mediumStealer

StarDev's ACE-Tray Rootkit: A Chinese Cheat-as-a-Service Operation Running Dual Kernel Drivers Since 2016

InvestigatedMarch 16, 2026PublishedMarch 16, 2026

stealersocial-engineeringc2apt

Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-15

TL;DR

A 6.4 MB dropper packed behind Safengine Shielden v2.3.9.0 and VMProtect double-layer commercial protection contains six embedded PE binaries -- including two kernel-mode drivers (x86 WDF and x64 VMProtect-wrapped), a .NET 4.0 RAT/infostealer with AES-encrypted C2 (key: glQoU1huBua0WywyDaLemEY18KZ3), a process injector using WriteProcessMemory + CreateRemoteThread, an input emulation DLL for game cheat delivery, and an NT named port IPC bridge for kernel-to-user communication. The entire package masquerades as Tencent's ACE (Anti-Cheat Expert) system via an ACE-Tray.exe system tray process, communicates with a C2 at 106.52.51.128 (Tencent Cloud, Beijing) encoded with a subtract-6 Caesar cipher, uses WMI BaseBoard SerialNumber fingerprinting for license enforcement, and operates as a subscription-based rootkit-as-a-service platform by the "StarDev" brand with compile timestamps spanning 2016 to 2025 -- a decade of continuous development.

The Big Picture: When Your Aimbot Is Also a RAT

This is not a game cheat. It is dressed like one, sold like one, and the users who download it believe it is one. But behind the subscription login screen and the mouse emulation DLL sits a complete remote access trojan with keylogging, screen capture, clipboard theft, and file exfiltration capabilities -- all running under the cover of kernel-mode drivers that give the operator ring-0 access to the victim's machine.

The sample (program.exe, SHA-256: 4c3cd771f427cb7bb6319313710af43e464e4227e007296961e3fd6877ed4027) surfaced on March 15, 2026. What makes it noteworthy is not any single capability but the layered operational maturity. Component compile timestamps span 2016 to 2025. The kernel drivers predate the outer dropper by years. Two commercial packing tools -- Safengine Shielden and VMProtect -- protect the payload at different layers, with VMProtect reserved for the crown jewels: the kernel drivers and input emulation logic. A dedicated C2 on Tencent Cloud Beijing provides domestic Chinese infrastructure that foreign law enforcement cannot easily act against.

This is a subscription business with kernel engineering, multi-architecture driver support, encoded C2 communications, hardware-based license enforcement, and a decade of iterative development. The operator -- self-branded as "StarDev" -- is running a rootkit-as-a-service platform for the Chinese gaming cheat market, and every subscriber is also an unwitting victim.

The Dropper: Safengine Shielden + Six Embedded PEs

The outer binary is an NSIS-style installer protected by Safengine Shielden v2.3.9.0, a commercial packer popular in the Chinese malware ecosystem. Safengine provides anti-debug, anti-dump, code virtualization, and import table reconstruction -- a significant barrier to static analysis. The section layout reveals the Shielden structure immediately:

Section	Purpose
`.nsp0`	Shielden loader stub
`.nsp1`	Compressed/encrypted payload body
`.nsp2`	Auxiliary data
`.imports`	Runtime IAT reconstruction

The .nsp0/.nsp1/.nsp2 section naming convention is Shielden's fingerprint. Any PE exhibiting all three sections is either protected by Safengine or deliberately mimicking it.

A PDB path leaked in the binary reveals the build environment:

F:\Code\Leadwerks-Template-master\Source\Get\x64\Release\Get.pdb

Leadwerks is a legitimate 3D game engine. The template project is being used as a build scaffold -- a shell to produce a valid PE binary with game-engine imports that looks innocuous at first glance. The real payload is six PE files unpacked from the Shielden container at runtime. Two of those PEs carry an additional layer of VMProtect -- the author applies the most expensive protection to the components that matter most.

