Known Malicious Plugins for HISR detection Megathread

It also says it is created by @sleitnick, who is a known plugin creator, and his plugins are totally not malicious in any way. Looks like the actual group is trying to impersonate.

1 Like

How has this not been shut down yet?? He has multiple groups that are obviously meant to impersonate well known developers and teams.

I also found this:


Roblox Studio+

Malicious Plugin: 5871957158
Original Plugin: 144358935

Malicious Script Location: PluginGuiService > PluginGui > Layers > UIListLayout > FX
Malicious Action:

require(5870849966)

Malicious Required Module: 5870849966*

*Suspicious obfuscated code. Assuming this is the source of the backdoor that multiple posts above have connected with the Updated/New mark at the top of the plugin thumbnail.

The plugin was published by a group named ROBLOX to make it seem as if the official ROBLOX account created it.

ROBLOX Impersonation: 8135004

1 Like
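A defensive check for the pattern reported above, as an added example that is not part of any post in this thread: it walks a plugin saved in Roblox's XML model format (.rbxmx) and reports every script that calls `require` with a numeric asset ID, together with its instance path. The sample model is constructed, the function names are hypothetical, and the element layout (`Item` / `Properties` / `ProtectedString name="Source"`) is an assumption about the .rbxmx format.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
# require(<decimal or hex literal>) loads a module by asset ID at run time.
REQUIRE_BY_ID = re.compile(r"\brequire\s*\(\s*(0[xX][0-9a-fA-F]+|\d+)\s*\)")

# Constructed sample model; only the required ID is taken from the post above.
SAMPLE_RBXMX = """<roblox version="4">
<Item class="Folder"><Properties><string name="Name">PluginGui</string></Properties>
 <Item class="Folder"><Properties><string name="Name">Layers</string></Properties>
  <Item class="UIListLayout"><Properties><string name="Name">UIListLayout</string></Properties>
   <Item class="Script"><Properties><string name="Name">FX</string>
    <ProtectedString name="Source"><![CDATA[-- looks like a UI effect
require ( 5870849966 )]]></ProtectedString></Properties></Item>
  </Item>
 </Item>
 <Item class="ModuleScript"><Properties><string name="Name">Util</string>
  <ProtectedString name="Source"><![CDATA[return require(script.Parent.Table)]]></ProtectedString>
 </Properties></Item>
</Item>
</roblox>"""


def _prop(item, tag, name):
    """Text of one named property of an <Item>, or '' if absent."""
    node = item.find(f"./Properties/{tag}[@name='{name}']")
    return (node.text or "") if node is not None else ""


def find_requires_by_id(rbxmx_text):
    """Return [(instance path, asset ID)] for each require(<number>) in a script."""
    findings = []

    def walk(item, parents):
        path = parents + [_prop(item, "string", "Name") or item.get("class", "?")]
        if item.get("class") in SCRIPT_CLASSES:
            for m in REQUIRE_BY_ID.finditer(_prop(item, "ProtectedString", "Source")):
                tok = m.group(1)
                asset_id = int(tok, 16 if tok.lower().startswith("0x") else 10)
                findings.append((" > ".join(path), asset_id))
        for child in item.findall("./Item"):
            walk(child, path)

    for top in ET.fromstring(rbxmx_text).findall("./Item"):
        walk(top, [])
    return findings  # literal IDs only; an ID built at run time is not seen


if __name__ == "__main__":
    for path, asset_id in find_requires_by_id(SAMPLE_RBXMX):
        print(f"{path}: require({asset_id})")
```

A hit is a prompt to open that script and compare it with the original plugin, since a `require` by ID is not malicious on its own.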

I hooked the functions of the obfuscated module and it seems that it was only calling require on this module: MainModule - Roblox

It has a GUI for a server-side backdoor service called “Ubuntu SS”, which I have never heard of. Here is a picture.

The logging place for HTTP logs is

and the group for whitelisting seems to be

The module also seems to contain some webhook URLs, but they seem invalid. I am not sure if they were previously used for logging and were removed, if they were abused and thus removed, or are just decoys.

2 Likes

Over half of these plugins are real, without any malicious intent.

1 Like

Plugins List:

(Both Malicious & the Original Included.)


Studio Levels

Malicious: Studio Levels - Roblox

Original: Studio Levels - Roblox

Moon Animator

Malicious: Moon Animator - Roblox

Original: Moon Animator 2 - Roblox


I WILL ADD MORE HERE SOON!

No plugin from the list is malicious.

I took a look at those plugins’ source and did not find anything. Also, I see you have already posted 3 of those plugins on this topic.

I just read through its source; turns out it was a mistake on my end. Sorry for re-posting, didn’t realize that.

1 Like

Building Tools by F3X (Plugin)

Malicious plugin: 6240474358
Original plugin: 144950355

[FIXED] Realism Mod

Malicious plugin: 6792716290
Original plugin: 400812710

Load Character Lite

Malicious plugin: 6789266789
Original plugin: 752585459

to be continued…

Someone apparently made a copy of AlreadyPro’s Load Character Pro under the name of “AlreadyPro”, a group owned by a deleted account. Reported the plugin for using the code of AlreadyPro and also malicious code.

Malicious:

Original:

1 Like

Load Character Pro

Original: 4489766693
Malicious: 7070331213

source

Drops a malicious script. Malicious plugin creator attempting to impersonate AlreadyPro.

1 Like

Yes

I would also like to report this one as well: Malicious Plugin

It’s a group that impersonates his name to promote their fake plugin.

1 Like