Clubhouse AC Research

Forensic research from the field

Case studies, detection methodologies, and artifact-chain breakdowns from the Clubhouse AC research team. We publish what we learn investigating real cheat ecosystems — kernel-mode tooling, anti-forensic suites, hardware DMA boards, and the techniques used to evade live anti-cheats.

Coordinated disclosure where applicableDefensive use only69 published notesSubscribe via RSS

Featured

Latest case studies

Anti-Cheat Reverse
High

Trace Anti-Cheat Scanner — Full Reverse Engineering of Trace_7TXBS1AV.exe

Complete reverse engineering of the Trace Anti-Cheat scanner (Trace_7TXBS1AV.exe). A 3.35 MB x64 GUI PE wrapped in Srungoat Protector v1.0 — a marker-only badge that contributes 61 bytes of plaintext in a section literally named .1337 and no other transformation. Full C2 map (nine endpoints on traceac.cc), verbatim quote of the injected WebView2 JavaScript that auto-fills the PIN input and auto-clicks the scan button, all five hardcoded Windows Event Log XPath queries (Security 4624/4625/5152/5156/5157/4688, Application 7045, DNS-Client 3008/3010, Sysmon 3/6), the full 22-brand FiveM cheat inventory, the 63 hardcoded cheat-vendor auth panels checked against browser history, complete AV/EDR + reverse-engineering tool detection lists, all eight embedded decoy JWTs and seventeen fake auth-response JSON templates, and a working YARA detection rule. No embedded webhooks, no Discord/Telegram, no certificates, no encrypted regions — every string ships plaintext.

Anti-Cheat ToolReverse EngineeringSrungoatWebView2YARAtraceac.cc
Clubhouse AC Research·Jul 10, 2026·22 min
Published
Read research
Malware Ecosystem
Critical

ClubXJefe Part II — masonjackbabaprada.dll (v2 loader with Prefetch tampering, SPKI pinning, PPL strip)

Follow-up reverse engineering of the ClubXJefe / Venacy malware family. A fresh 4 MB DLL disguised as Microsoft's ntshrui.dll is proven — via a matching Cloudflare R2 credential ID, Portuguese anti-crack strings, verbatim FACEIT.exe targeting, and byte-identical 12-component HWID schema — to be the same Brazilian author's v2 loader. New C2 (api.venacy.cloud, now over TLS with SPKI pinning), a redesigned inlined string cipher (620 strings recovered from 2,019 sites), JWT + X-API-Key auth, a 9-step trace-destruct sequence, retained NtShutdownSystem remote-brick capability, expanded 20+ browser credential-theft surface, and one novel forensic-evasion capability: runtime patching of the Windows Prefetch service (SysMain::NtCreateFile → 0xC0000001) to erase execution traces at the source.

MalwareBYOVDPrefetch TamperingSPKI PinningPPL StripInfostealer
Clubhouse AC Research·Jul 10, 2026·24 min
Published
Read research
Disclosure Response
Critical

ClubXJefe Disclosure Response — Claim-by-Claim Rebuttal and Counter-Disclosure

A competing FiveM cheat vendor published a long-form accusation alleging the Clubhouse scanner is an infostealer. We answer every claim against the actual scanner source — including Wi-Fi password access, browser token exfiltration, wallet harvesting, and kernel hooking claims — and then publish a capability-level counter-disclosure of the accuser's own BYOVD loader and the affiliated reseller binary, both of which add persistence, kernel tampering, Discord OAuth identity capture, and wholesale browser-token exfiltration that the scanner does not perform.

DisclosureCounter-DisclosureBYOVDInfostealerFiveMPrivacy
Clubhouse AC Research·Jun 25, 2026·22 min
Published
Read research
Cheat Detection
Critical

Phase.uno Cheat Suite — Full Reverse Engineering of 8 PE Modules

Complete reverse engineering of the Phase.uno multi-game cheat suite: 8 PE modules targeting 9 games. Fileless no-EXE launch via Spotify.exe process hosting, services.msc SCM injection chain into svchost:Dnscache, WFP domain blocking, system process injection, streamproof overlays, NtQuerySystemInformation hooking, manual mapping, thread context hijacking, and AES-GCM encrypted C2. Includes 8 YARA rules (including post-destruct detection) and comprehensive IOCs.

Phase.unoWFPManual MappingProcess InjectionStreamproofFiveM
Clubhouse AC Research·Jun 19, 2026·35 min
Published
Read research
Methodology
Info

PC Checking Methods — Tiered Forensic Methodology

A complete methodology for PC checks (screenshares, SS) organised into five escalating tiers — from a 10-minute foundation triage of execution artifacts and persistence locations, through deep-dive NTFS reconstruction, memory forensics, court-grade DFIR with full disk imaging and chain of custody, all the way to overwrite-bypass detection and cross-source contradiction analysis. Catalogues 130+ techniques across every Windows artifact, parser, and bypass pattern.

