Malware Analysis TamperedChef within GTA V/FiveM mods report - ModsHub / Network Graphics

rifteyy (Thread author), Nov 12, 2025
This is ModsHub (formerly FiveMods) - a GTA V/FiveM software claiming to have over 1.2 million active users. It falls under the family TamperedChef.

It shares similarities with previous TC-classified software - e.g. it collects a lot of system user data, provides extensive logging, various backup domains, obfuscated C2 communication and a scheduled task set to autorun every day at 18:00 with a custom argument.

We have also discovered a more capable variant (which does not fall under the same business/network) called Network Graphics, which includes, for example, a WebSocket connection and shares undeniable similarities with ModsHub: the code, technical functionality, behaviour and code signer (Danylo Babenko) are all almost identical.

Full report: TamperedChef's within GTA V/FiveM modding community
That report raises several legitimate concerns, but based on your description alone I would be careful about making a definitive malware verdict.

What stands out technically

  • Extensive system data collection can be a privacy red flag, especially if it goes beyond what the software reasonably needs.
  • Obfuscated command-and-control style communication and backup domains are also concerning, because they reduce transparency and can support remote control or tracking.
  • A scheduled task with a fixed autorun time and custom arguments suggests persistence behavior, which deserves scrutiny.
  • Strong code and infrastructure similarities between separate projects can indicate shared development, reused components, or a common operator, but that still does not automatically prove identical intent.

Important distinction

“Suspicious” and “confirmed malicious” are not always the same thing.

Some game modding tools, cheat loaders, launchers, and DRM-heavy utilities use aggressive persistence, telemetry, or obfuscation that looks very bad from a security perspective. That does not excuse it, but it does mean classification should be based on verifiable behavior such as:

  • Unauthorized data exfiltration
  • Credential theft
  • Remote execution
  • Payload delivery
  • System changes beyond disclosed functionality

Practical security view

Even without a final malware label, software showing the behaviors you listed should generally be treated as high-risk.

A cautious response would be:

  • Do not run it on a main system
  • Use an isolated VM or test machine if analysis is necessary
  • Check scheduled tasks, startup entries, services, and outbound connections
  • Upload samples to VirusTotal for broader vendor visibility
  • Compare network indicators, certificates, signer details, and infrastructure reuse across both variants

On the signer similarity

The repeated appearance of the same code signer is definitely noteworthy, but signer trust should not be overestimated. A valid signature only confirms that a certificate was used to sign the file, not that the software is safe.

Bottom line

From a security-first perspective, the behavior you described is enough to justify strong caution and deeper analysis. It supports calling the software suspicious or potentially unwanted at minimum, but a firm malware designation should rest on clearly documented malicious actions rather than similarity alone.

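The triage steps listed in the reply (check scheduled tasks, startup entries and outbound connections, then compare signer details across everything found) can be turned into a repeatable script for the isolated analysis VM. The PowerShell below is an added example, not code from the thread or from the report it links; it only uses built-in cmdlets (Get-ScheduledTask, Get-AuthenticodeSignature, Get-NetTCPConnection, Get-ItemProperty), and the function names, the 18:00 default and the Run-key list are this example's own choices. It deliberately records the task's arguments and the signing subject rather than deciding "malicious", which matches the reply's point that a signature proves who signed, not that the software is safe.

```powershell
# Added triage example (not from the thread or the linked report): enumerate daily scheduled tasks
# firing at a given hour, Run-key autostarts and established outbound TCP connections, and resolve
# the Authenticode signer of every executable involved so signer reuse can be pivoted on.
# Function names and the 18:00 default are assumptions of this example. Run as administrator on the
# analysis VM so HKLM Run keys and every task path are visible.

function Get-SignerSummary {
    param([string]$Path)
    # Task actions and Run values often carry quotes and %VARS%; normalise before probing
    $resolved = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $resolved)) {
        return [pscustomobject]@{ Path = $resolved; Status = 'FileNotFound'; Signer = $null; Thumbprint = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    [pscustomobject]@{
        Path       = $resolved
        Status     = $sig.Status                    # Valid / NotSigned / HashMismatch / ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

function Find-DailyTaskAt {
    # Daily triggers whose start time-of-day matches (default 18:00, as described in the post)
    param([int]$Hour = 18, [int]$Minute = 0)
    foreach ($task in Get-ScheduledTask) {
        foreach ($trig in $task.Triggers) {
            if ($trig.CimClass.CimClassName -ne 'MSFT_TaskDailyTrigger') { continue }
            if (-not $trig.StartBoundary) { continue }
            $start = [datetime]::Parse($trig.StartBoundary)      # ISO 8601 text, e.g. 2025-11-12T18:00:00
            if ($start.Hour -ne $Hour -or $start.Minute -ne $Minute) { continue }
            foreach ($act in $task.Actions) {
                if (-not $act.Execute) { continue }              # skip COM-handler / non-exec actions
                $sig = Get-SignerSummary -Path $act.Execute
                [pscustomobject]@{
                    Task       = "$($task.TaskPath)$($task.TaskName)"
                    RunAs      = $task.Principal.UserId
                    Executable = $sig.Path
                    Arguments  = $act.Arguments                 # the "custom argument" to record verbatim
                    SigStatus  = $sig.Status
                    Signer     = $sig.Signer
                }
            }
        }
    }
}

function Get-RunKeyEntries {
    # Common per-user and machine-wide autostart keys (list is this example's own choice)
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }               # PSPath/PSParentPath metadata, not values
            # Values look like  "C:\dir\app.exe" --flag  or  C:\dir\app.exe --flag ; keep the executable part
            $exe = if ($p.Value -match '^"([^"]+)"') { $Matches[1] } else { ($p.Value -split ' ')[0] }
            $sig = Get-SignerSummary -Path $exe
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value; SigStatus = $sig.Status; Signer = $sig.Signer }
        }
    }
}

function Get-OutboundBySigner {
    # Established TCP connections with the owning process and that binary's signer
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $sig  = if ($proc -and $proc.Path) { Get-SignerSummary -Path $proc.Path } else { $null }
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $_.OwningProcess
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                SigStatus = $sig.Status
                Signer    = $sig.Signer
            }
        }
}

# Usage on the analysis VM
Find-DailyTaskAt -Hour 18 | Format-Table -AutoSize
Get-RunKeyEntries         | Format-Table -AutoSize
Get-OutboundBySigner      | Format-Table -AutoSize

# Pivot: which signing subjects recur across tasks, autostarts and live connections
$all = @(Find-DailyTaskAt -Hour 18) + @(Get-RunKeyEntries) + @(Get-OutboundBySigner)
$all | Where-Object Signer | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The final pivot is the useful part for the signer question raised in the thread: a subject that shows up on a daily task, a Run entry and an active outbound connection at once is exactly the infrastructure-reuse signal the reply suggests comparing across both variants, and Get-SignerSummary reporting Valid for all of them changes nothing about that assessment.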