
Script RCORE CASINO FULLY UNLOCKED TESTED 100% WORKING

2011342989

Member
Joined
Feb 24, 2026
Messages
2
Reaction score
0
Points
41
Location
china
rcore_casino Backdoor Analysis (Quick Report)

**How I found the remote code execution path**

I did a fast keyword scan for dangerous patterns: load, assert(load(...)), new Function, PerformHttpRequest, and external URLs. Two high-risk hits popped immediately:

- server/server.lua loads hidden code from html/fonts/Gotham.ttf and executes it with load(...)().
- server/html/scripts/main.js fetches remote JS and runs it with new Function(...).

The font file was the big red flag: it had obfuscated payload appended at the end.

**How I reversed it (safe workflow)**

I deobfuscated the font tail payload first. It resolved to:

- fetch from
- execute response via assert(load(_b))()

I then pulled the remote payload (fivems.lt/null), which was heavily obfuscated (Luraph). To avoid unsafe execution, I ran it inside a controlled Lua sandbox with stubbed FiveM APIs and call logging. This let me observe behavior safely (what it tries to write, call, and exfiltrate) without giving it real server access. I decoded dropped JS loaders and confirmed they fetch another remote stage and eval it.

**What the malware does**

- Remote code execution: downloads and executes attacker-controlled Lua from fivems.lt.
- Persistence: drops random JS files (stack.js / hooks.js / manager.js) and injects them into fxmanifest.lua under server_scripts.
- Exfil / beaconing: sends server/resource/player info to a hardcoded Discord webhook.
- JS second-stage loader: runs https.get(...); eval(...) to pull and execute more remote code.
- Net effect: attacker can update behavior anytime and run arbitrary code remotely.

**IOC-style indicators**

-
-
-
- Hardcoded webhook:
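The two checks the report above describes, as an added Python example that is not part of the original post or the poster's tooling: a keyword scan for the dynamic-execution patterns it lists, and a check for bytes appended after the last table declared in a font file. The regexes, the function names and the one-table sample font are assumptions constructed for illustration.

```python
import re
import struct

# Pattern names come from the post; the regexes are this example's assumption.
PATTERNS = {
    "lua-dynamic-load": re.compile(r"\b(?:assert\s*\(\s*)?load(?:string)?\s*\("),
    "lua-http": re.compile(r"\bPerformHttpRequest\s*\("),
    "js-new-function": re.compile(r"\bnew\s+Function\s*\("),
    "js-eval": re.compile(r"\beval\s*\("),
    "external-url": re.compile(r"https?://[^\s\"')]+"),
}

def scan_source(text):
    """Return sorted names of the risky patterns found in Lua/JS source text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def sfnt_trailing_bytes(data):
    """Return bytes past the last table declared in a TrueType/OpenType directory."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x4F54544F, 0x74727565):  # 1.0, 'OTTO', 'true'
        raise ValueError("not an sfnt font")
    end = 12 + 16 * num_tables  # header plus table directory
    if len(data) < end:
        raise ValueError("truncated table directory")
    for i in range(num_tables):
        _tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        end = max(end, offset + length)
    end = (end + 3) & ~3  # tables are padded to 4-byte boundaries
    return data[end:]

def build_sample_font(trailer=b""):
    """Constructed sample: a one-table sfnt with optional appended bytes (not a real font)."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 28, 8)
    return header + record + b"\x00" * 8 + trailer

if __name__ == "__main__":
    # Constructed trailer mirroring the loader call quoted in the post.
    tail = sfnt_trailing_bytes(build_sample_font(b"assert(load(_b))()"))
    print(len(tail), scan_source(tail.decode("latin-1")))
```

A non-empty result from `sfnt_trailing_bytes` on a resource's font file is a reason to inspect the file by hand before the resource is ever started.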
 

Gonzalapa

Member
Joined
Apr 30, 2021
Messages
10
Reaction score
0
Points
156
DO NOT EXECUTE IN YOUR SERVER!!!
2 BACKDOORS PRESENT IN THE FILES, 1 Visible 1 Encrypted in the Gotham.ttf font.
Proofs shown in screenshots:

1775441856190.png


Hidden in the "font":
1775441867245.png
 