Embedded PE Inventory

+------+--------+-------+------------------------------------------+-------------+
|  PE  |  Arch  | Prot  |  Purpose                                 | Compile Era |
+------+--------+-------+------------------------------------------+-------------+
|  PE1 |  x64   |  WDF  |  Kernel driver (WDF framework)           |    2018     |
|  PE2 |  x86   |  --   |  ACE main DLL (system tray, C2, UI)      |    2025     |
|  PE3 |  x86   |  VMP  |  StarDev input emulation (mouse/kbd)     |    ----     |
|  PE4 |  x64   |  VMP  |  Raw NT kernel driver (MDL memory map)   |    2016     |
|  PE5 |  x64   |  --   |  Process injector (CreateRemoteThread)   |    ----     |
|  PE6 |  x64   |  --   |  NT named port IPC bridge                |    ----     |
+------+--------+-------+------------------------------------------+-------------+
|  .NET module  |  --   |  RAT/infostealer (AES C2, keylog, exfil) |    ----     |
+------+--------+-------+------------------------------------------+-------------+

The architecture split is deliberate. x86 components handle user-mode operations (tray UI, input emulation), while x64 components handle kernel-mode operations and process injection. This is a mature, modular design.

Kernel Architecture: Two Drivers, Two Eras

The rootkit deploys two kernel-mode drivers targeting Windows systems. Their compile timestamps are years apart, suggesting either reuse of commercially licensed components or a long-running internal development pipeline. Both are critical to the operation: they provide the ring-0 memory access that makes the cheat undetectable by user-mode anti-cheat systems and simultaneously enable the covert surveillance capabilities of the .NET RAT.

PE1 -- WDF Kernel Driver (2018)

Built against the Windows Driver Framework. Signed with a WDK test certificate (serial: 1291184732425754330, CN: WDKTestCert Administrator). This certificate will not pass Driver Signature Enforcement on a default Windows 10/11 installation -- but the target demographic is gamers, and a surprising number of gaming machines run with test signing mode enabled (either for custom driver support or specifically to enable cheat tools). The driver instructions that come with cheat services routinely include bcdedit /set testsigning on.

Key kernel imports:

ExAllocatePoolWithTag    -- kernel pool allocation
ZwQuerySystemInformation -- system info queries (process/module hiding)
ProbeForRead             -- user-mode buffer validation
WdfVersionBind           -- WDF framework binding (WDFLDR.SYS)

The ZwQuerySystemInformation import is the tell. This API is the standard hook point for hiding processes, threads, and loaded modules from user-mode enumeration. When anti-cheat software calls NtQuerySystemInformation to list running processes, the hooked version returns a filtered list with StarDev components removed.

PE4 -- Raw NT Kernel Driver (2016)

The older, more dangerous driver. Bypasses WDF entirely and calls raw NT kernel APIs directly. VMProtect-wrapped, which tells you the author considers this component the crown jewel of the operation.

ExAllocatePool                 -- kernel pool allocation (legacy, no tag)
NtQuerySystemInformation       -- intercept/modify system information
IoAllocateMdl                  -- MDL allocation for memory mapping
MmProbeAndLockPages            -- lock user pages into kernel memory
MmMapLockedPagesSpecifyCache   -- map locked pages into address space
MmUnlockPages                  -- unlock pages post-operation
HalMakeBeep                    -- hardware beep (timing/signaling?)

The MDL manipulation chain is the real payload:

IoAllocateMdl
    |
    v
MmProbeAndLockPages
    |
    v
MmMapLockedPagesSpecifyCache
    |
    v
[direct read/write to mapped game memory]
    |
    v
MmUnlockPages

This is direct physical memory mapping. The driver can map any game process's virtual memory pages into kernel address space, read and write them without triggering user-mode anti-cheat hooks, copy-on-write protections, or VAD (Virtual Address Descriptor) monitoring. From the perspective of a game's anti-cheat system running in user mode, nothing happened -- the modification occurred entirely above its privilege level.

The HalMakeBeep import is unusual for a rootkit. HAL (Hardware Abstraction Layer) calls execute at DISPATCH_LEVEL or higher, which provides a covert timing mechanism that cannot be intercepted by user-mode instrumentation. It may serve as a synchronization primitive between the kernel driver and user-mode components, or as a signal that a particular memory operation completed. Alternatively, it could be a debug artifact from development that was never removed.

Together, these two drivers provide: ring-0 read/write access to any process on the system; NtQuerySystemInformation interception to hide processes and modules from anti-cheat scanners; and a communication channel to user-mode components via NT named ports.