PC CheckingMethodologyTiersDFIRForensics
Clubhouse AC Research·May 7, 2026·60 min
Published
Read research
Kernel Forensics
Critical

Detecting BYOVD Chains Through Kernel Callback Forensics

Bring-Your-Own-Vulnerable-Driver attacks rely on legitimately-signed but exploitable kernel drivers (mhyprot2, GIGABYTE gdrv, Dell dbutil) to disable EDR callbacks. We document a forensic methodology that reconstructs the load order, callback unregistration, and signing-chain anomalies after the driver has been unloaded — leaving only USN journal traces, registry remnants, and prefetch artifacts.

BYOVDKernelDriver SigningEDR BypassUSN Journal
Clubhouse AC Research·Apr 12, 2026·14 min
Published
Read research
Anti-Forensics
High

Reconstructing Cheat Execution After Cleaner-Tool Sweeps

Cheat-cleaner utilities (BleachBit forks, custom .bat scripts, Privazer presets) wipe the obvious execution traces — Prefetch, BAM, recent docs. We show how Amcache, ShimCache, RecentFileCache.bcf, and registry transaction logs (LOG1/LOG2) preserve enough fragments to reconstruct a complete execution timeline for the Eulen FiveM executor family with 47-second resolution.

PrefetchAmcacheShimCacheRegistry ForensicsFiveM
Clubhouse AC Research·Mar 28, 2026·11 min
Published
Read research
Cheat Detection
Critical

Wizard Bypass & External Cheat: Full Source-Tree Reversal (Slate.exe, fivem.ovh)

Complete source-code reversal of the Wizard External FiveM cheat (compiled binary Slate.exe) — 1.4 GB Visual Studio solution with 62 .cpp / 405 .h files sourced from the July 2026 leak. Documents the exact HWID formula (FNV-1a of MachineGuid | volume serial → 20 hex chars), the fivem.ovh auth backend on both /goonen/ and /tita/ paths, the JSON API surface (login-check, bypass, cloud_config, update-ingame-name, wizard-names + discord_stats), the 624-call xorstr string obfuscation, the SilentAim engine (IsPlayerFreeAimingAtEntity hook with mov al,1;ret shellcode, 19 leaked bone-ID constants), the MagicBullets AOB patch, external-only memory I/O via ZwReadVirtualMemory + NtCreateThreadEx (bypasses ReadProcessMemory hooks), the NVIDIA App masquerade (HKLM\...\NvApp\ShadowPlay\FTS registry hijack with GUID {497B8458-4244-4EE6-BFEA-F3D2BA294F21}, value 0x24), the CreateWindowInBand ZBID_UIACCESS overlay trick, and the WIZ001–WIZ003 IOC set with false-positive guardrails.

FiveMGTA VCheat DetectionSource ReversalHWIDNVIDIA Masquerade
Clubhouse AC Research·Jul 9, 2026·18 min
Published
Read research

All research notes

Methodology & detection

63 more notes
Anti-Forensics
Medium

MFT $SI vs $FN: Detecting Timestomping on NTFS

Timestomping tools rewrite the $STANDARD_INFORMATION attribute but typically miss $FILE_NAME, which is updated only by the kernel during file rename or move. We detail a $SI/$FN delta detection rule that flagged 100% of timestomp attempts in our corpus of 312 known cheat-loader samples — including subsecond manipulation that evades naive timestamp checks.

NTFSMFTTimestompingDFIR
Clubhouse AC Research·Mar 10, 2026·9 min
Published
Read research
Hardware
High

DMA Hardware Fingerprinting: PCILeech and Squirrel Detection

Hardware DMA cheats (PCILeech, Squirrel, custom FPGA boards) advertise themselves on the PCIe bus through Vendor/Device ID, BAR layout, and configuration space anomalies. We catalogue the signatures of seven publicly-sold DMA boards and document a configuration-space probe that distinguishes legitimate capture cards from attack hardware.

DMAPCIeHardware CheatsFPGA
Clubhouse AC Research·Apr 4, 2026·12 min
Disclosure pending
Read research
Identity
Medium

HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference

HWID spoofers rotate visible identifiers (MachineGuid, MAC, disk serials) but rarely touch every cross-domain identifier consistently. We correlate SMBIOS Type 1/2/3 fields against ACPI _UID values, EFI variables, and TPM EK certificates to surface rotation events even when individual identifiers appear clean.

HWIDSMBIOSACPITPM
Clubhouse AC Research·Feb 22, 2026·10 min
Published
Read research
Kernel Forensics
High

PsSetCreateProcessNotifyRoutine: Detecting Callback Unhooking

Kernel-mode cheats unregister Windows process-creation callbacks to evade EDR telemetry. We walk the PspCreateProcessNotifyRoutine array post-mortem from a memory snapshot to identify gaps and replaced entries — including the signature pattern left by the public hwbp1 unhook PoC.

