Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Xytrus is a FiveM anti-cheat bypass that leverages the legitimate Unity Engine runtime directory structure as a staging ground for its malicious components. Rather than dropping files in an obvious location like AppData\Local\Temp, the operator installs the bypass into the Crab Game directory — a legitimate Unity-based game available on Steam — making the files appear as standard engine components to a casual observer.
The two primary masquerade files are UnityCrashHandler64.exe and a trojaned UnityPlayer.dll. Both filenames are valid components in any Unity game installation, which is precisely what makes this technique effective against unsophisticated screenshare reviews.
After the bypass component executes, it injects a payload into explorer.exe — the Windows shell host — which provides persistence across sessions without requiring a separate service or scheduled task. The injected DLL runs within the explorer.exe address space, making it invisible to naive process listings that only show top-level process names.
Detection requires correlating multiple data sources: execution history (LastActivityView), file modification timestamps, and live module enumeration inside explorer.exe via System Informer or a comparable tool. Journal Trace creation events can also corroborate the initial drop time independently of NTFS timestamps, which may be tampered.
Primary IOCs
UnityCrashHandler64.exe Execution Record (LastActivityView)
Open LastActivityView and search for UnityCrashHandler64.exe. In a stock Crab Game installation this binary is never invoked during normal gameplay — it is only called when the Unity crash reporter fires, which is an exceptional event. Any execution record for this binary outside of a genuine game crash is highly suspicious.
Pay attention to the timestamp of execution and whether it correlates with other anomalous process launches in the same timeframe. Xytrus typically invokes this binary as a loader stage, so its execution record will often be clustered with other unusual activity.
UnityPlayer.dll Modification Timestamp vs. Game Install Date
Right-click UnityPlayer.dll in the Crab Game install directory and inspect the Last Modified timestamp. Cross-reference this with the Steam manifest file (appmanifest_1108600.acf in the Steam\steamapps folder) to determine when the game was originally installed or last legitimately updated.
If the DLL modification date post-dates the last Steam update by more than a few minutes, the file has been replaced. Note that attackers may attempt to forge NTFS timestamps using SetFileTime; corroborate with USN Journal or MFT record creation time.
UnityCrashHandler64.exe loading UnityPlayer.dll into explorer.exe
Open System Informer (formerly Process Hacker) and navigate to the explorer.exe process. Switch to the Modules tab and scan the full list. Every legitimate DLL in explorer.exe should have a valid Microsoft or known-vendor signature. Any module showing an unknown or missing signature, particularly one with a path inside the Crab Game directory, is direct evidence of injection.
Look specifically for DLLs loaded from paths that do not belong in a system process: C:\Program Files (x86)\Steam\steamapps\common\Crab Game\ or adjacent directories.
USN Journal Creation Events for Masquerade Files
Run fsutil usn readjournal C: csv or use a Journal Trace utility to query creation and modification records for the Crab Game install directory. A legitimate game install will show creation events at install time with subsequent modification events only during Steam updates.
If Journal Trace shows a creation event for UnityPlayer.dll that is significantly newer than the surrounding game files, it was written by the bypass installer rather than Steam. This record is significantly harder to forge than standard NTFS timestamps.
Process Ancestry of UnityCrashHandler64.exe
In System Informer's process tree or via Windows Event Log (Event ID 4688 with process creation auditing enabled), check what parent process spawned UnityCrashHandler64.exe. In a legitimate crash scenario, the parent will be the game's main executable (Crab Game.exe).
If the parent is an unrelated process — a browser, a Discord overlay, or a loader binary — the execution was manufactured, not triggered by a genuine crash. This parent-child relationship is a reliable detection signal that survives even if the operator attempts to clean execution artefacts.
Unity Directory Masquerade Explained
Every Unity game ships with a predictable set of runtime files: UnityPlayer.dll, UnityCrashHandler64.exe, and various data folders. Crab Game is an ideal target for this technique because it is a free-to-play title with a substantial player base, making it plausible for a FiveM player to also have it installed, and because its Unity version ships with a crash handler that is structurally identical in name to what a bypass author would want to place there.
The attacker replaces the legitimate UnityPlayer.dll with a modified version that contains the bypass payload. The original file is typically backed up or simply discarded. The replacement DLL exports the same functions as the real UnityPlayer to avoid breaking the game's startup sequence, while internally bootstrapping the bypass.
UnityCrashHandler64.exe is repurposed as the activation stub — the binary a user or scheduled task runs to trigger the injection chain. Because the filename is legitimate, it passes a superficial screenshare review where a moderator only checks whether recognizable names are present, without verifying file integrity.
The choice of explorer.exe as the injection target is deliberate. Explorer is always running, it hosts the shell, and many security tools exclude it from scanning to avoid UI disruption. A DLL injected into explorer.exe benefits from the process's long uptime and its exemption from aggressive monitoring in many endpoint configurations.
Detection Notes
The Xytrus masquerade technique is effective precisely because it exploits reviewer complacency — moderators who only check that filenames "look right" will not catch it. The detection methodology above requires moving beyond name recognition to timestamp analysis, hash verification, and live process inspection.
Note that the explorer.exe injection may persist across reboots if the bypass installs a Run key or scheduled task to re-trigger UnityCrashHandler64.exe at login. Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run and Task Scheduler for entries referencing the Crab Game directory.
Steam Integrity Check (right-click game → Properties → Local Files → Verify integrity) will detect the modified UnityPlayer.dll and re-download the original, but this also destroys the forensic artefact. If preservation for evidence purposes is needed, hash and copy the files before running verification.
Server administrators should treat any player who has Crab Game installed and cannot account for a recent execution of UnityCrashHandler64.exe as a high-priority review candidate. The combination of unexplained execution history and any anomaly in the explorer.exe module list is sufficient justification for a ban pending further investigation.