The .NET RAT Nobody Expected

Buried at offset 0x21048B in the raw binary sits a .NET Framework 4.0 assembly that goes well beyond game cheating. This is a full-featured remote access trojan with infostealer capabilities. Users downloading what they believe is an aimbot are simultaneously installing a comprehensive surveillance tool.

Capability Matrix

Capability	Implementation	Evidence
Encrypted HTTP C2	HTTPS with SSL certificate bypass	`HttpWebRequest`, `ServicePointManager`
AES-256 encryption	PBKDF2 key derivation	`CreateEncryptor`, `Rfc2898DeriveBytes`
HMAC authentication	Channel integrity verification	`HMACSHA1`
Keylogging	Win32 input hooks	`SendKeys`, `SendInput`, `user32.dll`
Screen capture	GDI+ desktop capture	`GetDesktopWindow`, `BitBlt`, `CreateCompatibleDC`
Clipboard theft	File drop and text interception	`ContainsFileDropList`, `Clipboard`
Registry persistence	Run key / service creation	`RegistryKey`, `OpenBaseKey`, `CreateSubKey`
File exfiltration	Recursive directory enumeration	`GetFiles`, `GetDirectories`, `FileStream`
Data compression	GZip transit compression	`GZipStream`
Embedded payloads	Resource-based payload extraction	`GetManifestResourceStream`

Encryption Protocol

An embedded encryption key was recovered from the assembly:

glQoU1huBua0WywyDaLemEY18KZ3

Base64-decoded: 82542853586e06e6b45b2c320da2de984635f0a677 (21 bytes). This value is passed to Rfc2898DeriveBytes (PBKDF2) for AES key derivation. The derived key encrypts all C2 traffic. HMAC-SHA1 provides message authentication on top of the AES layer, preventing tampering with C2 commands in transit.

The SSL bypass via ServicePointManager means the RAT will connect to the C2 even if the server presents an invalid, self-signed, or expired certificate. This is standard for malware C2 that needs to operate through corporate HTTPS inspection proxies.

The Dual-Purpose Problem

This transforms the "game cheat tool" narrative entirely. The subscription model provides plausible deniability -- "it's just a cheat service" -- while the .NET module silently harvests everything on the machine. Every keystroke. Every screen. Every file the operator decides to pull. And because the cheat requires elevated privileges and kernel driver installation to function, the RAT inherits those privileges automatically. The user grants root access willingly, believing they are enabling an aimbot.

The cheat functionality is real. The kernel drivers do provide the memory access needed for game manipulation. The input emulation DLL does inject mouse movements below the anti-cheat detection layer. But none of that requires a keylogger, screen capture, or file exfiltration module. Those capabilities exist solely for the operator's benefit.

Process Injection and Input Emulation

PE5 -- The Process Injector

Classic but effective. PE5 enumerates running processes via CreateToolhelp32Snapshot, identifies game targets by process name, and injects code using the textbook chain:

CreateToolhelp32Snapshot   -- enumerate all processes
    |
    v
Process32First/Next        -- walk process list, match target
    |
    v
OpenProcess                -- obtain handle to game process
    |
    v
VirtualAllocEx             -- allocate memory in target (PAGE_EXECUTE_READWRITE)
    |
    v
WriteProcessMemory         -- write payload shellcode/DLL
    |
    v
CreateRemoteThread         -- execute injected code in game context

The UAC manifest embedded in PE5 requests highestAvailable -- this means on a default Windows administrator account (which most gamers run), the process silently receives elevated privileges without triggering a UAC prompt. Combined with the privilege escalation commands the dropper fires before injection:

cmd /c takeown /f <target_path>
cmd /c icacls <target_path> /e /t /p Everyone:F
cmd /c cacls.exe <target_path> /e /t /g Everyone:F

These commands seize ownership of protected files and grant full permissions. The takeown + icacls/cacls combination is a standard privilege escalation pattern used to bypass file ACLs on system-protected directories. Defenders should alert on any process running this sequence outside of legitimate system administration contexts.

