TamperedChef within the GTA V/FiveM modding community

17/04/2026 · ~14 min read
Tags: tamperedchef, malware analysis, evilai, signed, evasion, electron, nodejs
Sponsored By Hudson Rock

Hudson Rock offers free cybercrime intelligence (including infostealer intelligence). Thanks to their support I can spend more time creating valuable content.

Introduction to ModsHub (formerly FiveMods)

ModsHub (modshub.io) was previously called FiveMods (fivemods.io now redirects to modshub.io as well). It is an all-in-one mod manager for the game FiveM.

FiveM is a multiplayer modification framework for GTA V, which allows you to play on customized and dedicated servers with other players.

ModsHub has its headquarters in Estonia - a business called OPENCORE OÜ whose primary shareholder is a Ukrainian individual, Danylo Babenko. This name will play a significant role eventually, so keep it in mind. The WHOIS data of the domains recognized as, or used directly by, ModsHub is unfortunately not public. Their software, Discord and YouTube promotions do not look like they target Russian-speaking people, unlike Network Graphics.

ModsHub is quite a large platform. As of today, they have over 232K users on Discord. Surprisingly, this number is at least partially real - the chat and support channels are constantly active with users typing and talking about the software. Those users were almost certainly not bots. One of the owners claimed over 1.2 million users, but we aren't able to confirm that - this number was likely collected through telemetry during use of their software.

It has some userbase on YouTube as well:


Introduction to Network Graphics

Network Graphics (ntw.graphics) is, coincidentally, also an "All Mods In One" application, as their website puts it, for GTA 5 roleplay servers. The difference in functionality is that Network Graphics claims it does not work on FiveM servers.

Unlike FiveMods, this one seems to be tied to a personal data operator according to its privacy policy - an individual called Kulikov Roman Vladimirovich from Russia. Their user agreement also states:

1.1. This document is a public offer (hereinafter referred to as the Offer) within the meaning of Article 437 of the Civil Code of the Russian Federation and defines the terms of use of the service available at: https://ntw.graphics (hereinafter referred to as the Service), as well as the terms of provision of paid functions of the Network Graphics application.
1.2. The Contractor offers any legally capable individual (hereinafter referred to as the User) to conclude an agreement on the terms of this Offer.
1.3. The agreement is considered concluded from the moment of acceptance of the Offer by the User (Article 438 of the Civil Code of the Russian Federation).

3 out of 6 of their domains were also identified as registered through the Russian registrar REGRU. Their promotional campaigns seem to be targeted more at Russian-speaking users.

Their YouTube channel @ntwgraphics posts videos with both English and Russian titles. The Network Graphics Discord server offers both RU and EN versions of its channels, and most of the activity happens in the RU channels.


Context to ModsHub and NTW Graphics

Initial light was shed on this sample by the user u/Next-Profession-7495 on Reddit in the post Malware Analysis: NetworkGraphicsSetup.exe (Trojanized Node.js App). While the thread contained several objectively incorrect claims in its threat report, and I did not see in it the actual threat that I see now, it was still a great discovery.

Struppigel (malware researcher at G DATA) then confirmed that the sample indeed matches the patterns of AppSuites, a backdoored PDF editor. For those, see the article AppSuite PDF Editor Backdoor: A Detailed Technical Analysis by G DATA, written by Karsten Hahn (Struppigel) and Louis Sorita.

Shortly after, the certificate for Danylo Babenko that was used by both Network Graphics and FiveMods (now ModsHub) was revoked.

I have had both ModsHub and NTW Graphics on my watch, and during the 2 months after the initial Reddit post a lot has actually changed. I have reported both domains as malware payload delivery sources, along with the domains they reach out to.

Not only did they get their previously revoked Danylo Babenko certificate back:

  • Network Graphics seems to have rebuilt their infrastructure: On the right, the previous version's configuration; on the left, the current up-to-date configuration of Network Graphics

    • Because the domain https://ntw.graphics (8/95) with api.ntw.graphics (13/94) was slowly becoming known to security and antivirus vendors, they rebuilt their infrastructure with new domains, new installers and updated software variants to avoid detection:

      • I have confirmed that the mainHost, extraHosts and other important endpoints have changed, except https://ntw.graphics/app-reserve, which is supposed to redirect to the new C2 server.
      • A new software variant was released; the Discord chat saw a wave of users complaining that the website and software no longer worked - this forced them to download a new version, which was already adapted to the new infrastructure: Users complaining on the official Discord server of Network Graphics

      • Many new extraHosts. Instead of 1 in the previous version, the new version has a total of 4 extraHosts: ntw.graphics itself and 3 other .ru domains that are undetected on VirusTotal. It seems like they are preparing for the possibility of having to swap to an extraHost eventually.


Antivirus recognitions

  • fivemods.io VirusTotal (5/95)
  • modshub.io VirusTotal (13/94)


TamperedChef patterns for ModsHub:

As mentioned previously, ModsHub and especially Network Graphics behave similarly to samples that fall under TamperedChef.

Note: The same deobfuscation process was applied to this variant. The reverse engineering process was described in a previous report, Reverse engineering - Obtaining unobfuscated source code from Electron malware delivered via NSIS installer.

ModsHubSetup.exe - 0c934d4d04bbbd163e8a43eee5db54d80a8578753f0c5a1884c3bca9e9355217

Inspected file: ModsHubSetup\$PLUGINSDIR\app-64\resources\app\packages\main\dist\index.cjs

NOTE: This documents only its malicious behaviour and patterns. For persistency, for example, you may find further persistence mechanisms that are, however, not related to its malicious activity.


Backup URLs

The following function bn():
1. Tries mainHost first
2. If mainHost does not reply, it tries from extraHosts
3. If none in extraHosts reply, it tries from backupHostUrl
4. If backupHostUrl does not reply either, the software breaks

From source code:

  • updateHost: fivemods.app
  • mainHost: fivemods.app
  • extraHosts: fivemods.fun (NXDOMAIN)
  • backupHostUrl: https://fivemods.io/app-reserve
  • homePage: https://fivemods.io/
  • api: https://fivemods.app/api

Extensive logging

The software performs extensive logging of each step and error, and creates a unique identifier for each device.

In const Da = function (t):

  • It uses a regex to find an IP address and MAC address in arp -a output:
    const e = /((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\s+(([0-9a-fA-F]{2}(:|-)){5}[0-9a-fA-F]{2})/iu;

  • It stores the following:

    • In e.user it stores the device's username
    • In e.memory it stores the OS's total memory, converted to GB beforehand
    • In e.hostname it stores the hostname/computer name
    • In e.os it stores information about the operating system
    • In e.cpu it stores the CPU manufacturer and brand
    • In e.motherboard it stores the system's motherboard
    • In e.system_uuid it stores a system UUID
    • In e.graphics it stores the graphics card models
    • In e.arp it stores the ARP list
  • The stored data is sent to the endpoint /user/info
  • The line let i = uuidByString(n, 5); allows it to create a unique identifier

Obfuscated communication with C2

The software obfuscates its communication with its command and control server.

The function F0:

  1. Reverses the text
  2. Adds space after each byte
  3. Reverses the text
  4. Encodes to Base64
  5. Reverses the text

const F0 = t => {
  t = t.split("").reverse().join("");
  let a = "";
  for (var n = new Buffer.from(t, "utf8"), i = 0; i < n.length; i++) {
    a += n[i] + " ";
  }
  t = a.split("").reverse().join("");
  t = Buffer.from(t, "utf8").toString("base64");
  t = t.split("").reverse().join("");
  return t;
};
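To make captured C2 request bodies readable, the following added example (not code from the ModsHub or Network Graphics samples) re-implements the F0 transform above step for step and adds the inverse, f0Decode, which undoes the five steps in reverse order. The sample plaintext is a constructed stand-in for the device information the /user/info collector sends; the field names follow the e.* keys listed above, the values are made up.

```javascript
// Added example: F0 as described above, plus a decoder for analysts.
// Runs under Node.js (Buffer is a Node global); no external packages.

const reverse = s => s.split("").reverse().join("");

// Step-for-step re-implementation of the sample's F0 (ASCII/BMP text only:
// split("") splits surrogate pairs, so the original transform is lossy for
// characters outside the BMP).
function f0Encode(text) {
  const reversed = reverse(text);                        // 1. reverse
  let spaced = "";
  for (const byte of Buffer.from(reversed, "utf8")) {
    spaced += byte + " ";                                // 2. decimal byte + space
  }
  const b64 = Buffer.from(reverse(spaced), "utf8")      // 3. reverse
    .toString("base64");                                 // 4. base64
  return reverse(b64);                                   // 5. reverse
}

// Inverse: reverse, base64-decode, reverse, parse the decimal byte values,
// rebuild the UTF-8 string and reverse once more.
function f0Decode(blob) {
  const spacedReversed = Buffer.from(reverse(blob), "base64").toString("utf8");
  const spaced = reverse(spacedReversed).trim();
  if (spaced === "") return "";                          // empty payload
  const bytes = spaced.split(/\s+/).map(Number);
  if (bytes.some(b => !Number.isInteger(b) || b < 0 || b > 255)) {
    throw new Error("not an F0-encoded payload: token is not a byte value");
  }
  return reverse(Buffer.from(bytes).toString("utf8"));
}

// Constructed sample input (made-up values, e.* field names from the post).
const SAMPLE_PLAINTEXT = JSON.stringify({
  user: "alice", hostname: "DESKTOP-01", memory: 16, os: "Windows 10 Pro"
});

// Stand-alone demo: encode the sample and decode it back.
const DEMO_BLOB = f0Encode(SAMPLE_PLAINTEXT);
console.log("encoded:", DEMO_BLOB);
console.log("decoded:", f0Decode(DEMO_BLOB));
```

Feed f0Decode the raw body string seen in a proxy or sandbox capture; a throw means the body was not produced by this transform.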


Persistency

The scheduled task name is first defined in its config in const d:

  • taskSchedulerDeactivatorTaskName: "\\\"Updater Task FM\\\"",

The function cn() does the following:

  1. If y0 is equal to enable (this seems like a mechanism to check license), it:
    1. Request to endpoint /user/client?mode=enable
    2. Creates a scheduled task via PowerShell (if that fails, it falls back to schtasks.exe) pointing to the execution path (${d.execPath}) with the configuration:
      1. Argument: --task
      2. Every day at 18:00:00
    3. Calls function Kx(), which does the following:
      1. Uses the Electron app.getLoginItemSettings() to run it persistently with the following:
        1. openAtLogin: true,
        2. openAsHidden: true,
        3. name: "ModsHub",
        4. args: ["--autostart"]
        5. Note: This should be equivalent to putting it in registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IMPORTANT: The registry persistence mechanism created by Kx() is not removed once the user's license is invalid.

The arguments --task and --autostart cause it to start headless (hidden).


Update function

ModsHub also has an update function. This update is triggered every time the splash screen is loading.

The function Ua() does the following:

  1. Checks for existence of file ${d.roamingAppPath}\\mods_engine\\Mods Engine.exe
    1. If it exists, compares its local version with the version on the C2 server
      1. If it does not exist or is outdated, it downloads it from the provided C2 server

The function bn() also updates the software, but safely, via the electronUpdater function.

This could be considered the biggest problem, because your safety primarily depends on which executable the admins decide to push next. In one case with Network Graphics, we have seen a mandatory update that migrated its infrastructure to different domains.

Because of the patterns and similarities to other previously discovered malware falling under TamperedChef, it should at minimum be classified as Riskware due to its potential for abuse.


Network Graphics variant

NetworkGraphicsSetup.exe - 771f584f5f88c2b7eced07448e912ffc426bfb962ffe7748fd9b4c1d1c067ebc

Some variants connecting to Network Graphics C2s have different signers, but those were not properly analysed, and whether they are malicious or benign is unknown; they serve more as information on which other certificates were possibly abused.

It is important to note that these were also found to be much older (ranging from 2021 to 2024) than the samples signed by Danylo Babenko.

The URL vrp.network (VirusTotal), which was frequently contacted by the different-signer setups, was also identified as a redirect to ntw.graphics.


Configuration according to const _:

The default language here is set to ru: defaultLanguage: "ru",

  • mainHost: api.networkgraphics.app
  • extraHosts: ["ntw.graphics", "networkgraphics.ru", "graphicsnetwork.ru", "ntwgraphics.ru"]
  • homePage: https://ntw.graphics/
  • backupHostUrl: https://ntw.graphics/app-reserve
  • api: https://api.networkgraphics.app/api
  • ntwGroup: https://ntw.group/
  • flagsApiUrl: https://flags.ntw.group
  • wsHost: wss://api.networkgraphics.app

Antivirus recognitions


Why are we confident in ModsHub being associated with Network Graphics?

This variant is considered to be a different, more capable version created by the owners of ModsHub because:

  • Code similarities

    • Identical C2 communication obfuscation: Comparison of C2 communication obfuscation between Network Graphics (left) and ModsHub (right)

    • Identical persistency mechanism: Comparison of persistency mechanism between Network Graphics (left) and ModsHub (right)

    • Identical data collection mechanism: Comparison of extensive logging done by Network Graphics on the left and ModsHub on the right

    • ... And many more actual 1:1 reconstructions of code

    • Same signer (Danylo Babenko): Same signature verified by Sysinternals Sigcheck for "Danylo Babenko"
  • Abuses the same techniques described in this report


Primary differences between Network Graphics and ModsHub

They are two completely different pieces of software as far as their legitimate features go. But let's talk about the malicious ones:

Unlike ModsHub, Network Graphics contains the following additional malicious components:

  • Allows WebSockets connection to their C2 (wss://api.networkgraphics.app) via function Dt()
  • Contains Flipt integration to enable/disable functions remotely through feature flags via functions Nt(), ee(), Et()
  • Stricter user profile validation - uses Zod
  • Allows Telegram integration (ModsHub only allows Discord) -> allows them to associate the Telegram ID, username, first name, last name and language code with a specific UUID

Conclusion

Both ModsHub and Network Graphics fall at minimum under riskware. Strangely, the two variants are not managed by the same person, even though they share plenty of undeniable similarity patterns - the same signer (Danylo Babenko), identical C2 communication, persistence mechanism, data collection and various code parts used by both ModsHub and Network Graphics. Both of them have several backup URLs as well. All these patterns are associated with the behaviour of typical malware falling under TamperedChef.

Network Graphics has recently swapped to a complete new domain and API infrastructure with minor updates to the actual software after it gained more negative recognition on VirusTotal and other reputation websites. This was very likely done in order to evade detection after several large AV vendors added it to their database - G DATA, Kaspersky, BitDefender and Malwarebytes.

ModsHub (formerly FiveMods) has been renamed and has also changed parts of its code to match its new name, successfully evading at least the few detections and recognition it previously had. Unfortunately, it did not work out too well, and their ModsHub.io domain is sitting at a 10/94 detection ratio on VirusTotal.


IoC

Note: Only IoCs directly associated with the samples we are confident are malicious will be listed here. Samples where we aren't confident (e.g. the ones with a different signer) won't be listed in this section.

Files:

Filename - SHA256 hash - Description (each entry has a VirusTotal link):

  • NetworkGraphicsSetup.exe - 771f584f5f88c2b7eced07448e912ffc426bfb962ffe7748fd9b4c1d1c067ebc - Newest Network Graphics installer obtained from ntw.graphics (VT Link)
  • ModsHubSetup.exe - 0c934d4d04bbbd163e8a43eee5db54d80a8578753f0c5a1884c3bca9e9355217 - Newest ModsHub installer obtained from modshub.io (VT Link)
  • NetworkGraphicsSetup.exe - 2b2937df3e5ae5465058b45ddaf6e46432613fa5ac678d4d64a8daf0c2f56bfc - Older version of Network Graphics used to compare configuration differences, obtained previously from ntw.graphics (VT Link)

URLs:

URL - Description:

  • https://ntw.graphics - Initial old Network Graphics variant delivery; backup extraHost listed in configuration
  • https://modshub.io - Initial ModsHub variant delivery
  • https://ntwgraphics.com - New infrastructure Network Graphics variant delivery
  • https://networkgraphics.app - Redirect to old infrastructure Network Graphics variant delivery
  • https://api.networkgraphics.app - Network Graphics main API
  • https://networkgraphics.ru - New infrastructure backup extraHost listed in configuration
  • https://graphicsnetwork.ru - New infrastructure backup extraHost listed in configuration
  • https://ntwgraphics.ru - New infrastructure backup extraHost listed in configuration
  • https://ntw.graphics/app-reserve - Endpoint to retrieve a new possible mainHost as a last resort
  • https://ntw.group - "About us" type website
  • https://fivemods.app - Classified as updateHost in the newest ModsHub variant; redirects to Google; ModsHub API
  • https://fivemods.fun - Backup host listed in extraHosts in configuration (NXDOMAIN)
  • https://fivemods.io/app-reserve - Endpoint to retrieve a new possible mainHost as a last resort
  • https://fivemods.io - Old name of ModsHub; now redirects to modshub.io

  • Update 03/06/2026: The owners of both pieces of software, and of another piece of software that falls under this family, have reached out and worked out fixes for some of the concerns listed in this article. Still, poor business and security practices occurred and are undeniably suspicious, even though they had answers for everything during our email communication. This is considered suspicious/riskware but not necessarily malicious, as the analysis is based on patterns, suspicious certificate usage and the non-disclosure of necessary information about the software.

Thanks for reading! 👀