Although echo is great, especially for simple cheats, anyone can make a custom mod cheat with a few lines of code that make an auto clicker, that's where decompiling mods come in.

If you have mod info on your server then you’ll be able to see what mods they’re using:


Otherwise, you will have frozen them from AntiCheat Alerts or Reports.

After you’ve run echo, if you suspect they may have been using a mod cheat you will want to download either:

https://github.com/deathmarine/Luyten/releases/download/v0.4.5/luyten-0.4.5.exe



Or

https://github.com/java-decompiler/jd-gui/releases/download/v1.6.6/jd-gui-1.6.6.jar



Once it's Downloaded Launch it and it should Look like the screenshots above.

Then go to their resource packs and find their mods folder or just go to %appdata% and find it through that.
(Be aware that some Minecraft launchers use different file locations like:

)


After that just drag and drop their mods into JDGUI or Luyten.



It will bring up some orange boxes with Meta Information and mcmod.info, if you click the middle one it will bring up all the classes, then go through and read the functions: Check for anything that looks to be changing the game values (Usually for reach it'll look like Range: 3.01 - 3.4 or something. - You can CTRL + F and search for keywords like Reach, Autoclicker, Clicker ECT.)





Another thing to note, if a mod looks like this when decompiled:



This means it is a ghost mod/client that has either been self-destructed or is Obfuscated by default and you can safely ban for this.