PE3 -- StarDev Input Emulation

The actual cheat delivery mechanism. VMProtect-protected (the author values this component's secrecy), PE3 exports three functions that constitute the cheat's user-facing capability:

kbb_mouse_relative   -- relative mouse movement (aimbot tracking)
kmouse_event         -- mouse button event injection (auto-fire)
kmouse_move          -- absolute mouse movement (snap-to-target)

These exports route through npdll.dll (a companion StarDev library) and ultimately through the kernel drivers, injecting mouse and keyboard inputs below the Windows input stack. The injection occurs at the kernel level via the MDL-mapped memory access in PE4, meaning user-mode anti-cheat hooks on SendInput, mouse_event, and the Windows message queue never see the synthetic inputs.

This is the technical moat that justifies StarDev's subscription pricing. Script-level cheats that call SendInput or PostMessage are trivially detected by any anti-cheat system. Kernel-level input injection through mapped physical memory requires exactly the kind of dual-driver architecture this rootkit provides.

PE6 -- NT Named Port IPC Bridge

The glue between kernel and user mode. PE6 uses NT named ports -- a low-level IPC mechanism below the Win32 API that legitimate software almost never touches. These are not named pipes. Named ports are an NT kernel-level message-passing mechanism (LPC/ALPC precursors) that operates entirely below the Win32 subsystem:

NtCreatePort              -- create named port object
NtAcceptConnectPort       -- accept incoming connection
NtCompleteConnectPort     -- complete three-way handshake
NtReplyWaitReceivePort    -- receive messages (blocking)

The IsWow64Process check in PE6 allows it to handle both 32-bit and 64-bit game processes, dynamically adjusting the IPC protocol for the target's architecture. The kernel device path \....\TemporaryFile serves as the communication endpoint -- a deliberately generic name that blends into the noise of legitimate system device objects.

This IPC channel serves multiple purposes:

Kernel-to-user data relay: the kernel drivers communicate memory read results and hook status to user-mode components
Command dispatch: user-mode components (the .NET RAT, the input emulation DLL) send requests to the kernel drivers
Synchronization: the port's blocking receive semantics provide a natural synchronization primitive between components running at different privilege levels

The choice of NT named ports over more common IPC mechanisms (named pipes, shared memory sections, IOCTLs) is a deliberate anti-forensics decision. Monitoring tools that hook CreateNamedPipe or DeviceIoControl will miss this communication channel entirely. Only tools that instrument the raw NT system call table would observe the traffic.

C2 Infrastructure

Subtract-6 Caesar Encoding

The C2 IP address is stored in the binary with a byte-level subtract-6 encoding applied to each ASCII character:

Encoded bytes:  7  6  <  4  ;  8  4  ;  7  4  7  8  >
Subtract 6:     1  0  6  .  5  2  .  5  1  .  1  2  8
Decoded IP:     106.52.51.128

This is a trivial cipher, but it defeats two common analysis shortcuts: naive string extraction (the encoded form contains no dots or digits) and YARA rules matching IP address patterns. A secondary 82-byte encoded field (41 decoded bytes after the same cipher) likely contains an authentication token or session key for the C2 protocol.

Server Profile

Field	Value
IP	`106.52.51.128`
Provider	Tencent Cloud
Region	Beijing, China
ASN	AS45090 (TENCENT-NET-AP)
Status at analysis	No open ports detected (offline or filtering)

Hosting on Tencent Cloud is a deliberate infrastructure choice:

Domestic access: Chinese ISPs will not block traffic to Tencent Cloud IPs, ensuring reliable C2 connectivity for the target demographic (Chinese gamers)
Legal barrier: Foreign law enforcement cannot easily serve takedown requests to a Chinese cloud provider
Reputation cover: Tencent Cloud hosts millions of legitimate services; IP-based blocking would cause unacceptable collateral damage
Cost: Tencent Cloud is cheap for low-bandwidth C2 -- the operator is optimizing for operational security, not throughput

At the time of analysis, no open ports were detected on the C2 IP. This could indicate the server is temporarily offline, behind Tencent Cloud's security group filtering (only accepting connections from authenticated clients), or has been rotated to a new IP with the encoded configuration updated in a newer build.

