Bypass Detection·Jun 2, 2026

Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer

Xytrus abuses the Unity game runtime directory structure — specifically Crab Game's install — to plant a modified UnityPlayer.dll alongside a repackaged UnityCrashHandler64.exe. Once triggered, the loader injects into explorer.exe for persistent, low-visibility operation. This report covers all observable IOCs and screenshare-based detection steps.

FiveMBypass DetectionUnity MasqueradeExplorer InjectionDLL Hijack

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Xytrus is a FiveM anti-cheat bypass that leverages the legitimate Unity Engine runtime directory structure as a staging ground for its malicious components. Rather than dropping files in an obvious location like AppData\Local\Temp, the operator installs the bypass into the Crab Game directory — a legitimate Unity-based game available on Steam — making the files appear as standard engine components to a casual observer.

The two primary masquerade files are UnityCrashHandler64.exe and a trojaned UnityPlayer.dll. Both filenames are valid components in any Unity game installation, which is precisely what makes this technique effective against unsophisticated screenshare reviews.

After the bypass component executes, it injects a payload into explorer.exe — the Windows shell host — which provides persistence across sessions without requiring a separate service or scheduled task. The injected DLL runs within the explorer.exe address space, making it invisible to naive process listings that only show top-level process names.

Detection requires correlating multiple data sources: execution history (LastActivityView), file modification timestamps, and live module enumeration inside explorer.exe via System Informer or a comparable tool. Journal Trace creation events can also corroborate the initial drop time independently of NTFS timestamps, which may be tampered.

Primary IOCs

1

UnityCrashHandler64.exe Execution Record (LastActivityView)

Open LastActivityView and search for UnityCrashHandler64.exe. In a stock Crab Game installation this binary is never invoked during normal gameplay — it is only called when the Unity crash reporter fires, which is an exceptional event. Any execution record for this binary outside of a genuine game crash is highly suspicious.

Pay attention to the timestamp of execution and whether it correlates with other anomalous process launches in the same timeframe. Xytrus typically invokes this binary as a loader stage, so its execution record will often be clustered with other unusual activity.

2

UnityPlayer.dll Modification Timestamp vs. Game Install Date

Right-click UnityPlayer.dll in the Crab Game install directory and inspect the Last Modified timestamp. Cross-reference this with the Steam manifest file (appmanifest_1108600.acf in the Steam\steamapps folder) to determine when the game was originally installed or last legitimately updated.

If the DLL modification date post-dates the last Steam update by more than a few minutes, the file has been replaced. Note that attackers may attempt to forge NTFS timestamps using SetFileTime; corroborate with USN Journal or MFT record creation time.

3

UnityCrashHandler64.exe loading UnityPlayer.dll into explorer.exe

Open System Informer (formerly Process Hacker) and navigate to the explorer.exe process. Switch to the Modules tab and scan the full list. Every legitimate DLL in explorer.exe should have a valid Microsoft or known-vendor signature. Any module showing an unknown or missing signature, particularly one with a path inside the Crab Game directory, is direct evidence of injection.

Look specifically for DLLs loaded from paths that do not belong in a system process: C:\Program Files (x86)\Steam\steamapps\common\Crab Game\ or adjacent directories.

4

USN Journal Creation Events for Masquerade Files

Run fsutil usn readjournal C: csv or use a Journal Trace utility to query creation and modification records for the Crab Game install directory. A legitimate game install will show creation events at install time with subsequent modification events only during Steam updates.

If Journal Trace shows a creation event for UnityPlayer.dll that is significantly newer than the surrounding game files, it was written by the bypass installer rather than Steam. This record is significantly harder to forge than standard NTFS timestamps.

5

Process Ancestry of UnityCrashHandler64.exe

In System Informer's process tree or via Windows Event Log (Event ID 4688 with process creation auditing enabled), check what parent process spawned UnityCrashHandler64.exe. In a legitimate crash scenario, the parent will be the game's main executable (Crab Game.exe).

If the parent is an unrelated process — a browser, a Discord overlay, or a loader binary — the execution was manufactured, not triggered by a genuine crash. This parent-child relationship is a reliable detection signal that survives even if the operator attempts to clean execution artefacts.

