Cheat DetectionHighPublished

SSTB FiveM cheat detection & forensic artifacts

SSTB is a FiveM cheat that uses a fake ffmpeg.dll as its injection vector. Four variants have been identified, each masquerading as a different legitimate application: Obsidian/CitizenFX, SteelSeries GG, Insomnia, and Rocket.Chat. The DLL SHA-1 is 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5.

CR
Clubhouse AC Research
June 2, 2026 8 min read

Summary

  • Injects via a fake ffmpeg.dll placed in the directory of a legitimate application — DLL hijacking.
  • Four known application targets: Obsidian/CitizenFX, SteelSeries GG, Insomnia, Rocket.Chat.
  • SHA-1 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5 identifies the malicious DLL.
  • Detection: check for ffmpeg.dll in application directories where it does not belong, then hash-verify.

Overview

SSTB uses a DLL hijacking technique to load its cheat payload. It drops a malicious ffmpeg.dll into the installation directory of a legitimate application that loads ffmpeg.dll at startup. When the host application runs, Windows loads the malicious DLL instead of the legitimate one, executing the cheat payload within the context of a trusted process.

Four target applications have been identified across known SSTB variants:

  • Obsidian / CitizenFX — note-taking app and FiveM's own CitizenFX launcher both load ffmpeg.dll at startup
  • SteelSeries GG — gaming peripheral software
  • Insomnia — API client application
  • Rocket.Chat — messaging platform desktop client

The presence of a non-standard ffmpeg.dll in any of these application directories is an immediate red flag.

Sample metadata (IOC)

ffmpeg.dll (SSTB) — file indicatorsIOC
Name        ffmpeg.dll  (malicious — DLL hijack)
Cheat       SSTB

SHA-1       7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5

Target dirs
  Obsidian    %APPDATA%\obsidian\
  CitizenFX   %LOCALAPPDATA%\FiveM\FiveM.app\
  SteelSeries %PROGRAMFILES%\SteelSeries\GG\
  Insomnia    %APPDATA%\Insomnia\
  Rocket.Chat %LOCALAPPDATA%\Rocket.Chat\

Behavioral indicators

DLL hijacking via ffmpeg.dll

The malicious ffmpeg.dll is placed in the application's own directory. Windows' DLL search order prioritises the application directory over System32, so the cheat DLL is loaded instead of the legitimate ffmpeg library. The host process (Obsidian, SteelSeries GG, etc.) loads normally from the user's perspective, but SSTB is now running inside it.

Identifying the malicious DLL

The legitimate ffmpeg.dll bundled with applications like Obsidian is signed by the respective software vendor or the FFmpeg project. The malicious SSTB DLL is unsigned. Additionally, the file size and SHA-1 hash will differ from any legitimate ffmpeg build.

Cross-variant identification

All four variants share the same SHA-1 hash 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, indicating the same underlying payload is used across different application targets. The only difference between variants is the target application directory.

Screenshare check guide

1

Check ffmpeg.dll in application directories

  • Navigate to the installation directories of Obsidian, CitizenFX/FiveM, SteelSeries GG, Insomnia, and Rocket.Chat.
  • Check for the presence of ffmpeg.dll in each directory. Its presence is expected in some of these — proceed to hash check.
2

File hash verification

  • For each ffmpeg.dll found, compute its SHA-1.
  • Match against 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5. Any match is the SSTB cheat DLL.
  • Legitimate ffmpeg DLLs will have a different hash and typically carry a valid signature.
3

Digital signature check

  • Right-click the DLL → Properties → Digital Signatures.
  • The SSTB DLL is unsigned. Legitimate ffmpeg builds may or may not be signed depending on the bundling application.
4

Process module list

  • In System Informer, check the modules loaded by Obsidian, SteelSeries GG, Insomnia, or Rocket.Chat.
  • If ffmpeg.dll is loaded from the application's own directory rather than System32 or a known path, inspect it.
5

Journal Trace for DLL drops

  • Run a Journal Trace search for ffmpeg.dll creation events in application directories.
  • A recent creation event in an app directory (not System32) is suspicious.
6

Browser and Discord

  • Check browser history and downloads for references to SSTB or unusual DLL downloads.
  • In Discord, check User Settings → Authorized Apps.

Detection summary

Artifact matrix — SSTB / ffmpeg.dll hijackSummary
Artifact                              Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────────
Malicious ffmpeg.dll on disk          Yes (if not deleted) App directory
SHA-1 hash match                      Yes (file on disk)   File system
Journal Trace DLL creation event      Yes                  Journal Trace
Unsigned DLL in app directory         Yes (file on disk)   File properties

The most actionable indicator is a SHA-1 match on ffmpeg.dll in any of the four known target application directories. A Journal Trace search for ffmpeg.dll creation events in non-system paths provides a persistence-independent confirmation.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.