Unity True Facials [v0.58b Pro] [HenryTaiwan]

3.90 star(s) 68 Votes

nezz82

Newbie
Nov 6, 2019
48
28
183
Just an FYI, I had the AMD black screen and have been helping out a mod on Discord, and we have fixed the black screen and I can now run it perfectly, so hopefully there will be a fix coming out very, very soon.
 

JhonLui

Well-Known Member
Jan 13, 2020
1,180
1,172
284
Are they working on new stages optimization? cuz these new environments are darn heavy...
 

Agent Denton

New Member
Oct 21, 2025
5
58
13
DO NOT RUN THIS GAME THROUGH TrueFacials.exe IT CONTAINS AN INFO STEALING MALWARE / VIRUS

The genuine executable for the game is bin.exe, while the fake TrueFacials.exe is a malicious file intentionally renamed to appear legitimate and trick users into running it. In reality, it is an info-stealing malware that extracts and executes a batch script in your temporary folder with elevated permissions, patches your default browser with a fake updater (updater.exe), and steals sensitive personal data.

This malware was first seen in the wild on 2021-08-27 13:21:44 UTC, and remains active in the distributed build. If you ran it and your antivirus did not block the payload, assume your information has been compromised.

I personally tested the executable in an isolated virtual machine to verify the earlier analysis by user poopybutt77 and can confirm with 100% certainty that it is an info stealer.

Do not try to reproduce this on a real host machine, only test in an isolated VM or sandbox. Run it on your main system and you'll get your shit rocked and your data looted.

Key evidence I observed inside an isolated VM

  • Two files observed: bin.exe (legitimate Unity executable) and TrueFacials.exe (malicious impersonator).
  • Malicious behavior reproduced in a VM: extraction of a .bat into the temporary folder and execution via cmd.exe.
  • The malware attempts to download / place updater.exe in a path that impersonates a browser updater (e.g. C:\Program Files (x86)\Google...\updater.exe) and launch it.
  • Registry modifications observed targeting persistence and service manipulation:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run (adds startup entry).
    • HKLM\SYSTEM\CurrentControlSet\Services (modifies/creates service entries).
    • HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE (modified).
    • etc... all files created and accessed can be seen at the
  • Network activity: connections to numerous external IPs consistent with C2 behavior.
  • Spawns additional processes/services and creates multiple .tmp files and batch scripts in %LOCALAPPDATA%\Temp.
  • Associated file hashes/parents noted in analysis indicate affiliation with keygens and random archives (IOCs that increase suspicion).
  • Earliest seen timestamp in the wild (per the provided analysis): 2021-08-27 13:21:44 UTC indicates this malicious build has been available for years.

Sample batch content observed (exact snippet reproduced from legit TrueFacials.bat launcher):

Echo off
cd ntleas\x64
ntleas.exe ../../bin.exe "L1041"
cls

This is what the legitimate launcher should do. Instead, TrueFacials.exe extracts and runs a malicious batch that patches the browser and runs updater.exe


Why “false positive” claims are wrong

  • This is not a heuristic alert with no side effects. The binary actively modifies registry keys, creates & executes batch files, spawns processes/services, and downloads/places a payload that impersonates a browser updater. Those are explicit malicious behaviors, not a heuristics mistake.
  • Behavior reproducible in an isolated VM.

Here is a video of the analysis with a guide on how to verify it yourself.

View attachment output2.mp4

Original analysis by:
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.








Both do the same, both have different anti virus results.


The virus one, injects into C:\Program Files (x86)\Google1608_1329478733\bin\updater.exe

View attachment 3764914


Does this really look like something this forum shouldn't look into?

Do I need to manually reverse engineer this executable to prove the developer (OR ORIGINAL POSTER !! ! ) is doing something fishy.

View attachment 3764915

Related parents, aka shared file hashes. Why is it affiliated with keygens, and random zips???

It establishes connections to multiple external IP addresses. These connections are potentially command-and-control (C2) servers, indicating the malware's attempt to communicate with an external source for instructions or data exfiltration.

Spawns new processes and services, indicating the execution of its payload and attempts to maintain control over the infected system.

It modifies registry entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to ensure it runs every time the system starts.

Changes in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to manipulate system services, often to disable security-related services or to create new malicious services.

Modifies the key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE, potentially to affect browser behavior and user credential handling.

View attachment 3764941 View attachment 3764942

The malware creates numerous .tmp files in the user's temporary directory (AppData\Local\Temp). These files are likely used as intermediate stages in the malware's execution process.

The malware uses cmd.exe to execute batch files (.bat) located in the temporary directory. These batch files are used to execute the primary malicious payload.

The malware masquerades as the Google updater to blend in with legitimate processes. This is indicated by paths like C:\Program Files (x86)\Google\Update\.

By creating and executing multiple batch files, the malware ensures persistence and continuous execution, making it harder to remove.
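
Added example, not part of any post in this thread and not the analysts' own tooling: a small triage script that checks a sandbox event log for the behaviours listed above (batch execution from Temp, Run key and Services writes, the FeatureControl key, an updater.exe dropped under a Google-style folder) and separates events caused by the sample's process tree from unrelated background activity. The event schema, rule names and every path and PID in the sample data are constructed for illustration.

```python
import ntpath
import re

# Constructed sandbox events (not from any real report); field names are assumptions.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 4,
     "image": r"C:\Games\TF\TrueFacials.exe", "cmdline": "TrueFacials.exe"},
    {"type": "file", "pid": 100,
     "target": r"C:\Users\u\AppData\Local\Temp\A1B2.tmp\run.bat"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\A1B2.tmp\run.bat"'},
    {"type": "registry", "pid": 101,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file", "pid": 101,
     "target": r"C:\Program Files (x86)\Google0000_0000000000\bin\updater.exe"},
    # Background activity from an unrelated process tree.
    {"type": "process", "pid": 900, "ppid": 4,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "pid": 900,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start"},
]

# One rule per behaviour named in the post: (event type, pattern).
# Matching is case-insensitive because Windows paths and registry keys are.
RULES = {
    "temp_bat_exec": ("process", re.compile(
        r"cmd\.exe.*\\AppData\\Local\\Temp\\.*\.bat", re.I)),
    "run_key": ("registry", re.compile(
        r"^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)),
    "service_change": ("registry", re.compile(
        r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.I)),
    "ie_feature_control": ("registry", re.compile(
        r"FEATURE_HTTP_USERNAME_PASSWORD_DISABLE", re.I)),
    "updater_drop": ("file", re.compile(
        r"\\Program Files( \(x86\))?\\Google[^\\]*\\.*updater\.exe$", re.I)),
}


def process_tree(events, sample_name):
    """Return the PIDs of the sample and of every process it spawned, transitively.

    Events are assumed to be in chronological order, so a parent is always
    seen before its children.
    """
    pids = set()
    for ev in events:
        if ev["type"] != "process":
            continue
        is_sample = ntpath.basename(ev["image"]).lower() == sample_name.lower()
        if is_sample or ev["ppid"] in pids:
            pids.add(ev["pid"])
    return pids


def triage(events, sample_name):
    """Group rule hits into those attributable to the sample and background noise."""
    tree = process_tree(events, sample_name)
    report = {"attributed": {}, "background": {}}
    for ev in events:
        # Process events are matched on the command line, others on the target.
        text = ev["cmdline"] if ev["type"] == "process" else ev["target"]
        for name, (kind, pattern) in RULES.items():
            if ev["type"] == kind and pattern.search(text):
                bucket = "attributed" if ev["pid"] in tree else "background"
                report[bucket].setdefault(name, []).append(text)
    return report


if __name__ == "__main__":
    for bucket, hits in triage(EVENTS, "TrueFacials.exe").items():
        for rule, items in hits.items():
            for item in items:
                print(f"{bucket:10} {rule:18} {item}")
```

A hit in the attributed bucket is a lead, not a verdict: confirm it by checking the Authenticode signature and hash of the dropped file before drawing a conclusion.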
 

Agent Denton

New Member
Oct 21, 2025
5
58
13
Anyone got a working clean link for 0.42 that doesn't come with a virus? I'm trying to run the latest version and getting 10 FPS on a 4060. This new version is outright Unity slander. It's rendering at less than quarter resolution and upscales to your resolution. It's hilariously bad. Like worse than yandere dev levels bad. Honestly, if the dev slipped in an Ethereum miner, I doubt anyone would notice or care.

No wonder people think every Unity game is an asset flip held together with duct tape that runs like dogshit.
 

SkoZi

Newbie
Nov 12, 2019
54
69
216
Anyone got a working clean link for 0.42 that doesn't come with a virus? I'm trying to run the latest version and getting 10 FPS on a 4060. This new version is outright Unity slander. It's rendering at less than quarter resolution and upscales to your resolution. It's hilariously bad. Like worse than yandere dev levels bad. Honestly, if the dev slipped in an Ethereum miner, I doubt anyone would notice or care.

No wonder people think every Unity game is an asset flip held together with duct tape that runs like dogshit.
I don't know how you can have 10 fps on 4060 if my friend has 60 fps on 4070 stable with 3-4 players.
 

Agent Denton

New Member
Oct 21, 2025
5
58
13
I don't know how you can have 10 fps on 4060 if my friend has 60 fps on 4070 stable with 3-4 players.

Interesting. You'll have to ask the developer why the game performs like this on modern hardware. I'm running a 4060 at 4K and it's struggling to maintain double-digit frames.

Could be the aggressive upscaling. Could be whatever post-processing pipeline they duct-taped in at the last minute. Or maybe it's the Ethereum miner quietly benchmarking my system in the background. Hard to say.

But if your friend's getting 60 FPS on a 4070, he should consider himself lucky. You should probably tell him to try running the game with something better than a 800x600 CRT monitor. Most people I've talked to are getting performance somewhere between a screensaver and a slideshow.
 
  • Like
Reactions: NotSomeone

JhonLui

Well-Known Member
Jan 13, 2020
1,180
1,172
284
Interesting. You'll have to ask the developer why the game performs like this on modern hardware. I'm running a 4060 at 4K and it's struggling to maintain double-digit frames.

Could be the aggressive upscaling. Could be whatever post-processing pipeline they duct-taped in at the last minute. Or maybe it's the Ethereum miner quietly benchmarking my system in the background. Hard to say.

But if your friend's getting 60 FPS on a 4070, he should consider himself lucky. You should probably tell him to try running the game with something better than a 800x600 CRT monitor. Most people I've talked to are getting performance somewhere between a screensaver and a slideshow.
What Cpu?
cuz you and the guy with the 4070 seem to be seriously Cpu bottlenecked..
Not saying the game is running fine, in fact lost around 15% fps with the new update, but it still runs smoothly.
 
  • Like
Reactions: Otaku111

Hunterxred

Member
Apr 26, 2023
166
135
127
FREEMODE HG.
Go to the op which has a link to the mods here in this thread.
When you have it PROPERLY installed, click on a character.
If you downloaded all the mods, choose the option that says FREEMODE HG and go to illegal customization, choose the preferred male character to make a bottom (meaning able to do gay stuff).
thanks a lot it works :giggle:
 

Agent Denton

New Member
Oct 21, 2025
5
58
13
What Cpu?
cuz you and the guy with the 4070 seem to be seriously Cpu bottlenecked..
Not saying the game is running fine, in fact lost around 15% fps with the new update, but it still runs smoothly.
Ryzen 7 7700X. Eight cores, plenty of headroom. Not exactly vintage hardware.

If you chalk this up to just a "CPU bottleneck" then the industry's in trouble. GPU utilization barely cracks 50%. Something's rotten, and it's not my silicon.

You're right about one thing and that's the new update tanking performance. But the issue isn't the hardware. It's the design decisions made by this incompetent and malicious developer if you can even call him that.

The real problem is the 1.5 GB bin_Data/data.unity3d. Used to be just 200 MB in 0.42, now it's ballooned to over a gigabyte. Unity dumps everything stored in data.unity3d into RAM and VRAM at startup whether it's needed or not. No asset streaming implemented by the dev. No scene-based loading. Just brute force. Also love the uncompressed PNG skyboxes. It's not even stored as a GPU-compatible texture, which means it decompresses into 4 bytes per pixel at runtime, which is over 256 MB for a single useless skybox texture. That's mental.

Then there's the character models ripped straight from . High-poly monstrosities with about a trillion polygons and 16K textures that could probably be used to texture the surface of the moon. Great for a Pixar short film. Horrible for real-time game rendering in Unity.

On top of that, he's using Unity's heaviest rendering pipeline. Now we're stuck with forced upscaling and DLSS smearing lube on your screen, trying to clean up the mess.

But sure. Tell me more about my CPU bottleneck woes.

Just a heads up, don't run TrueFacials.exe unless you want your personal data stolen and sent to the basement of some dirty wet market in the outskirts of Wuhan. Use bin.exe instead.
 

nutz104

Newbie
Feb 7, 2018
33
8
192
Throwing my voice in with those who have the black screen and then the force crash out. Any ideas on a fix?
 

nutz104

Newbie
Feb 7, 2018
33
8
192
One of their team sorted my black screen today so they now know how to fix it on AMD rigs, so a fix/patch should come out very soon
Thanks, fingers crossed it helps. I am running Intel Iris Xe however so I am crossing my fingers
 

JhonLui

Well-Known Member
Jan 13, 2020
1,180
1,172
284
Ryzen 7 7700X. Eight cores, plenty of headroom. Not exactly vintage hardware.
I agree, but something doesn't add up...
with a system almost equivalent (just a 4060Ti) I get stable 70+ on 4k DSR with game Native AA in any map.
Even with no optimization of any kind you should be well above 40fps
Maybe it has to do with the AMD problem?

-edit-
Unless you set the screen AND the game at 4K, but that's nonsense you (we) don't have enough Vram nor power to run effective 4K
 
Sep 16, 2025
4
2
3
DO NOT RUN THIS GAME THROUGH TrueFacials.exe IT CONTAINS AN INFO STEALING MALWARE / VIRUS

So now I'm concerned since I ran the program numerous times throughout the past few days, what do I do now? Is there a way to purge my computer of these files? Or as I understood are they gone after the game launches as they already stole everything? I uninstalled truefacials.exe but I know that's obviously not the end of it. I'm currently deep scanning with malwarebytes and about to reset my passwords on everything. Is a factory reset needed? I'd really rather not deal with that mess of backing everything up and reinstalling all my games and shit. any help would be appreciated brother.
 
  • Like
Reactions: hentaigunman

punhetas

Active Member
Nov 2, 2016
694
1,431
379
DO NOT RUN THIS GAME THROUGH TrueFacials.exe IT CONTAINS AN INFO STEALING MALWARE / VIRUS

As someone with no life, I'll be happy to explain the gist of it to you: See, in v0.4, there was quite an overhaul on how the game works internally, and the changes in the code, for some reason, would make it so Unity would refuse to run it unless it thinks your computer's region is Japanese, or simply Asian, whatever. A workaround found was running the game through something called NTLEAS, which I understand is like a region emulator?
Anyways, the current version, v0.41, includes NTLEAS in it, and the TrueFacials.exe is actually something the dev included as a shortcut to run the ACTUAL executable, which is named bin.exe, through the NTLEAS included. And it's the shortcut .exe that is setting off the false positives. Fun fact, it's not even really an .exe, it's a .bat the dev converted into .exe because he was worried people wouldn't know they need to click it.

TL;DR as far as i've seen, the TrueFacials.exe is completely safe, but if you're worried, you can get rid of it if you want. You'll likely have to go run the bin.exe through the NTLEAS thing, though.
quoting for posterity, this discussion is as old as the game.

TFfan1 please reset the counter.
 

TFfan1

Member
Jul 8, 2024
342
425
149
DO NOT RUN THIS GAME THROUGH TrueFacials.exe IT CONTAINS AN INFO STEALING MALWARE / VIRUS

Okay, I don't usually post answers to posts like this but after reading and testing (more times than I would like to admit) I'll give my two cents. I have downloaded TF several times from this site and a different one and only once have I had problems with the .exe. Granted the only time I had an incident it was from a 0.5 version that was posted here and I posted what I found and how I noticed the .exe had been tampered with. That specific version was uploaded by a user that left this site after that issue gained traction.

Now, this latest version, 0.57, was also downloaded from this site too and I haven't had any issues so far. I downloaded the "modless" version and neither the .exe nor the .bin have done anything to my PC.

I think the truth lies somewhere in the middle. It is true that a "legit" TF.exe sometimes triggers a false positive, and we have the evidence and explanation straight from the devs as well as some of the more technical users from this forum on why this happens.

*If* what you're saying is true, and the .exe *is* doing all the things you're mentioning, then yes, there is something going on and I will say that file was most likely modified by a third party. We have evidence, lots of it, that some sites (Chinese mainly but not only them) have modified both .exes. What I think is going on here is that a "legit" .exe was modified by someone else and then was posted here. I will keep an eye on this and share with you, the community, what I find. It is my opinion that this was not something done by Henry nor the team. This was done by someone else who is aware of both the game's popularity and has the "know how" to infect as many PCs as possible.
 

TFfan1

Member
Jul 8, 2024
342
425
149
quoting for posterity, this discussion is as old as the game.

TFfan1 please reset the counter.
I gave my two cents on this. If the posting member is trolling, then he got me, but i gave an argument with hard evidence (years now of evidence found on this forum and Discord) on why i think this is mostly propaganda or a scare tactic. Also, back to zero. FP 26-oct-25.jpg
 

CrvX1995

Member
May 6, 2024
426
572
103
I always run it from the default bin.exe, the other exe triggers all my AVs as soon as game is unpacked, it's def shady, something is up with it, could be just some odd behaviour AVs detect as malware, can't verify what the file does, but just to be safe, I don't even extract it, just the bin.exe, run from it and yall should be fine... probably... hopefully :HideThePain:
 