Is WuWa Tracker or Any Third-party Tool Safe to Use? | Wuthering Waves Resource & Companion App | WuWa Tracker
Recently, a pull tracker website for Arknights: Endfield called endfieldrecords.com (the site was taken down as of time of writing) was discovered to have been distributing malware to its users.
The incident has understandably sparked controversy and raised a lot of questions about whether any third-party pull tracker (including WuWa Tracker) can be trusted.
One popular gacha game content creator, fobm4ster, made this remark on X:
As the leading pull tracker website for Wuthering Waves for around 2 years now (as of time of writing), it's our moral responsibility to provide more context and give malware prevention tips for wuwatracker.com users and other gacha game players.
This article explains how these sites connect with gacha games to show your pull history, what actually happened to EndfieldRecords, and what we, at WuWa Tracker, do to protect you.
Gacha games, like Wuthering Waves, store your pull history on their own servers. When you open the in-game history window, the game opens a web browser window (called a Webview) that loads a page from Kuro Games' servers. This same page contains your pull history data.
That web page has a URL, and that URL contains identifiers like your player UID, your server ID, and a temporary record ID. We call this your "Convene URL". When you import your pulls into WuWa Tracker using our various Import Tutorials, all we do is read that URL from your game's log file and use it to fetch the same data your game would show you.
The record ID serves as a security token for accessing your pull history (and only the pull history, as far as we know) for a limited amount of time (about 1-2 hours from our prior testing).
Therefore, the Convene URL is only used to read your pull history and nothing else. It also expires, which is why you have to re-import periodically. We will never ask for your password or other account credentials for the pull history.
For instance, this is what my in-game pull history looks like compared to the browser pull history. They are the exact same window with the same pull history data.
With that out of the way, let's see how Wuthering Waves differs from other gacha games like Arknights: Endfield.
How Other Gacha Games' Pull History May Work
Another common software architecture pattern used by gacha games is to make the user pass their access or auth token to view their pull history.
However, these tokens aren't always scoped to just the pull history.
This means that, allegedly, they can be used for simple things like getting account information, inventory, and user profiles. Or worse, they could be used for more sensitive things like viewing top-up history, checking into official websites (like HoYoLab or SKPORT), or even "full control over your account" according to a known HoYoverse leaks Telegram channel:
Unfortunately, Arknights: Endfield makes users use their access token to view their pull history, thus exposing users to this exploit.
What Happened to EndfieldRecords (endfieldrecords.com)
According to this Reddit post entitled "EndfieldRecords dot com Pull Tracker Malware" and anecdotes from users, EndfieldRecords asked users to run a PowerShell script to extract their pull URL. The script itself, when people audited it, looked fine. It read a log file, found the token, and copied it to your clipboard. Same routine as most pull trackers.
However, the problem was that the script was fetched from a mutable URL, meaning the developer could change what was at that URL at any time without anyone knowing.
At some point around February 2026, the script was allegedly swapped out to include malware. The malicious version allegedly called out to an external domain (rouf.xyz), created scheduled tasks for operating system persistence, and according to reports, was capable of stealing browser cookies, Discord tokens, and data from other games on the infected machine.
And allegedly, it's possible that once the malware got enough exposure during a high-traffic period (likely right after a new banner dropped), the developer swapped the script back to the clean version to avoid detection.
How You Can Revoke the Access Token
It's common practice to revoke or delete old access tokens and invalidate old logins by changing your password. This forces malicious actors to get a new token before they can continue using accounts.
This only resolves the issue of the malicious actor logging into your account. It does NOT, however, address the fact that malware may have infected your device. A reinstallation or reset of your system is necessary to guarantee safety in these cases.
The Core Vulnerability: Mutable Script URLs
When a pull tracker says "run this PowerShell command," and that command downloads a script from the internet before running it, you have to ask: what guarantees that the script at that URL is the same one you audited yesterday?
With a mutable URL like https://example.com/import.ps1, the answer is nothing. The developer can change the contents of the /import.ps1 server endpoint at any time.
You could read the script today and it looks fine, but tomorrow, it does something completely different. The URL is the same, but you would never know unless you open it up and read it.
What's even worse is that these scripts may also execute other scripts or call other remote websites. The initial script then contains no malicious code itself; instead, it calls the actual malicious scripts, which were never part of the script you read.
The demo spins up a simple server with a single endpoint called /import.ps1 that mimics how a possibly unsafe pull tracker might serve an import script.
For demo purposes, every time the endpoint is hit, a coin flip runs server-side. Half the time it redirects you to a safe script; the other half, to the malicious one. Both scripts are hosted at different URLs, but from your perspective, you're hitting the same URL every time.
Try running the command below a few times in PowerShell:
Don't worry, the scripts don't do anything other than show messages in the terminal.
You'll notice that sometimes you get a safe result, and sometimes you may get a "malicious" result.
So yeah, you have no way of knowing if the URL you audited a few seconds ago still points to the same script you execute another time because the website owner can swap it out by editing the GitHub source code or by using server-side logic to route the request to another website.
The Solution to Script Swap Attacks
The only way to guarantee that a script does not change is to use an immutable, hash-based URL.
Here are some quick cybersecurity tips when using or dealing with third-party tools that make you run scripts, whether it's WuWa Tracker or the next new third-party tool website you come across.
Check what the script actually does before running it. If a site gives you a PowerShell or bash command, you can usually inspect what it does before executing it. If it downloads a script from another URL and immediately runs it with Invoke-Expression or iex, check that second URL too.
Prefer immutable URL scripts from reputable sources. Prefer permanently linked scripts from an external service like GitHub or Pastebin, since they're guaranteed to never change according to their hash and they cannot be tampered with by the pull tracker website owner.
Never run scripts with Administrator privileges unless you trust the script. The EndfieldRecords malware checked for admin privileges before attempting to install scheduled tasks and registry keys. Several users weren't affected because they ran PowerShell without admin rights, causing the malware to silently fail.
Understand what token or data you are handing over. For Wuthering Waves, the Convene URL is scoped to read-only pull history access. For other games, the token scope may be different and potentially much broader. Arknights: Endfield's token was an account-level token that could be used for other purposes, giving the script owner full authority to use it however they want.
Open source and auditable is better than closed. Sites that host their scripts on public GitHub repositories and link directly to them are easier to audit than sites that serve scripts from their own server.
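One way to apply the tips above in PowerShell, as an added example that is not WuWa Tracker's own code: save the script to disk, compare its SHA-256 with the hash you recorded when you audited it, and run it only on a match from a non-elevated session. The helper name `Invoke-AuditedScript`, the URL and the hash value are hypothetical placeholders.

```powershell
# Added example, not WuWa Tracker's code. The URL and hash are placeholders:
# use the URL you audited and the SHA-256 you recorded for the copy you read.
$ScriptUrl      = 'https://example.com/import.ps1'
$ExpectedSha256 = '<SHA-256 RECORDED AT AUDIT TIME>'

function Invoke-AuditedScript {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $Sha256
    )

    # An import script only reads a log file, so refuse to run elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Elevated session detected. Re-run from a normal PowerShell window.'
    }

    # Save to disk instead of piping the response into Invoke-Expression,
    # so the content that is hashed is the content that is executed.
    $path = Join-Path ([IO.Path]::GetTempPath()) ('audited-{0}.ps1' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $path -UseBasicParsing

        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $Sha256) {   # string -ne is case-insensitive
            throw "Hash mismatch (got $actual). The script changed since your audit."
        }

        # The pin covers this file only. List lines that fetch or evaluate
        # further code, because whatever they load can still be swapped.
        $nested = 'Invoke-Expression|\biex\b|Invoke-WebRequest|\biwr\b|' +
                  'Invoke-RestMethod|\birm\b|DownloadString|Start-BitsTransfer'
        Select-String -Path $path -Pattern $nested | ForEach-Object {
            Write-Warning ('nested fetch/eval, line {0}: {1}' -f $_.LineNumber, $_.Line.Trim())
        }

        # Run the verified text in-process (same effect as the original iex).
        & ([scriptblock]::Create((Get-Content -Path $path -Raw)))
    }
    finally {
        Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
    }
}

Invoke-AuditedScript -Url $ScriptUrl -Sha256 $ExpectedSha256
```

Record the pinned hash with `Get-FileHash -Algorithm SHA256` on the exact file you read during your audit; a hash published by the same server that serves the script can be swapped along with it.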
So, is WuWa Tracker (wuwatracker.com) Safe?
So to reiterate, we will never ask for or store your login credentials or passwords.
Our import scripts only read your game's local log files to extract the Convene URL. We have moved all scripts to immutable hashed URLs so that the content you audit is the same content that runs in your terminal.
Our scripts have always been open source and publicly hosted on GitHub at github.com/wuwatracker/wuwatracker since our site's inception.
But even with WuWa Tracker's assurances and 2-year track record of not doing anything malicious or harmful with Wuthering Waves data, you - as the user - need to examine and audit the software and scripts that you use.
With tools like LLMs and AI chatbots, this small act of double-checking your sources goes a long way in preventing security incidents and staying safe online.
Surely, you don't want to constantly reinstall your system from time to time due to these incidents, right..?
Moving Forward
So, to all my fellow gacha gamers out there, always verify before you run scripts from the internet!
At the end of the day, using third-party tools is always done at your own risk, so exercise extreme caution when using them.
False Positive Reporting
Now that we've moved to source commit hash-based URLs, overly-aggressive antivirus software like Avast or VirusTotal may flag the new script as malware incorrectly.
Please email us at [email protected] or join our Discord Server to help us collaborate with security researchers to study and verify our scripts as false positives (meaning they're safe).
For reference, we've successfully contacted CRDF Labs and Bitdefender in the past to flag our previous scripts as safe-to-use and we'll continue to do so moving forward.
As always, may your Convenes be golden evermore and stay safe out there, Rover! ✨