KernelCallbackEDRMemory Forensics
Clubhouse AC Research·Apr 18, 2026·13 min
Draft
Kernel Forensics
High

Detecting ETW Provider Tampering: Patch, Disable, and Spoof

Cheat loaders that patch EtwEventWrite to a bare return, disable providers via NtTraceControl, or forge event payloads leave structural traces in the ETW metadata tables and session descriptors. We enumerate four distinct tampering techniques observed in the wild and document the kernel-side consistency checks that detect each one without relying on the event stream itself.

ETWKernelAnti-TelemetryDFIR
Clubhouse AC Research·Mar 5, 2026·11 min
Published
Read research
Memory Forensics
High

Process Hollowing Detection via VAD and Section Object Cross-Reference

Classic process hollowing overwrites legitimate image sections with injected code, leaving the VAD (Virtual Address Descriptor) tree claiming a mapped image path that no longer matches the on-disk binary or the in-memory PEB LDR entries. We detail a detection technique that cross-references VAD node ImageFilePointer, the PEB Ldr InMemoryOrderModuleList, and the mapped section object hash to surface hollowed and stomped-image processes with a 1.8% false-positive rate on clean game populations.

Process HollowingVADPEBMemory Forensics
Clubhouse AC Research·Jan 30, 2026·13 min
Published
Read research
Cheat Detection
High

TZX Project FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of TZX Project (taskthow.exe), a FiveM cheat that shares C2 infrastructure with TZ Project but is a distinct binary. Key artifact: drops packages.json into C:\Windows\System32 — visible via Journal Trace. Covers DNS, lsass, and FiveM process C2 strings alongside a seven-step screenshare check methodology.

FiveMCheat DetectionSystem32IOC
Clubhouse AC Research·Jun 1, 2026·8 min
Published
Read research
Cheat Detection
High

Red Engine FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Red Engine (Chaga.exe), a FiveM cheat that writes imgui.ini to the GTA V folder and leaves settings.cock and settings.cook configuration files in its loader directory alongside INSTRUCTIONS.txt. Windows Defender flags the binary. C2 domain falcon.redengine.eu observed in DNS cache.

FiveMCheat DetectionImGuiDefender Detection
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

Skript.gg FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Skript.gg (ts3client_win64.exe), a FiveM cheat that masquerades as the TeamSpeak 3 client and is also known to use the USBDeview utility name. Covers skript.gg C2 strings in lsass.exe, DiagTrack artifacts, DLL presence in Explorer, Journal Trace evidence, and Disk Drill file recovery from unallocated space.

FiveMCheat DetectionProcess MasqueradeDiagTrack
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

Gosth FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Gosth, a FiveM cheat distributed via direct CDN URL (cdn.gosth.ltd/launcher.exe) that injects into arbitrary processes. Key indicators: loader entry persists in NVIDIA Control Panel, launcher.exe visible in DiagTrack under \device\, random .tmp file in %TEMP%, Prefetch and Windows Data Usage records survive cleanup.

FiveMCheat DetectionDiagTrackNVIDIA
Clubhouse AC Research·Jun 1, 2026·8 min
Published
Read research
Cheat Detection
High

Keyser FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Keyser (loader.exe), a FiveM cheat that drops a DLL into C:\Windows\IME and creates .dmp crash dump files in unusual locations. C2 domain api.keyser-dashboard.com observed in DNS cache and lsass.exe. Covers Journal Trace, WinPrefetchView, and IME directory inspection.

FiveMCheat DetectionWindows IMEDMP Files
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

Unicore FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Unicore (build.exe), a FiveM cheat that communicates via an OVH VPS hostname and actively manipulates the DIPS journal file. The string 'Unicore' appears in the FiveM game process memory. Covers DNS artifacts, Event Viewer entries, Journal Trace, and Prefetch evidence.

FiveMCheat DetectionDIPS JournalEvent Viewer
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

HX Software FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of HX Software (updated.exe), a FiveM cheat that uses a generic update-process name to avoid suspicion. C2 domain api.hxsoftwares.com observed simultaneously in DNS cache, lsass.exe, and the FiveM game process. Covers Journal Trace evidence and a six-step screenshare check methodology.

FiveMCheat DetectionProcess MasqueradeMemory Forensics
Clubhouse AC Research·Jun 1, 2026·8 min
Published
Read research
Cheat Detection
High

Macho Cheats FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Macho Cheats (Yb6ul.exe / mc.exe), a FiveM cheat that extracts its loader into a %TEMP% folder and bundles libcurl.dll and fivem-internal.dll. C2 domain machocheats.com found in DNS, lsass.exe, and FiveM process. Covers DiagTrack artifacts, WinPrefetchView, browser history, and Journal Trace.

FiveMCheat DetectionBundled DLLTEMP Folder
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

Keyser Cracked Build: Detection & Forensic Artifacts

Forensic breakdown of the cracked/leaked Keyser build (keycheese), which uses a separate C2 domain (api.keyser-lts.com) from the official loader. Shares the IME DLL-drop behavior with the official build. Covers DNS, lsass, FiveM process C2 strings, C:\Windows\IME artifact, Journal Trace, and loader UI identification.