The ACE Masquerade

The malware's persistence mechanism is clever social engineering at the file system level. It drops as ACE-Tray.exe and creates a system tray icon via Shell_NotifyIconA -- mimicking Tencent's legitimate Anti-Cheat Expert (ACE) system. ACE is the anti-cheat framework used by Tencent's games (PUBG Mobile, Honor of Kings, CrossFire, and dozens of others). Millions of Chinese gamers have the real ACE process running in their system tray at all times. An extra process with the right name and a tray icon? Nobody blinks.

The subscription model reinforces the masquerade. Chinese UI strings extracted from the binary reveal the business logic:

Chinese	English	Purpose
请输入您的登陆卡号	Please enter your login card number	Authentication
链接服务器失败！	Failed to connect to server!	C2 error handling
版本已更新，请使用新版本！	Version updated, use new version!	Update enforcement
鼠标驱动安装失败！	Mouse driver installation failed!	Driver load error
软件公告	Software announcement	Update/news channel

The "card number" authentication model is standard in Chinese black-market cheat services. Users purchase time-limited access codes ("cards") from the operator's distribution network -- typically QQ groups, Taobao listings, or dedicated storefronts. The USERBASE1.DAT file stored at C:\ serves as the local user database, tracking active subscriptions and license state.

Hardware Fingerprinting

The dropper queries Win32_BaseBoard via WMI to retrieve the motherboard serial number:

SELECT SerialNumber FROM Win32_BaseBoard

This serves as a hardware fingerprint for license enforcement. Each subscription "card" is bound to a specific machine. If a user tries to use the same card on a different machine, the serial number mismatch causes authentication failure. This prevents card sharing and resale -- standard DRM for a criminal enterprise.

Attribution: StarDev

Attribute	Assessment
Name	StarDev (self-branded in PE3 exports)
Language	Simplified Chinese (GBK/CP936 encoding)
Motivation	Financial -- subscription cheat service with embedded surveillance
Operating model	Rootkit-as-a-Service / Cheat-as-a-Service
Sophistication	High -- kernel engineering, commercial packers, multi-arch support
Active since	At least 2016 (PE4 compile timestamp)
Infrastructure	Tencent Cloud, Beijing
Target market	Chinese online gaming community

Development Timeline

Year	Evidence
2016	PE4 raw NT kernel driver compile timestamp
2018	PE1 WDF kernel driver compile timestamp
2025	PE2 main DLL compile timestamp (2025-06-10)
2025	Outer dropper compile timestamp (2025-06-10)
2026	Sample surfaced in the wild (2026-03-15)

The kernel drivers predate the outer dropper by years. This suggests either: (a) the drivers were commercially licensed from another developer and wrapped into the StarDev package, or (b) StarDev has been developing kernel components since 2016 and only recently updated the user-mode dropper and DLL components.

The development environment points to a dedicated operation: the F:\ drive path (a secondary drive, not the system drive), the Leadwerks game engine template (a legitimate game development scaffold), a Safengine Shielden commercial license (contact: shielden_user@safengine.com), and a VMProtect commercial license. These are paid tools. This is a business, not a hobby.

Indicators of Compromise

File Hashes

Hash	Type	Description
`4c3cd771f427cb7bb6319313710af43e464e4227e007296961e3fd6877ed4027`	SHA-256	Main dropper (program.exe)
`57b317db73c66b45fa8e7a4081ed4e3e`	MD5	Main dropper
`71d1ea770a67f51d3c2d0469c6ceec1872a7d3bd`	SHA-1	Main dropper
`cf150b20eeefa581629700e5fb1a2c21a2938826316339a2fd798fa65d26141e`	SHA-256	PE1 -- x64 WDF kernel driver
`d9512c76e988ac703c57a04367ff646f83071d21bbe3f2aa5900a23ea678843b`	SHA-256	PE2 -- x86 ACE main DLL
`c495a028ee6a7a3bca32c6e501a5cf1cd25a9b57cc2b3f42d371cadd3ce0a5c5`	SHA-256	PE3 -- x86 StarDev input emulation DLL
`1af3b0a5b18a25db0589731064554bd7e6a24677b3f1c213eaddfb23548a95cc`	SHA-256	PE4 -- x64 kernel driver (VMProtect)
`169b18f3e7823a38bf2adb3cacf6dceb4f755a9a79424e3b556ac2cb91f06011`	SHA-256	PE5 -- x64 code injector
`3ef7c12a880b8d6664c21a06d63bf2d4f18afb8d70c8fec8497c7d99a88bb8e8`	SHA-256	PE6 -- x64 NT port communicator
`e74e1a8c7fb9301e0cd38e1fbf5ae23d522636b243090855a35395d72688250c`	SHA-256	.NET RAT/infostealer module
`7e0a41d59ba54e58bba3b2ed088cbc65`	MD5	.NET RAT/infostealer module

