Summary
- Two variants: SouthLoader.exe (self-branded, immediately identifiable) and NVIDIA_app_v11.0.4.526.exe (NVIDIA masquerade).
- The NVIDIA variant lacks a valid NVIDIA Corporation Authenticode signature — the real NVIDIA App installer is always signed.
- PcaSVC and Prefetch records persist for both variants after execution.
- Execution path of the NVIDIA variant will be a non-NVIDIA path (Downloads, Desktop, etc.) rather than an official installer source.
Overview
SouthLoader is distributed in two known variants. The first, SouthLoader.exe, uses the cheat's own brand name and is immediately identifiable — no legitimate software uses this name. The second variant adopts the filename NVIDIA_app_v11.0.4.526.exe to impersonate the NVIDIA App installer, exploiting the ubiquity of NVIDIA graphics driver software to avoid suspicion.
The NVIDIA masquerade is distinguished from a legitimate NVIDIA installer by the absence of a valid NVIDIA Corporation Authenticode signature, a non-standard execution path, and a browser download origin from a non-NVIDIA source.
Sample metadata (IOC)
Variant 1 SouthLoader.exe
(self-branded — no legitimate software uses this name)
Variant 2 NVIDIA_app_v11.0.4.526.exe
Masquerade: NVIDIA App installer
Signature: None (real NVIDIA installer is signed by NVIDIA Corp)
Expected path: non-NVIDIA source / Downloads / DesktopBehavioral indicators
Variant 1: SouthLoader.exe — self-branded
The filename SouthLoader.exe is exclusive to this cheat. Any Prefetch entry, process list entry, or AppCompat record referencing this name is definitively SouthLoader. No further analysis is required beyond confirming the name.
Variant 2: NVIDIA masquerade
The NVIDIA App is a legitimate NVIDIA software suite. The real installer is signed by NVIDIA Corporation and distributed via the official NVIDIA website or GeForce Experience. Key distinguishing factors from the cheat:
- Real NVIDIA App installer: signed by NVIDIA Corporation, version numbers match official releases.
- SouthLoader variant: unsigned, obtained from a non-NVIDIA download source.
- Cheat version runs from Downloads, Desktop, or Discord cache rather than a standard NVIDIA installer path.
Screenshare check guide
Prefetch — SouthLoader.exe
- Check C:\Windows\Prefetch for SOUTHLOADER.EXE-*.pf.
- Any match is definitive — this filename has no legitimate origin.
Digital signature — NVIDIA variant
- If NVIDIA_app_v11.0.4.526.exe is present on disk, right-click -> Properties -> Digital Signatures.
- The real NVIDIA App installer is signed by NVIDIA Corporation. An unsigned file is not the legitimate installer.
Execution path — NVIDIA variant
- In Prefetch or AppCompat, check the full execution path of NVIDIA_app_v11.0.4.526.exe.
- Paths outside of official NVIDIA installer locations confirm this is not a legitimate NVIDIA installer.
Browser download history
- Check browser download history for the source of NVIDIA_app_v11.0.4.526.exe. Legitimate NVIDIA software is only distributed via nvidia.com.
PcaSVC / AppCompat entry
- Inspect the AppCompat PcaSVC log for entries referencing either SouthLoader.exe or the NVIDIA variant filename.
Detection summary
Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────── PcaSVC entry (both variants) Yes AppCompat / DPS log Prefetch (SouthLoader.exe) Usually C:\Windows\Prefetch Missing NVIDIA signature (variant 2) Yes (file on disk) File properties
For the self-branded variant, the Prefetch entry for SouthLoader.exe is definitive. For the NVIDIA masquerade, the missing NVIDIA Corporation Authenticode signature is the fastest confirmation.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.