FiveMCheat DetectionCracked BuildWindows IME
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

TZ Project FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of TZ Project (firefox.exe), a FiveM cheat loader that masquerades as a browser process to evade casual process-list inspection. Documents the imgui.ini artifact written to the GTA V folder, C2 domain artifacts in DNS cache and LSASS memory, DPS first-seen timestamp, and a seven-step screenshare check methodology.

FiveMCheat DetectionProcess MasqueradeImGui
Clubhouse AC Research·Jun 1, 2026·9 min
Published
Read research
Cheat Detection
High

Susano FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Susano (lemon.exe), a FiveM-targeted cheat loader. Documents C2 string artifacts found in lsass.exe and svchost.exe memory, ~40 MB working-set inflation in the FiveM process with WCX-protected injected regions, USN Journal records that survive the cheat's stealth-mode Prefetch wipe, and a complete seven-step screenshare check methodology.

FiveMCheat DetectionMemory ForensicsUSN Journal
Clubhouse AC Research·Jun 1, 2026·10 min
Published
Read research
Cheat Detection
High

Xine FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Xine (XineTeamCheat.exe), a free FiveM cheat also distributed disguised as a NordVPN installer. Key artifacts include a config.json file left on the desktop, Event Viewer entries, Journal Trace confirmation of XineTeamCheat.exe, and Prefetch records. Detection requires no C2 DNS — the config file and journal entry are sufficient.

FiveMCheat DetectionJournal TracePrefetch
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

D3d10.dll FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of the d3d10.dll FiveM cheat, a DLL-based cheat injected into the game process using the DirectX DLL name as cover. Key artifacts include browser download records, FiveM crash dump files, Echo Journal traces, Windows Defender detections, and d3d10.dll presence in System Informer's Explorer module list.

FiveMCheat DetectionDLL InjectionJournal Trace
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

MrCheat (Turkish Kebab) FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of MrCheat, also known as Turkish Kebab (Loader.exe). SHA-1: 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f. C2 domain api.mrcheat.api-ir observed in DNS cache. DPS: 2025/02/08. PcaSvc: 0x67b000. Covers Prefetch, Journal Trace, System Informer Explorer, and VirusTotal detections.

FiveMCheat DetectionDNSPrefetch
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Cheat Detection
High

Ambani FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of the Ambani FiveM cheat. SHA-256: c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. Flagged by Windows Defender. Key artifacts include System Informer showing injection into msedge.exe, Prefetch parser records, and detailed VirusTotal detections across multiple engines.

FiveMCheat DetectionWindows DefenderPrefetch
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Cheat Detection
High

Bang Service TriggerBot: Detection & Forensic Artifacts

Forensic breakdown of the Bang Service TriggerBot (Bang_Keyboardtweak.exe). SHA-256: 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144. DPS: 2026/01/17. PcaSvc: 0x5d000. Covers VirusTotal detections, Everything tool file search, and Prefetch records confirming execution.

FiveMTriggerBotCheat DetectionPrefetch
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

Kazo FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of the Kazo FiveM cheat. SHA-256: 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727. Covers VirusTotal multi-engine detections, file properties analysis showing anomalous metadata, and Everything tool search for locating cheat artifacts on disk.

FiveMCheat DetectionVirusTotalEverything Tool
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

SSTB FiveM TriggerBot: Detection & Forensic Artifacts

Forensic breakdown of SSTB, a multi-version FiveM triggerbot that hides its payload as a fake ffmpeg.dll (SHA-1: 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, ~2.631 KB) across four host applications: Obsidian/CitizenFX, SteelSeries GG, Insomnia, and Rocket.Chat v4. Detection via ffmpeg.dll size fingerprint and SHA-1 hash. Includes a complete ClubhouseAC scanner script.

FiveMSSTBTriggerBotDLL Masquerade
Clubhouse AC Research·Jun 2, 2026·10 min
Published
Read research
Cheat Detection
High

SouthLoader FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of SouthLoader (SouthLoader.exe), a FiveM cheat that is also distributed bundled with a fake NVIDIA app installer (NVIDIA_app_v11.0.4.526.exe / Lexus_Bundle_Opti.rar). SHA-1: 676693d397b21e66d3b81063596816a51325f2d1. DPS: 2025/08/13. PcaSvc: 0x1ce5000.

FiveMCheat DetectionNVIDIA MasqueradePcaSvc
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

Flyside FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Flyside (distributed as cmd.exe), a FiveM cheat with C2 at gm07-dc04.ouiheberg.com that drops TModule.dll to the root of C:\. SHA-256: 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. Covers BAM parser, Everything tool, Journal Trace, WinPrefetchView, LastActivityView, and OSForensics.

FiveMCheat DetectionTModule.dllJournal Trace
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Cheat Detection
High

FiveM.exe Cheat Loader: Detection & Forensic Artifacts

Forensic breakdown of a FiveM cheat loader distributed as FiveM(1).exe to blend into a player's existing FiveM installation. SHA-1: 7e8c2cf77fbc5d729f0ac151889c028f7ca2b8c3. Notable for an anomalous far-future DPS timestamp of 2077/11/16 — a clear indicator of deliberate timestamp manipulation. PcaSvc: 0x23a000.