Embedded Hashes (found in binary strings)

Hash	Context
`d09f2340818511d396f6aaf844c7e325`	Internal component reference
`F7FC1AE45C5C4758AF03EF19F18A395D`	Internal component reference
`52F260023059454187AF826A3C07AF2A`	Internal component reference
`A512548E76954B6E92C21055517615B0`	Internal component reference
`27bb20fdd3e145e4bee3db39ddd6e64c`	Internal component reference

Network Indicators

Type	Value	Notes
IP	`106.52.51.128`	C2 server, Tencent Cloud Beijing
ASN	AS45090 (TENCENT-NET-AP)	Hosting provider
Encoded C2	`76<4;84;7478>`	Subtract-6 encoded IP in binary
CIDR	`106.52.0.0/16`	Monitor for related infrastructure

File System Indicators

Path / Name	Description
`ACE-Tray.exe`	System tray persistence (masquerades as Tencent ACE)
`xclient.exe`	Cheat client application
`xcom.exe`	C2 communication module
`xcomu.exe`	C2 communication variant
`xcomw.exe`	C2 communication variant
`npdll.dll`	StarDev input emulation companion DLL
`C:\USERBASE1.DAT`	User/subscription database

Unique Identifiers

Type	Value
GUID	`{5a5ff204-5119-afa2-3c01-14b1c997a7f7}`
GUID	`{QFI8530F-D7F9-4FE2-B94D-2DS0695DFE19F}`
PDB path	`F:\Code\Leadwerks-Template-master\Source\Get\x64\Release\Get.pdb`
Brand	StarDev
Protector contact	`shielden_user@safengine.com`
.NET encryption key	`glQoU1huBua0WywyDaLemEY18KZ3`
Test cert serial	`1291184732425754330`
Test cert CN	`WDKTestCert Administrator`

Registry Indicators

Key	Description
`HKLM\SYSTEM\CurrentControlSet\services\<driver_name>`	Service entries for kernel drivers
`HKLM\SYSTEM\CurrentControlSet\Control\CI\`	DSE/test signing state

MITRE ATT&CK Mapping

ID	Technique	Component	Notes
T1014	Rootkit	PE1, PE4	Dual kernel-mode drivers, ring-0 memory access, process hiding
T1027.002	Software Packing	All	Safengine Shielden + VMProtect dual-layer commercial protection
T1027.003	Steganography	Dropper	Subtract-6 Caesar cipher on C2 IP and auth token
T1036	Masquerading	ACE-Tray.exe	Mimics Tencent ACE anti-cheat system tray process
T1055.001	DLL Injection	PE5	WriteProcessMemory + CreateRemoteThread into game processes
T1056.001	Keylogging	.NET RAT	SendKeys/SendInput hooks via user32.dll
T1056.004	Credential API Hooking	PE3	Kernel-level keyboard/mouse input emulation
T1057	Process Discovery	PE5	CreateToolhelp32Snapshot process enumeration
T1071.001	Web Protocols	.NET RAT	AES-encrypted HTTP C2 with SSL certificate bypass
T1082	System Information Discovery	Dropper	WMI BaseBoard SerialNumber hardware fingerprinting
T1083	File and Directory Discovery	Dropper	SHGetSpecialFolderPathA path enumeration
T1106	Native API	PE4, PE6	NtCreatePort, NtQuerySystemInformation, MDL APIs
T1113	Screen Capture	.NET RAT	GetDesktopWindow + BitBlt + CreateCompatibleDC
T1115	Clipboard Data	.NET RAT	Clipboard monitoring and file drop list interception
T1134	Access Token Manipulation	Dropper	takeown/icacls/cacls.exe privilege escalation chain
T1543.003	Windows Service	Dropper	CreateServiceA/StartServiceA for kernel driver loading
T1547.001	Registry Run Keys	.NET RAT	RegistryKey/OpenBaseKey/CreateSubKey persistence
T1548.002	Bypass UAC	PE5	highestAvailable manifest elevation
T1562.001	Disable or Modify Tools	PE1, PE4	Kernel drivers bypass/blind anti-cheat systems
T1622	Debugger Evasion	All	VMProtect anti-debug + Safengine anti-dump

