All network packets between client and server are encrypted. Even if you intercept them, altering values (e.g., changing Primogems from 0 to 9999) triggers immediate server validation failure.
uses multiple layers of security to prevent tampering, most notably (a kernel-level driver) and HoYoKProtect.
Attackers can use the driver's kernel-level access to terminate endpoint protection (antivirus) and encrypt user files.
They want to automate farming (Spiral Abyss, ore routes) via macros. Macros make it easier to bypass the anticheat (by emulating input via hardware), but they are still detectable via pattern analysis of mouse movements. Accounts using them are banned after a wave.
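The pattern analysis mentioned above, sketched from the detection side as an added example (it is not code from the game or its anticheat). The feature choice, the thresholds, the function names and the sample traces are all assumptions constructed for illustration.

```python
import math
from statistics import mean, pstdev

# Thresholds are illustrative assumptions, not values from any real anticheat.
MIN_TIMING_CV = 0.10      # scripted input tends to have near-constant event gaps
MAX_STRAIGHTNESS = 0.995  # net displacement divided by travelled distance

def features(trace):
    """trace: list of (t_ms, x, y) samples for one pointer movement."""
    pairs = list(zip(trace, trace[1:]))
    gaps = [b[0] - a[0] for a, b in pairs]
    travelled = sum(math.dist(a[1:], b[1:]) for a, b in pairs)
    avg_gap = mean(gaps)
    timing_cv = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
    net = math.dist(trace[0][1:], trace[-1][1:])
    straightness = net / travelled if travelled else 1.0
    return timing_cv, straightness

def looks_scripted(trace):
    if len(trace) < 5:
        return False  # too few samples to judge
    timing_cv, straightness = features(trace)
    return timing_cv < MIN_TIMING_CV or straightness > MAX_STRAIGHTNESS

def flag_sessions(sessions, min_ratio=0.8):
    """Session ids where at least min_ratio of judged movements look scripted."""
    flagged = []
    for sid, traces in sessions.items():
        judged = [t for t in traces if len(t) >= 5]
        hits = sum(looks_scripted(t) for t in judged)
        if judged and hits / len(judged) >= min_ratio:
            flagged.append(sid)
    return flagged

# Constructed sample data: fixed 10 ms cadence on a straight line ...
def macro_trace(x0, y0):
    return [(i * 10, x0 + 12 * i, y0 + 5 * i) for i in range(12)]

# ... versus irregular gaps along a curved path.
def human_trace(x0, y0):
    t, pts = 0, [(0, x0, y0)]
    for i, gap in enumerate([8, 15, 11, 22, 9, 31, 12, 17, 10, 26, 14], 1):
        t += gap
        pts.append((t, x0 + 12 * i, y0 + round(40 * math.sin(i / 3))))
    return pts

SESSIONS = {
    "sess-A": [macro_trace(0, 0), macro_trace(100, 50), macro_trace(300, 20)],
    "sess-B": [human_trace(0, 0), human_trace(50, 80), macro_trace(10, 10)],
}
print(flag_sessions(SESSIONS))
```

Scoring per session rather than per movement keeps a single unusually straight or evenly timed human movement from flagging an account on its own.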
Advanced cheats manipulate the EPROCESS structure of the cheat process, removing it from the linked list of active processes that the anticheat iterates. The cheat runs, but the anticheat’s scan function never sees it.