Bypass Record

Rootkit × Faceit Anti-Cheat

A publicly-reported instance of Rootkit bypassing Faceit Anti-Cheat, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Faceit Anti-Cheat

Technique

Rootkit

MITRE ATT&CK

T1014

Confidence

Medium

Severity

High

Status

poc

Disclosed

2025-05-21

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-05-21 · original source · via exa

Reported as

tool that allegedly bypasses Faceit Anti-Cheat by masking input macros and external overlays

Mechanism

Uses layered virtualization and process masking to cloak external overlays and input macros, preventing Faceit AC from detecting them. Includes delay-based timing patches and automatic injection prevention to avoid detection.

Detection & mitigation

Monitor for unexpected virtualization layer indicators (e.g., hypervisor presence, VM artifacts) on gaming endpoints and use integrity checks on anti-cheat components to detect tampering. Enforce kernel-level anti-cheat hardening and behavioral analysis to identify cloaked processes or input anomalies.

Rootkit has also been recorded against

Avast AVG Avira Elastic HitmanPro Kaspersky Microsoft Valve

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.