
Dump of the payload from texturecraft.us, a malware campaign that targeted Roblox users using bookmark bar JavaScript injection (a malicious bookmarklet the victim is told to drag onto the bookmark bar) to steal credentials. Named RoCompile because it operates like RoLinked and because the strings in the payload refer to "compile avatar".


Net-Zer0/Malware-ResearchDump-RoCompile-JavaScript-Stealer-Campaign


⚠️ Disclaimer

This report is strictly for cybersecurity research and responsible disclosure. The information below documents a malicious JavaScript payload discovered on texturecraft.us and texturecraft.org, both of which are registered through Registrar.eu and hosted by Openprovider. More domains have been found serving the same payload, or slight variants of the one used on texturecraft.us; they use different hosting providers and, to save space, are logged in the Triage section below, which lists the affected services. Do not execute or distribute this payload outside of controlled analysis environments.
All findings are reported in accordance with legal and ethical guidelines for security research.
The author assumes no liability for any misuse of the data contained herein.

Public scan records suggest this campaign has been running since January 24th, 2024 and is still active.

Domains were found by searching for intext:Drag the Compile Avatar bookmark bar (the instruction the lure pages show to victims), and by pivoting on the lure page's favicon hash in Censys.

A YARA rule file has been added to the repository to help detect versions of this script and its common IOCs.


Token stealer and credential stealer served from:

  • texturecraft.us
  • texturecraft.org
  • rbxtexture.com
  • rotemplate.com
  • bloxavatar.com
  • rbxformat.com
  • rbxcreator.com
  • rbxart.com
  • rbxvisual.com
  • rbxbuild.com
  • rocharacter.com
  • rblxload.com
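As an added triage example (this is not the repository's YARA rule and contains no code from the payload), the following Node.js scanner checks fetched page source for the indicators this report names: the "Drag the Compile Avatar bookmark bar" lure text, an <a href="javascript:..."> anchor that the victim is told to drag onto the bookmark bar, the setInterval/debugger anti-analysis loop, and the domain list above. The sample pages, scoring weights and function names are constructed for the demo and are assumptions, not something taken from the campaign.

```javascript
// Added example (not the repository's YARA rule, not payload code): a small
// triage scanner for RoCompile-style lure pages. Indicators come from the
// report: the lure text, the sister-domain list, and the anti-debug loop.
// A bookmarklet lure is an <a href="javascript:..."> anchor; once the victim
// drags it to the bookmark bar and clicks it on roblox.com, the code runs in
// that tab's origin with the victim's session, so any such anchor is suspect.

const ROCOMPILE_DOMAINS = [
  'texturecraft.us', 'texturecraft.org', 'rbxtexture.com', 'rotemplate.com',
  'bloxavatar.com', 'rbxformat.com', 'rbxcreator.com', 'rbxart.com',
  'rbxvisual.com', 'rbxbuild.com', 'rocharacter.com', 'rblxload.com',
];

// Lure instruction shown to victims (the same string used as the search dork).
const LURE_TEXT = /drag\s+the\s+compile\s+avatar\s+bookmark/i;
// href="javascript:..." anchors, i.e. the drag-to-bookmark-bar vector.
const BOOKMARKLET_ANCHOR = /<a\b[^>]*\bhref\s*=\s*["']?\s*javascript:/gi;
// The anti-debugging loop quoted in the report, allowing whitespace and a
// hex or decimal interval.
const ANTI_DEBUG = /setInterval\s*\(\s*\(\s*\)\s*=>\s*\{\s*debugger\s*;?\s*\}\s*,\s*(?:0x[0-9a-f]+|\d+)\s*\)/i;

// Returns the indicators found plus a simple verdict. Weights are assumptions
// for the demo: lure text or a known domain is strong on its own; a
// javascript: anchor together with the debugger loop is strong even on a
// domain not yet in the list.
function scanPage(source) {
  const lower = source.toLowerCase();
  const domains = ROCOMPILE_DOMAINS.filter(d => lower.includes(d));
  const bookmarkletAnchors = (source.match(BOOKMARKLET_ANCHOR) || []).length;
  const result = {
    lureText: LURE_TEXT.test(source),
    bookmarkletAnchors,
    antiDebugLoop: ANTI_DEBUG.test(source),
    domains,
  };
  let score = 0;
  if (result.lureText) score += 2;
  if (domains.length) score += 2;
  if (bookmarkletAnchors) score += 1;
  if (result.antiDebugLoop) score += 1;
  result.score = score;
  result.verdict = score >= 2 ? 'suspicious' : 'clean';
  return result;
}

// Constructed sample mimicking the lure layout; this is not a capture.
const SAMPLE_LURE = `<html><body>
<p>Drag the Compile Avatar bookmark bar button to your bookmarks, then click it on Roblox.</p>
<a href="javascript:(function(){setInterval(()=>{debugger;},0x1f4);fetch('https://rbxtexture.com/x')})()">Compile Avatar</a>
</body></html>`;

// Constructed benign page for comparison.
const SAMPLE_CLEAN = `<html><body><a href="https://example.com">Home</a></body></html>`;

console.log(scanPage(SAMPLE_LURE));
console.log(scanPage(SAMPLE_CLEAN));
```

Run it over the HTML you fetch from a candidate domain (curl with a browser User-Agent, since some lure sites serve different content to scanners) and treat a "suspicious" verdict as a cue for manual review, not as a final classification.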


Why is this code malicious?

  • Phishing/Account Takeover:
    The script interacts with Roblox APIs to fetch user authentication, birthdate, and other sensitive data. It manipulates authentication methods, removes and adds authenticators, and can change account emails.

  • Data Exfiltration:
    It sends user data (including authentication tokens and possibly passwords) to external domains (texturecraft.us, texturecraft.org, rbxtexture.com, rotemplate.com, bloxavatar.com, rbxformat.com, rbxcreator.com, rbxart.com, rbxvisual.com, rbxbuild.com, rocharacter.com, rblxload.com) that are not affiliated with Roblox.

  • Bypasses Security:
    It attempts to bypass or manipulate two-factor authentication (2FA) and parental controls, and can change account credentials.

  • Obfuscation:
    The code is heavily obfuscated to hide its true purpose, making it harder for users or security tools to detect what it does.

  • Anti-Debugging:
    The setInterval(()=>{debugger;},0x1f4); line schedules a debugger statement every 500 ms (0x1f4). It does nothing while developer tools are closed, but as soon as they are opened the script pauses on that breakpoint twice a second, which is meant to hinder analysis.

  • Automated Abuse:
    It repeatedly tries to fetch and manipulate account data, retrying on failure, which is typical of automated account hijacking scripts.


What does it do? (Summary)

  • Steals Roblox account info (userId, email, authentication tokens, birthdate, etc.).
  • Removes and re-adds authentication methods to gain control of the account.
  • Sends sensitive data to an attacker-controlled server on one of the domains listed above (texturecraft.us, texturecraft.org, rbxtexture.com, etc.).
  • Tries to bypass security features (like 2FA and parental controls).
  • Uses obfuscation and anti-debugging to avoid detection.
  • Changes the user's email to vrtuefaded@gmail.com or another address, depending on the payload configuration.

What it acts like: RoLinked (https://github.com/JustOptimize/rolinked-malware-analysis)

  • Uses the same bookmark bar (bookmarklet) technique
  • Has similar capabilities

Triage Information

Takedowns/Action Taken

  • Openprovider disabled the domain texturecraft.us on 2025-06-18 at 23:57:36 CEST.
  • Openprovider has stated that the domain texturecraft.org will be disabled and removed if the registrant does not respond; the removal date is 2025-06-21 at 04:38:28 CEST.
  • Thanks to the Openprovider Abuse Team for the quick response time!
  • Openprovider's website: www.openprovider.com
  • Both takedowns were appealed by the threat actors.

Reports submitted:

  • Report submitted for sister website (rbxtexture.com) through GoDaddy
  • Report submitted for sister website (rbxart.com) through GoDaddy
  • Report submitted for sister website (www.rbxvisual.com) through GoDaddy
  • Report submitted for sister website (rbxformat.com) through TucowsDomains
  • Report submitted for sister website (rblxload.com) through TucowsDomains
  • Report submitted for sister website (rbxcreator.com) through easyDNS
  • Report submitted for sister website (rotemplate.com) through registrar
  • Report submitted for sister website (www.bloxavatar.com) through registrar
  • Report submitted for sister website (rbxbuild.com) through registrar

To be Reported:

  • Need to report this sister website (rocharacter.com) through NameCheap

Reporting to CDN Networks

  • texturecraft.us reported to Cloudflare

Quick Summary:

  • texturecraft.us - Domain takedown - CDN report - Attackers appealed
  • texturecraft.org - Domain takedown - Attackers appealed
  • rbxtexture.com - Reported
  • rbxformat.com - Reported
  • rbxart.com - Reported
  • rbxvisual.com - Reported
  • rblxload.com - Reported
  • rbxcreator.com - Reported
  • rotemplate.com - Reported
  • bloxavatar.com - Reported
  • rbxbuild.com - Reported
  • rocharacter.com - WIP

This work is licensed under the Creative Commons Attribution 4.0 International License.
