URL for an isolated vault to retrieve and identify out of band — the file never touches the scan node or your device. Hashed, checked against VirusTotal, MalwareBazaar and URLhaus, stored only if novel, served via single-use expiring links. Export IOCs to CSV, STIX 2.1 or MISP.
Curl-First API
Every endpoint is a curl endpoint. The API key IS the login — paste it or click a one-time magic link. httpOnly session, no passwords, scriptable from the first request.
Spend Controls + Anomaly Detection
Set per-account daily and monthly credit caps. Velocity anomaly detection auto-pauses a key on a spike and alerts you, so a runaway script never burns the budget.