Summary
- Injects via a fake ffmpeg.dll placed in the directory of a legitimate application — DLL hijacking.
- Four known application targets: Obsidian/CitizenFX, SteelSeries GG, Insomnia, Rocket.Chat.
- SHA-1 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5 identifies the malicious DLL.
- Detection: check for ffmpeg.dll in application directories where it does not belong, then hash-verify.
Overview
SSTB uses a DLL hijacking technique to load its cheat payload. It drops a malicious ffmpeg.dll into the installation directory of a legitimate application that loads ffmpeg.dll at startup. When the host application runs, Windows loads the malicious DLL instead of the legitimate one, executing the cheat payload within the context of a trusted process.
Four target applications have been identified across known SSTB variants:
- Obsidian / CitizenFX — note-taking app and FiveM's own CitizenFX launcher both load ffmpeg.dll at startup
- SteelSeries GG — gaming peripheral software
- Insomnia — API client application
- Rocket.Chat — messaging platform desktop client
The presence of a non-standard ffmpeg.dll in any of these application directories is an immediate red flag.
Sample metadata (IOC)
Name ffmpeg.dll (malicious — DLL hijack) Cheat SSTB SHA-1 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5 Target dirs Obsidian %APPDATA%\obsidian\ CitizenFX %LOCALAPPDATA%\FiveM\FiveM.app\ SteelSeries %PROGRAMFILES%\SteelSeries\GG\ Insomnia %APPDATA%\Insomnia\ Rocket.Chat %LOCALAPPDATA%\Rocket.Chat\
Behavioral indicators
DLL hijacking via ffmpeg.dll
The malicious ffmpeg.dll is placed in the application's own directory. Windows' DLL search order prioritises the application directory over System32, so the cheat DLL is loaded instead of the legitimate ffmpeg library. The host process (Obsidian, SteelSeries GG, etc.) loads normally from the user's perspective, but SSTB is now running inside it.
Identifying the malicious DLL
The legitimate ffmpeg.dll bundled with applications like Obsidian is signed by the respective software vendor or the FFmpeg project. The malicious SSTB DLL is unsigned. Additionally, the file size and SHA-1 hash will differ from any legitimate ffmpeg build.
Cross-variant identification
All four variants share the same SHA-1 hash 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, indicating the same underlying payload is used across different application targets. The only difference between variants is the target application directory.
Screenshare check guide
Check ffmpeg.dll in application directories
- Navigate to the installation directories of Obsidian, CitizenFX/FiveM, SteelSeries GG, Insomnia, and Rocket.Chat.
- Check for the presence of ffmpeg.dll in each directory. Its presence is expected in some of these — proceed to hash check.
File hash verification
- For each ffmpeg.dll found, compute its SHA-1.
- Match against 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5. Any match is the SSTB cheat DLL.
- Legitimate ffmpeg DLLs will have a different hash and typically carry a valid signature.
Digital signature check
- Right-click the DLL → Properties → Digital Signatures.
- The SSTB DLL is unsigned. Legitimate ffmpeg builds may or may not be signed depending on the bundling application.
Process module list
- In System Informer, check the modules loaded by Obsidian, SteelSeries GG, Insomnia, or Rocket.Chat.
- If ffmpeg.dll is loaded from the application's own directory rather than System32 or a known path, inspect it.
Journal Trace for DLL drops
- Run a Journal Trace search for ffmpeg.dll creation events in application directories.
- A recent creation event in an app directory (not System32) is suspicious.
Browser and Discord
- Check browser history and downloads for references to SSTB or unusual DLL downloads.
- In Discord, check User Settings → Authorized Apps.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── Malicious ffmpeg.dll on disk Yes (if not deleted) App directory SHA-1 hash match Yes (file on disk) File system Journal Trace DLL creation event Yes Journal Trace Unsigned DLL in app directory Yes (file on disk) File properties
The most actionable indicator is a SHA-1 match on ffmpeg.dll in any of the four known target application directories. A Journal Trace search for ffmpeg.dll creation events in non-system paths provides a persistence-independent confirmation.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.