FiveMCheat DetectionFuture TimestampTimestomping
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

Traceless FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Traceless (Traceless.exe), a FiveM cheat whose name implies anti-forensic capability but which leaves persistent DPS and PcaSvc execution artifacts. SHA-1: 63f856cb2ff834b82782386b43858672c1f46037. DPS: 2025/07/30. PcaSvc: 0x42d000.

FiveMCheat DetectionAnti-Forensic ClaimPcaSvc
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

WhatsApp Installer FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of a FiveM cheat masquerading as WhatsApp_Installer.exe to appear benign in process lists and download history. SHA-1: 22aee3373ad743cd7442e136a32082bedcfde5b9. Notable for a far-future DPS timestamp of 2049/07/01 — a red flag for timestamp manipulation. PcaSvc: 0x3284000.

FiveMCheat DetectionProcess MasqueradeFuture Timestamp
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

420-Services FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of 420-Services (420-services.exe), a FiveM cheat loader from a vendor that also sells other cheats. SHA-1: 888a2575b2a1d8e68ec50a9204eee52700ae168a. DPS: 2025/10/22. PcaSvc: 0x10e6000. Covers file identification, hash confirmation, and PcaSVC execution evidence.

FiveMCheat DetectionMulti-Cheat VendorPcaSvc
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

MW-Privat FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of MW-Privat (MWPriv+_Cheat_x64.exe), a FiveM cheat with 11 high-severity PE-level detections including WriteProcessMemory, NtWriteVirtualMemory, OpenProcess, and an Aimbot pattern. SHA-256: b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c. DPS: 2026/01/19. PcaSvc: 0x75c000.

FiveMCheat DetectionMemory InjectionAimbot
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Cheat Detection
High

Trigger FiveM TriggerBot: Detection & Forensic Artifacts

Forensic breakdown of a FiveM triggerbot distributed as Rechner.exe (German: 'calculator') to appear innocuous. SHA-256: 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79. Covers BAM parser and Prefetch record artifacts as the primary execution evidence.

FiveMTriggerBotCheat DetectionBAM Parser
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

Aorist FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Aorist (Aorist.exe), a FiveM cheat. SHA-256: cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a. DPS: 2025/06/05. PcaSvc: 0x2d1000. Covers Prefetch records and Everything tool file search for locating artifacts on disk.

FiveMCheat DetectionPrefetchEverything Tool
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Cheat Detection
High

Seryx FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of Seryx (Loader.exe), a FiveM cheat. SHA-256: 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476. DPS: 2026/02/07. PcaSvc: 0x1c86000. Covers Everything tool search, BAM and Prefetch parser analysis, and execution timeline reconstruction from multiple artifact sources.

FiveMCheat DetectionPrefetchBAM Parser
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Cheat Detection
High

AnyDesk Loader FiveM Cheat: Detection & Forensic Artifacts

Forensic breakdown of a FiveM cheat masquerading as AnyDesk (Anydesk.exe) to evade process-list inspection. SHA-256: e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47. DPS: 2025/12/11. PcaSvc: 0x581000. The payload is visible inside the FiveM game process in System Informer. Covers Journal tool, Prefetch parser, and injection evidence.

FiveMCheat DetectionProcess MasqueradeSystem Informer
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Cheat Detection
High

FiveM External Cheat: Detection & Forensic Artifacts

Forensic breakdown of an unnamed FiveM external cheat identified through hash fingerprinting. SHA-256: 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321. SHA-1: D4E117077CC5D26DF848626EB7F69D9176A82230. Operates externally to the game process — detection relies on hash confirmation and PcaSvc/DPS execution evidence rather than in-process strings.

FiveMExternal CheatCheat DetectionHash IOC
Clubhouse AC Research·Jun 2, 2026·6 min
Published
Read research
Cheat Detection
High

Aqua TriggerBot: Detection & Forensic Artifacts

Forensic breakdown of the Aqua TriggerBot, distributed disguised as ReShade_Setup_6.6.1.exe to appear as a legitimate graphics post-processing installer. SHA-256: 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9. DPS: 2025/10/16. PcaSvc: 0x80000. The loader UI is notably low-effort ('AI slop'). Covers DPS/PcaSvc identification and ReShade masquerade technique.

FiveMTriggerBotReShade MasqueradePcaSvc
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Bypass Detection
High

Revenge Bypass: EFI-Drive DLL Masquerade & keyauth.win Detection

Forensic breakdown of Revenge Bypass, which hides its payload on a hidden EFI system partition disguised as desktop.ini and mimics ReShade's installer name. The active bypass DLL is mapped into svchost.exe with keyauth.win authentication in DNS and lsass. Covers BAM parser, Journal Trace showing the EFI desktop.ini path, and System Informer svchost memory strings.

