
Update: today I found some decisive evidence on its misbehaviour. Sandbox analysis from VirusTotal on its installer reports video-capturing capability using the webcam.

See the link to its analysis here.


I recently found that a proxy program (Clash for Windows) that I installed on my Windows PC always links to DLLs that are unrelated to its function.

It has DLLs of FFmpeg, DirectX, OpenGL, and Vulkan in its installation directory. And through Process Explorer, I confirmed that it indeed loads such DLLs (always FFmpeg, but not always all of the other three).


As I mentioned, it should only serve as a proxy program, and the only legitimate reason (that I can think of) why it loads the DLLs of low-level graphics APIs is for hardware acceleration of its UI -- but I have not found related settings in it. Most importantly, I cannot think of a reason to justify its loading FFmpeg.

FFmpeg is known to be able to stream videos to a remote client, and I suspect that the program is spyware -- that it uses the low-level Graphics APIs to capture the screen and stream it via FFmpeg.

That of course is my speculation. So my questions are:

  1. Can the DLLs it loaded be used in other legitimate ways that I have not thought of?
  2. Is there any way to investigate it further to obtain decisive evidence on its being spyware?
  3. The program has only run as a Normal User on my PC. If it was indeed spyware, how much damage could it have caused, and how could I possibly mitigate the damage (e.g. what kinds of backdoors could it have left as a Normal User)?

I sincerely appreciate any insight you provide and your time in advance.

Guanyuming He

1 Answer


From the app's overall appearance in its official screenshots as well as the presence of en-US.pak and GPUCache in your DLL list (that is, not just "GPU cache" generally but that specific name), I am going to guess that the program's interface has been written in something that uses CEF (possibly Electron) – the former is "Chrome Embedded Framework", which is essentially just the Chrome web browser packaged into something that looks like an app, while Electron is CEF+NodeJS.

(It's an extremely popular option these days. For example, Discord uses CEF via Electron; VSCode and Steam use CEF directly; Dropbox uses CEF via QtWebEngine... that's why you run out of RAM.)

CEF being literally Chrome-in-a-box, the whole app interface is an HTML/CSS/JS "webpage" and it still has the same features that Chrome would normally have: the GPU-accelerated HTML rendering (with CSS shaders and other fancy stuff), the video playback support (Chrome uses FFmpeg for <video> tags), and so on.

It might not necessarily be the entire UI, however; there are also apps that just need to embed a web-view for some specific purpose (like a sign-in screen or a help document), and those will almost always end up using CEF through QtWebEngine or Microsoft's WebView2.

You can recognize CEF from the various .pak archive files that it uses for its internal assets; the folder named GPUCache is also a symptom of CEF usage. (At the moment, my user directory on Linux has twenty-four separate 'GPUCache' directories, each belonging to a different app that is either wholly CEF-based or just uses CEF for some specific purpose.)

grawity
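As an added example (not code from the question or the answer), a small Python triage script that applies the answer's recognition heuristic to a directory: it looks for the .pak archives and the GPUCache folder that mark a CEF/Electron app, and separately tallies the FFmpeg, DirectX, OpenGL and Vulkan DLLs the question lists, so you can see whether the media and graphics libraries are accounted for by an embedded Chromium. The DLL file-name patterns and the sample directory layout are my assumptions, constructed for illustration.

```python
import os
import re
import tempfile

# Indicators the answer names for a CEF/Electron-based app: .pak asset
# archives and a directory called GPUCache.
PAK_SUFFIX = ".pak"
GPU_CACHE_DIR = "GPUCache"

# Media/graphics DLLs the question lists. The file-name patterns are an
# assumption about how such libraries are commonly named, not from the page.
MEDIA_GFX_PATTERNS = {
    "ffmpeg":  re.compile(r"^(ffmpeg|av(codec|format|util)|swscale)[-\d]*\.dll$", re.I),
    "directx": re.compile(r"^(d3d\w*|dxgi\w*)\.dll$", re.I),
    "opengl":  re.compile(r"^(opengl32|libglesv2|libegl)\.dll$", re.I),
    "vulkan":  re.compile(r"^vulkan-1\.dll$", re.I),
}

def scan_install_dir(root):
    """Walk a directory tree and collect CEF markers and media/graphics DLLs."""
    findings = {"pak_files": [], "gpu_cache_dirs": []}
    findings.update({k: [] for k in MEDIA_GFX_PATTERNS})
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if GPU_CACHE_DIR in dirnames:
            findings["gpu_cache_dirs"].append(os.path.normpath(os.path.join(rel, GPU_CACHE_DIR)))
        for name in filenames:
            if name.lower().endswith(PAK_SUFFIX):
                findings["pak_files"].append(name)
            for key, pattern in MEDIA_GFX_PATTERNS.items():
                if pattern.match(name):
                    findings[key].append(name)
    for values in findings.values():
        values.sort()
    return findings

def classify(findings):
    """Reduce the findings to the verdict the answer reasons towards."""
    cef = bool(findings["pak_files"] or findings["gpu_cache_dirs"])
    media = [k for k in MEDIA_GFX_PATTERNS if findings[k]]
    if cef and media:
        return "cef-embedded"       # media/graphics DLLs are expected baggage of embedded Chromium
    if media:
        return "unexplained-media"  # no CEF markers, so the DLLs still need another explanation
    return "no-media-libs"

def build_sample_tree():
    """Constructed sample layout (not a real install) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="cef-triage-")
    os.makedirs(os.path.join(root, "resources", GPU_CACHE_DIR))
    for name in ("en-US.pak", "resources.pak", "ffmpeg.dll", "libGLESv2.dll",
                 "d3dcompiler_47.dll", "vulkan-1.dll", "app.exe"):
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    found = scan_install_dir(build_sample_tree())
    print(found, classify(found))
```

Point `scan_install_dir` at the installation directory, and separately at the app's user-data directory, since that is where the answer notes GPUCache folders usually accumulate.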