A Chrome extension by the name SearchBlox that’s been downloaded over 200,000 times by Roblox players was discovered to contain a backdoor that attempts to steal users’ Roblox credentials and their Rolimons assets. It’s unclear at the moment whether the developers introduced the backdoor intentionally or is the result of a compromise.
Currently, there are two SearchBlox extensions on the Chrome Web Store with the following IDs:
- blddohgncmehcepnokognejaaahehncd — 200,000+ downloads
- ccjalhebkdogpobnbdhfpincfeohonni — 959 downloads
Both extensions claim to do the same thing — add a search bar allowing users to search for other Roblox players by their usernames, with the first one being more popular. Both extensions, however, are malicious and still available for download on the Web Store at the time of writing.

BleepingComputer’s analysis of the first extension reveals a malicious line in the content.js file of the extension attempting to load an image which pretends to fetch an image using the HTML <img> tag but loads hidden JavaScript code instead further encoded as HTML character entities. The second extension hides this line within a file named button.js. Both extensions, however refer to the same malicious URL mentioned below.
hxxps://searchblox[.]site/image.png/image.txt
When decoded, the aforementioned line appears to fetch JavaScript code that attempts to extract Roblox credentials and send them to releasethen.site. Both releasethen.site and searchblox.site were registered earlier this month and are hosted on Hostinger.
Additionally, the script also looks at the victim’s Rolimons.com profile, a trading platform for Roblox and can steal any trading assets to transfer them back to the alleged threat actor’s profile.
Detecting the malicious activity on these extensions and domains was further hindered by the fact that they have a clean record on Virustotal at the time of writing.
This isn’t the first time an extension named SearchBlox has either been taken down for malicious behaviour. Google reportedly took down a similar extension back in October this year which had been active on the Web Store since at least June 28, 2022.
The Roblox community has pointed out that the inventory of a user named ‘Unstoppableelucent’, allegedly the extension’s developer, has grown rapidly at the same time a Rolimons user named ‘ccfont’ has been terminated over suspicious inventory trades.
As mentioned before, it was unclear at the time whether the backdoor was placed by the extension’s developer or resulted from a compromise. We’ve reached out for a comment from the extension’s developer but haven’t received any yet. We’ll update this space when we do.
In the News: Two Estonians busted for running $575 million crypto Ponzi scheme