FiveMBypass DetectionEFI PartitionDLL Masquerade
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings

Forensic breakdown of Star.xyz Bypass (4.54 MB Win32 EXE). SHA-256: ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. SHA-1: 9f926aac866275bb93925a9294e53dbc839e274a. keyauth.win domain observed in both DNS cache and LSASS memory strings. Artifacts include LastActivityView execution records, Journal Trace DLL entries, Everything tool discovery, and VirusTotal detections.

FiveMBypass Detectionkeyauth.winLSASS
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
Critical

Spotless Bypass: Full Paid Kernel Reversal, C2 Infrastructure & TZX Connection

Paid engagement: we reversed the Spotless FiveM bypass suite in full using Ghidra on Kali Linux after pulling all 16 files from an unprotected file server (93.127.141.9:8080) — IP found hardcoded in a client-provided DLL. Covers neguin.sys kernel driver (VolCache device, ETW hooks, ObCallbacks, manual DLL map via IOCTL 0x222004), MB.dll C2 auth, Discord token theft, process hollowing into dllhost.exe, AES-CBC decryption key recovered from crypt.exe global initializer, bufa.dll BYOVD loader, v3.dll cheat engine (compiled May 29 2026), fulano.dll targeting 16 FiveM build processes, bananacomleite.exe with RSA TLS pinning, and confirmed TZX infrastructure crossover via api.tzproject.com.

FiveMKernel DriverPaid EngagementTZX Connection
Clubhouse AC Research·Jun 5, 2026·25 min
Published
Read research
Bypass Detection
High

Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader

Forensic breakdown of Purge Bypass, which drops c👎.dll (emoji character in filename) and spawns cmd.exe opening System Informer. SHA-256: 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa. Persists via Registry HKCU\Printers\DevModePerUser, drops imgui_log.txt, injects via localhost Discord bot, and downloads a second stage via obfuscated VBScript. C2: scrapingant domain.

FiveMBypass DetectionEmoji DLLRegistry Persistence
Clubhouse AC Research·Jun 2, 2026·10 min
Published
Read research
Bypass Detection
High

Old Club44 Bypass: SteamSetup Masquerade with 'Clean Traces' Button

Forensic breakdown of Old Club44 Bypass, distributed as SteamSetup.exe and WinRARSetup.exe. SHA-256: f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. 16/70 VirusTotal detections. The loader UI features a 'Clean Traces' button — confirming awareness of forensic investigation. C2: eauth.us.to. Covers hash identification, VT analysis, and C2 artifact recovery.

FiveMBypass DetectionSteam MasqueradeAnti-Forensic Feature
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Superior Bypass: 7-Zip Masquerade with keyauth.win C2

Forensic breakdown of Superior Bypass, distributed as C:\Program Files\7-zip\7zCon.exe to blend into a legitimate 7-Zip installation. SHA-256: 3ab3d87217c6b22f986e43a79e058b202e609f2571c370ba9668ee89ae638b4e. DIE strings analysis reveals 'Clear/Clean/Cheat/Cheat Engine' keywords. C2: keyauth.win. Covers path anomaly detection, string extraction, and keyauth infrastructure identification.

FiveMBypass Detection7-Zip Masqueradekeyauth.win
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Wexize Bypass: BAM Registry & Prefetch Execution Trail

Forensic breakdown of Wexize Revamp.exe bypass. SHA-1: 404209b5e427ddb7ab14c6bd77044d13922f1db4. PcaSVC entry at 0xac424d0. Despite anti-forensic claims, execution artifacts persist across BAM registry, Prefetch files readable via WinPrefetchView, and LastActivityView timeline. Covers each artifact source with detection steps.

FiveMBypass DetectionBAM RegistryPrefetch
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS

Forensic breakdown of XRC Bypass, which uses PowerShell IEX (Invoke-Expression) to load its payload entirely in memory, leaving Event Viewer PowerShell event 800. SHA-256: 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Anomalous DPS timestamp of 2038/07/16. PcaSVC: 0x11a000. Artifacts include Destemido Cleaner.exe companion, CRDOWNLOAD file in Journal Trace, and keyauth.win C2.

FiveMBypass DetectionPowerShell IEXFuture Timestamp
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection

Forensic breakdown of secure-bzpass. SHA-256: 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8. Hijacks profapi.dll inside Process Lasso's installation directory and uses Alt+F12 hotkey to trigger injection. Although the bypass destructs and unloads on exit, the DLL file remains on disk — a persistent artifact. Covers DLL path anomaly, hotkey-triggered injection mechanics, and persistence identification.

FiveMBypass DetectionDLL HijackProcess Lasso
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer

Forensic breakdown of Xytrus Bypass, which plants UnityCrashHandler64.exe and a modified UnityPlayer.dll inside the Crab Game installation directory to appear as legitimate Unity engine files. The bypass then injects into explorer.exe for persistence. Detection via LastActivityView execution records, DLL path anomaly (Unity binary outside game folder context), and explorer.exe module inspection.