Unity Directory Masquerade Explained

Every Unity game ships with a predictable set of runtime files: UnityPlayer.dll, UnityCrashHandler64.exe, and various data folders. Crab Game is an ideal target for this technique because it is a free-to-play title with a substantial player base, making it plausible for a FiveM player to also have it installed, and because its Unity version ships with a crash handler that is structurally identical in name to what a bypass author would want to place there.

The attacker replaces the legitimate UnityPlayer.dll with a modified version that contains the bypass payload. The original file is typically backed up or simply discarded. The replacement DLL exports the same functions as the real UnityPlayer to avoid breaking the game's startup sequence, while internally bootstrapping the bypass.

UnityCrashHandler64.exe is repurposed as the activation stub — the binary a user or scheduled task runs to trigger the injection chain. Because the filename is legitimate, it passes a superficial screenshare review where a moderator only checks whether recognizable names are present, without verifying file integrity.

The choice of explorer.exe as the injection target is deliberate. Explorer is always running, it hosts the shell, and many security tools exclude it from scanning to avoid UI disruption. A DLL injected into explorer.exe benefits from the process's long uptime and its exemption from aggressive monitoring in many endpoint configurations.

Screenshare Check Methodology

1

Navigate to Crab Game Install Directory

Ask the player to open Steam, right-click Crab Game, select Manage → Browse Local Files. This opens the install directory. Inspect the file listing — specifically the timestamps of UnityPlayer.dll and UnityCrashHandler64.exe relative to the other game files.

All stock game files should share similar modification timestamps from the last update. Any outlier that is dated after the rest of the directory contents warrants immediate further investigation.

2

Open LastActivityView and Filter for UnityCrashHandler64.exe

Have the player run LastActivityView as administrator. Use the search or filter function to locate any entries referencing UnityCrashHandler64.exe. Record the timestamp and note whether the game was actually running or had just crashed at that moment — cross-reference with Steam play time logs if available.

If the player cannot explain a recent execution of this binary, or if the execution time does not correspond to any known game session, treat this as a confirmed IOC.

3

Inspect explorer.exe Modules in System Informer

Ask the player to open System Informer with administrator privileges. Locate explorer.exe in the process list and open its Properties → Modules tab. Sort by Path to group modules by directory. Any module not originating from C:\Windows\, C:\Program Files\, or a known signed vendor path should be flagged.

Verify the signature column — unsigned or self-signed modules inside explorer.exe are extremely unusual and constitute strong evidence of injection.

4

Run fsutil USN Journal Query

In an administrator Command Prompt, run fsutil usn readjournal C: csv | findstr /i "crab" to extract USN Journal entries referencing the Crab Game directory. Compare the creation timestamps of UnityPlayer.dll in the journal against the directory's other DLL files.

A discrepancy between the journal creation date and the NTFS Last Modified timestamp is a strong indicator of timestamp manipulation. The journal entry is written by the kernel and is significantly more difficult to retroactively alter than file attributes.

5

Verify File Hash Against Known-Good Unity Builds

Right-click UnityPlayer.dll and compute its SHA-256 hash using PowerShell: Get-FileHash "UnityPlayer.dll" -Algorithm SHA256. Cross-reference this hash against the known-good Unity version shipped with Crab Game — the correct hash can be derived from a clean installation or from a reference database.

If the hash does not match the expected value for the installed Unity version, the file has been tampered with. This is the most definitive single check and should be performed whenever any of the prior signals are present.

Detection Notes

The Xytrus masquerade technique is effective precisely because it exploits reviewer complacency — moderators who only check that filenames "look right" will not catch it. The detection methodology above requires moving beyond name recognition to timestamp analysis, hash verification, and live process inspection.

Note that the explorer.exe injection may persist across reboots if the bypass installs a Run key or scheduled task to re-trigger UnityCrashHandler64.exe at login. Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run and Task Scheduler for entries referencing the Crab Game directory.

Steam Integrity Check (right-click game → Properties → Local Files → Verify integrity) will detect the modified UnityPlayer.dll and re-download the original, but this also destroys the forensic artefact. If preservation for evidence purposes is needed, hash and copy the files before running verification.

Server administrators should treat any player who has Crab Game installed and cannot account for a recent execution of UnityCrashHandler64.exe as a high-priority review candidate. The combination of unexplained execution history and any anomaly in the explorer.exe module list is sufficient justification for a ban pending further investigation.