Summary
- config.json written to the user's Desktop — a persistent configuration artifact created by Xine with no legitimate origin in that location.
- Also distributed as a NordVPN masquerade — executable may appear as NordVPN in the process list; verify the true binary name.
- Journal Trace records XineTeamCheat.exe activity; Prefetch typically persists after execution.
- Event Viewer logs are present for the duration of the session; process list entry is only visible while the cheat is running.
Overview
Xine is a free, publicly distributed FiveM cheat loader. Its primary executable is named XineTeamCheat.exe and has been observed distributed under a NordVPN masquerade, meaning the process may appear with that name in a superficial process-list review. No C2 domain has been documented for this variant, and no DPS or PcaSvc timestamps have been confirmed.
The most accessible and distinctive artifact is a config.json file written directly to the user's Desktop. This file persists after the cheat closes, is visible in Explorer without any specialist tooling, and has no legitimate origin in that path. Combined with Journal Trace entries and Event Viewer records, Xine leaves a reliable forensic footprint across multiple independent artifact sources.
Sample metadata (IOC)
No cryptographic hashes, C2 domains, DPS timestamps, or PcaSvc entries have been confirmed for Xine at the time of publication. The primary file indicators are documented below.
Name XineTeamCheat.exe
(also distributed as NordVPN masquerade)
Hashes Not yet confirmed
C2 None documented
DPS Not provided
PcaSvc Not provided
Key artifact config.json on user DesktopThe absence of confirmed hashes does not diminish detectability. The config.json Desktop artifact and Journal Trace entries provide strong attribution without relying on hash matching.
Behavioral indicators
Loader UI
When active, the Xine loader displays a visible UI. The following screenshot shows the loader open and operational, confirming injection is in progress.
config.json on Desktop
Xine writes a config.json file to the user's Desktop. This file contains cheat configuration data and persists after the process exits. It is immediately visible in Explorer and is the fastest artifact to verify during a screenshare — no specialist tooling is required.
Event Viewer entries
Windows Event Viewer records entries associated with Xine for the duration of the session. These logs are session-length and may be cleared after the cheat closes, but will be present during an active screenshare.
Screenshare check guide
Work through these steps in order. Step 1 targets the Journal Trace entry, which is the most forensically reliable artifact. Step 3 targets the Desktop config file, which requires no tooling beyond Explorer.
Journal Trace for XineTeamCheat.exe
- Open a Journal Trace tool and search for XineTeamCheat.
- Look for file creation or execution events. This trace persists independently of Prefetch and confirms the executable was run from this machine.
Prefetch folder check
- Navigate to C:\Windows\Prefetch and look for a XINETEAMCHEAT.EXE-*.pf entry.
- Prefetch typically persists after execution. There is no legitimate process with this name in any standard Windows installation.
Desktop config.json
- Navigate to the user's Desktop (or run dir %USERPROFILE%\Desktop\config.json).
- The presence of config.json on the Desktop is the fastest and most visible artifact of Xine. Open it in Notepad to confirm cheat configuration content.
Event Viewer
- Open Event Viewer and check the Windows Logs for entries related to Xine or XineTeamCheat.exe.
- These entries are session-length and may be absent if the session ended before the screenshare, but will be visible during an active session.
Process list — XineTeamCheat.exe or NordVPN masquerade
- Open Task Manager or System Informer and search for XineTeamCheat.exe.
- Also check for any suspicious NordVPN process — Xine has been distributed under this masquerade. If a NordVPN process is found but NordVPN is not installed, verify the true binary path to confirm it is Xine.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── config.json on Desktop Yes %USERPROFILE%\Desktop Journal Trace (XineTeamCheat) Yes Journal Trace tool Prefetch (XineTeamCheat.exe) Usually C:\Windows\Prefetch Event Viewer entries Session-length Event Viewer logs Process (XineTeamCheat / NordVPN) Only while running Task Manager / SI
The most immediately actionable indicator is the config.json file on the user's Desktop, which requires no specialist tooling and persists after the cheat exits. Journal Trace and Prefetch provide corroborating execution records. The NordVPN masquerade variant requires careful verification of the underlying binary path if NordVPN is not genuinely installed.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.