FiveMBypass DetectionUnity MasqueradeExplorer Injection
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe

Forensic breakdown of Ninez Hider, which executes an encoded PowerShell command (-encodedCommand) to download its second-stage payload from files.catbox.moe — a public file-hosting service. The encoded command and download URL survive in ConsoleHost_history.txt. Covers history file recovery, base64 command decoding, and network IOC identification.

FiveMBypass DetectionPowerShellEncodedCommand
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Shitty Bypass: Kernel Driver (info.sys) Dropped via certutil to System32

Forensic breakdown of 'Shitty Bypass', which drops a kernel driver named info.sys (SHA-256: 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea) to C:\Windows\System32 using certutil.exe as a living-off-the-land downloader. A cum.sys variant also observed. DiagTrack service artifacts preserve the full certutil command-line including the download URL. Covers Diagtrack artifact recovery and driver file identification.

FiveMBypass DetectionKernel Drivercertutil LOLBAS
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Aqua EFI Bypass: Modified EFI Bootloader Running Before Windows

Forensic breakdown of the Aqua EFI Bypass — a modified bootx64.efi bootloader that executes before the Windows kernel loads, providing pre-OS anti-cheat circumvention. SHA-256: 91d9db5fbf3c89b0df5d674f0e367afd3ac9e45ff1c13040ee2279cf3314cbd5. SHA-1: d8fca4d3fa670c6d54fc274a0625cd4bad2016ab. Covers EFI partition inspection methodology, bootloader hash verification, and detection via Secure Boot log analysis.

FiveMBypass DetectionEFI BootloaderPre-OS Bypass
Clubhouse AC Research·Jun 2, 2026·10 min
Published
Read research
Bypass Detection
High

No Trace Bypass: mycomput.dll Planted in Computer Management (18 MB)

Forensic breakdown of No Trace Bypass, which plants mycomput.dll inside Computer Management (Computerverwaltung). The bypass DLL weighs ~18,000 KB versus the legitimate 124 KB original — an immediate size-based detection. SHA-256: f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494. Injected via Win+X then F7 keyboard shortcut. Covers size anomaly detection, DLL path verification, and shortcut-triggered injection.

FiveMBypass Detectionmycomput.dllDLL Size Anomaly
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts

Forensic breakdown of Farbenbomber.exe bypass. SHA-256: af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b. DPS timestamp: 2025/10/15. PcaSVC: 0x494000. Despite anti-forensic design intent, execution artifacts persist in Prefetch files, Journal Trace, and System Informer process records — each source cross-corroborating execution time and context.

FiveMBypass DetectionPcaSVCPrefetch
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Wizard Bypass: DecoyLoader.pdb YARA Rule & Future-Dated DPS

Forensic breakdown of Wizard Bypass (doumpa.exe). SHA-256: 9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978. Anomalous DPS timestamp of 2026/01/01 (New Year's Day — deliberate). PcaSVC: 0x1b29000. Retains the PDB path string 'DecoyLoader.pdb' in its PE debug directory, enabling a high-confidence YARA rule. Covers timestamp manipulation detection and PDB artifact analysis.

FiveMBypass DetectionYARAPDB Artifact
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

Notepad Bypass: fa817dc1 Full Reversal — ROL-XOR Cipher, CPU Affinity & WTS Cross-Session Messaging

Deep static analysis of a FiveM bypass masquerading as notepad.exe (SHA-256: b61907b9…f8d39a18, 4.90 MB, timestamped 2023-09-27). Six hollowed virtual PE sections, single .tiko payload at 7.88 entropy, ROL-XOR decryption key 0x32063cae shared with ApateonDecoy/Wizard — same packer family. Export table abuse: 3,100-byte encrypted blob with 7.94 entropy as the sole export 'name'. NtQuerySystemInformation direct ntdll anti-debug, window station check, CPU affinity mask fingerprinting (3 affinity APIs), WTSSendMessageW cross-session messaging, and timing evasion. Full 16-function stub map, YARA rules for exact and family-level detection, screenshare methodology.

FiveMBypass DetectionYARACustom Packer
Clubhouse AC Research·Jun 6, 2026·18 min
Published
Read research
Bypass Detection
High

Sulution Software Bypass: Three Build Variants with March 2026 DPS Timestamps

Forensic breakdown of Sulution Software Bypass, which shipped at least three distinct builds in rapid succession (DPS: 2026/03/18 and 2026/03/20). SHA-256 hashes: 9afb3f4b…, df699dca…, acd31242…. The close timestamp clustering indicates active development and iterative evasion attempts. Covers multi-variant hash tracking, DPS cross-comparison, and artifact overlap analysis across builds.

FiveMBypass DetectionMulti-BuildDPS Timestamp
Clubhouse AC Research·Jun 2, 2026·9 min
Published
Read research
Bypass Detection
High

XYZ Corp Bypass: Randomised Executable Name with xyzcorporation.xyz C2

Forensic breakdown of XYZ Corp Bypass (ear6tkyel9rv.exe — randomly generated filename). SHA-256: 6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0. DPS: 2026/03/06. Extracted from C:\Users\Administrator\AppData\Local. C2 domain: xyzcorporation.xyz. The randomised executable name is a weak obfuscation — DPS timestamps and the C2 domain provide reliable cross-source confirmation.