Detection Guidance

Signature-Based Detection

Hunt for PE files with simultaneous .nsp0/.nsp1/.nsp2 sections -- this is the Safengine Shielden fingerprint. While Shielden has legitimate uses, the combination of Shielden-packed binaries with kernel driver payloads is highly suspicious. YARA rule skeleton:

rule Safengine_Shielden_Sections {
    condition:
        uint16(0) == 0x5A4D and
        for all of (".nsp0", ".nsp1", ".nsp2") : (
            pe.sections[#].name == @
        )
}

Behavioral Detection

Kernel driver service creation from non-system processes: Alert on CreateServiceA/StartServiceA calls where the calling process is not services.exe, svchost.exe, or a signed system binary.
ACE-Tray.exe without Tencent signature: Monitor for ACE-Tray.exe processes where the binary is not signed by Tencent Technology (Shenzhen). The legitimate ACE binary carries a valid Tencent code-signing certificate.
NT named port creation from user space: Flag NtCreatePort system calls from user-mode processes. Legitimate software almost never uses NT named ports -- this is a strong indicator of kernel-to-user bridging malware.
WMI BaseBoard queries from unsigned binaries: Watch for Win32_BaseBoard WMI queries (specifically SerialNumber property access) from processes that are not hardware inventory or system management tools.
Privilege escalation sequence: Alert on the takeown + icacls/cacls.exe command sequence when executed by non-administrative tools.

Network Detection

Block 106.52.51.128 at the perimeter. Monitor the broader 106.52.0.0/16 Tencent Cloud range for related C2 infrastructure -- the operator may rotate IPs within the same Tencent Cloud region. The subtract-6 encoding is trivially reversible; a Suricata rule matching the encoded byte pattern 76<4;84;7478> in HTTP payloads would catch configuration updates.

Filesystem Artifacts

The most distinctive host indicator is C:\USERBASE1.DAT. This file is the local subscription database. If you find it on a system, you have a StarDev infection. Additional high-confidence indicators are npdll.dll (the StarDev input emulation companion library) and any combination of xclient.exe, xcom.exe, xcomu.exe, or xcomw.exe in the same directory.

Conclusion

StarDev's ACE-Tray rootkit is a case study in how the gaming cheat market serves as cover for more invasive operations. The cheat functionality is real -- kernel-level memory access, input emulation below the anti-cheat detection layer, process hiding via NtQuerySystemInformation hooks -- and that reality is what makes the embedded RAT so effective. Users voluntarily disable Driver Signature Enforcement, grant administrator privileges, and install kernel drivers because they believe they are enabling a competitive advantage in a game. What they are actually enabling is full machine compromise: keylogging, screen capture, clipboard theft, file exfiltration, and persistent remote access, all encrypted with AES and authenticated with HMAC over an HTTPS channel to Tencent Cloud.

The operation's longevity (compile timestamps spanning 2016 to 2025), commercial toolchain (Safengine and VMProtect licenses), subscription infrastructure (card-based authentication, hardware fingerprinting, version update mechanism), and domestic Chinese C2 hosting all point to a mature, financially motivated operation that has been iterating for nearly a decade. The dual-driver architecture -- one WDF-based for compatibility, one raw NT for maximum capability -- demonstrates genuine kernel engineering expertise. This is not commodity malware modified from a tutorial. This is a commercial product.

For defenders, the key takeaway is that gaming cheat tools represent a real and underappreciated threat vector. Every machine running a kernel-mode cheat is a machine where an untrusted third party has ring-0 access. Whether that third party limits themselves to game manipulation or also deploys a RAT is entirely at their discretion. In StarDev's case, they chose both.

Breakglass Intelligence -- Automated Threat Hunting Investigation ID: staser-ace-tray | Sample sourced from community submission IOCs are provided for defensive use. Handle responsibly.