FiveMBypass DetectionRandom FilenameC2 Domain
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Stainless Bypass: telephon.cpl with RTCore64 BYOVD Driver

Forensic breakdown of Stainless Bypass (telephon.cpl). SHA-256: 9104158b8ee2f545697504a368be7fd264cadac2ed38ecd80a8dcc9f42e27097. Loads the RTCore64.sys vulnerable driver (a known BYOVD target) to disable kernel callbacks. YARA rule matches on both stainless.pdb PDB path and RTCore64 driver filesystem paths embedded in the binary. Covers BYOVD chain reconstruction and YARA detection methodology.

FiveMBypass DetectionBYOVDRTCore64
Clubhouse AC Research·Jun 2, 2026·10 min
Published
Read research
Bypass Detection
High

Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB

Forensic breakdown of Genesis Bypass (pwahelper.exe). SHA-256: 93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958. DPS: 2026/03/21. PcaSVC: 0x79000. Retains the PDB path 'Genesis-Rework hook.pdb' in its debug directory — the developer forgot to strip debug symbols, providing a high-confidence YARA detection string. Covers PDB artifact analysis, DPS/PcaSvc corroboration, and YARA rule construction.

FiveMBypass DetectionPDB ArtifactYARA
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Titan Bypass: Thoroughly Underwhelming Anti-Forensics That Leave Everything

Forensic breakdown of Titan Bypass — a bypass product that, despite marketing itself on anti-forensic capability, leaves artifacts in Event Viewer, Journal Trace, LastActivityView, and plaintext Notepad files sitting on the desktop. A masterclass in false confidence. Detection requires nothing exotic: standard five-minute screenshare procedure surfaces the full execution timeline without specialist tooling.

FiveMBypass DetectionEvent ViewerJournal Trace
Clubhouse AC Research·Jun 2, 2026·7 min
Published
Read research
Bypass Detection
High

Apateon Bypass: kokaizanh.exe with March 2026 DPS Timestamp

Forensic breakdown of Apateon Bypass (kokaizanh.exe). SHA-256: f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713. DPS: 2026/03/18. PcaSVC: 0x287a000. The randomised executable name is a superficial obfuscation — DPS and PcaSvc execution timestamps provide definitive confirmation regardless of filename changes or post-execution cleanup attempts.

FiveMBypass DetectionDPS TimestampPcaSVC
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Vanish Bypass: Spotify.exe Masquerade with Journal Trace Evidence

Forensic breakdown of Vanish Bypass, distributed as Spotify.exe to blend into a player's music application. SHA-256: 039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe. Despite the masquerade, Journal Trace records preserve the true file path and creation event. Covers the Spotify masquerade technique, Journal Trace recovery, and hash-based definitively identification against legitimate Spotify binaries.

FiveMBypass DetectionSpotify MasqueradeJournal Trace
Clubhouse AC Research·Jun 2, 2026·8 min
Published
Read research
Bypass Detection
High

Sacred Bypass PWNED: Screenshot Storage Exposed & It's Just Windhawk

PWNED: Sacred Bypass exposed an unauthenticated screenshot storage server at 46.202.140.112, leaking approximately 2,500 customer screenshots including personal desktop content, file listings, and sensitive information. Independent analysis reveals the 'bypass' is functionally Windhawk + Spotify running as Administrator — not a proprietary kernel solution. Full exposure and technical analysis.

FiveMBypass DetectionPWNEDData Exposure
Clubhouse AC Research·Jun 2, 2026·10 min
Published
Read research
Bypass Detection
High

Club44 Decompiled: BSOD-Triggering System32 Deletion & Brazilian Dev Errors

Full decompilation analysis of Club44, revealing catastrophically unsafe code that deletes System32 on error — triggering a BSOD. The binary strings include the infamous 'Falha NtCreateThreadEx' error message in Portuguese (the developer's native language), exposes a 'Club44-FiveM-External/1.0' User-Agent string hardcoded in HTTP requests, and injects into SystemSettingsBroker.exe. A monument to dangerous incompetence.

FiveMBypass DetectionDecompiledBSOD Risk
Clubhouse AC Research·Jun 2, 2026·11 min
Published
Read research

Disclosure & responsible use

Detection rules and forensic methodologies published here describe defensive techniques used by the Clubhouse AC scanner. Where research touches on third-party software vulnerabilities (driver-signing flaws, DMA board firmware, anti-forensic tooling), we follow coordinated disclosure with the affected vendor or maintainer before publishing operational detail. Notes marked disclosure pending are held back until that process completes.

Material is published for defenders, server administrators, DFIR practitioners, and academic researchers. We will not provide weaponised samples, working exploit chains, or evasion guidance. To report a vulnerability in our scanner, contact security@clubhouseac.shop.