Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

0
Medium
Published: 07/15/2026 (07/15/2026, 16:29:28 UTC)
Source: AlienVault OTX General

Description

Eleven malicious NuGet packages masquerade as game cheats for popular games and act as first-stage downloaders. They use DNS-over-HTTPS to evade local controls, request UAC elevation to resync system time, and download a second-stage PyInstaller payload named pepesoft.exe. The payload performs hardware fingerprinting, enforces licensing via Google Sheets telemetry, respects remote ban-lists, and some variants enable remote control and screenshot capture via Telegram bot commands. All packages share AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator offering a commercial game-automation service.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 22:17:38 UTC

Technical Analysis

This threat involves eleven malicious NuGet packages distributed as .NET command-line tools that impersonate game utilities and cheats for games such as Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package acts as a first-stage downloader using DNS-over-HTTPS to bypass local network controls and requests UAC elevation to resynchronize system time. They then fetch a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face repositories under the username pepegit666. The payload binds to hardware fingerprints, enforces licensing through telemetry data stored in Google Sheets, and honors remote ban-lists. Three variants include Telegram bot command functionality enabling screenshot capture and remote control of infected hosts. The packages share identical AWS credentials and mutex identifiers, indicating a single Russian-speaking operator running a commercial game-automation service marketed via pepesoft.ru and a Telegram channel.

Potential Impact

The malicious NuGet packages can lead to unauthorized remote control of Windows hosts, including screenshot capture and execution of commands via Telegram bots. The use of DNS-over-HTTPS and UAC elevation requests facilitates evasion of local security controls. Hardware fingerprinting and licensing enforcement mechanisms complicate detection and removal. The threat enables persistent surveillance and potential data exfiltration on infected systems.

Mitigation Recommendations

No official patch or remediation is available as this is a supply chain malware campaign involving malicious NuGet packages. Users should avoid installing untrusted or unofficial NuGet packages, especially those purporting to be game cheats or utilities. Security teams should monitor for installation of suspicious .NET command-line tools and investigate any processes requesting UAC elevation to resync system time. Blocking DNS-over-HTTPS traffic to untrusted endpoints and restricting execution of unknown PyInstaller payloads can help mitigate risk. Since this is not a cloud service, remediation depends on user and organizational vigilance. Patch status is not yet confirmed — check vendor advisories and security community updates for current guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/11-malicious-nuget-tools-pose-as-game-cheats"]
Adversary
null
Pulse Id
6a57b568d98a7ae03ccd6071
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hashd5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609
hash9a2091e6625fc11cfd8f39c17aa271604e66322ee045028946274b988103e35b
hash900ddb81d27e03967209fee4d17d13deb68eef0e1f10936eb520ca10575cb49e
hashab58a90eb3682c6dc3389cd700a64f68a19c0dac3d0fa8e3df97ae041f96d4e1
hashe6e1049158ceb1971c61388349c81fa6047a7aecb4ff2089ef54a50dcc35dbc0
hashd9f7ca9f93a7d188d51db308877b15d0beae932ca0bf4705384fbedf54b454c1
hash4d13f1136b13c871c65141b77ec7208488334ac4be511800196adcd328666305
hash011926de3d0cc2b970627b9bf0de003e731f8576602dff756d2ab54a9de61972
hash79c09e1ffb4804c14ff27d41ec08d4390455c92d65717be0aeeec2697297d76a
hash5f3a9ebf7039097b3cdbca8609b5b68af07eeb1dbf716ba2817a97fc7c543854
hash23808e7638f7a00b1ef9b9f4ca524f8a46cf63be6f6b79fec8e4a3fd1cc82a1e
hashe8c2618565aa31d7ffe909ebc99040bafcc0ea8df7f5d92fa673bb7ffacb14c9
hash6eefe9d5f030d403c72bd4e4caf5bbb9dbc2bd5e15ebb07de153494f458e5eb9
hash8ab256dd839aec6638cd46374f4a6664e534b9341bbcdfd9b763e5a27c51ddb7
hash6c1f828e4d8395dde8293868c65ba8d86b3b9672ebbbb16e932624706d37d832
hash6cbd4bc491deb11040e2b2f91b0b4e129af551a802fc78cb42e0e985297ef44c
hash5d9843126db4223dc2a8a9cd4a627286fe1a6345e33b28e9c98b5fe56fe89da6
hashc9f3e7766dbe728d84a1243447faa5f5eba0645bf13089074d128ea7663e7f5b
hasha2a5e473dba85959b21b7e8a184bc255d5f2dacdf7411b91d212fb1217d2518b
hashba7fc544994f126cb7485ce52d265d2f32e93c4f1ea1fcd6fcdee3918f271979
hash567952daf0ab7b36b017aac9963791188dea0fbf2e99c7cc6f6652ee540f4840
hashcc853b3e4504c890d275ac2327f18acd7e4c5b99ca056181f3f5694781f2cf45
hash476c6f36a22156e53548a87291989a21d6c905dcbd9e1bf68ff5bc12e5c8bb07
hash774e40046f353e3f916f39e3d13d6499da35705a479cfb89288c21017aaf5461
hash23e4d8af5425dae022793450190c8d30809b2986dd879eb4bff557cdacf49c86
hash95577498d23fe750221a5badfc25b5e9f020dcf4d80c79a019b090e3c3b0a32a
hash2a4fed04d792b9c2fdf9c1456a08ca23eda5fef50c0b409ab294ad489e12d801
hash7e42d25e707d29d5d185a4c5dc71019f744e88a30b66bbf06949194ff32dbc48
hashd59e1914d76499fa51bf861f418c84bda0b48913dc39bd2e73756e326e4ccbb0
hash17b1d836c2f15a97be0350879943b04e14bc076cf09e31df0d73258ee10f7e7c
hash01d2afea0f2201a3b59765a1a60ba324ff4b8fdd25f23a0e05824b97f195b27c
hash21b4be57bd3743738393f44d9464e212
hash5bd610283d9c4b4ead45ca4f1b35d0f4
hashd6b2c2d2851a63b90e7210a943d0fdf6
hash642bfeae924b9d4e6ed642b5946ac8e745cfc531

Domain

ValueDescriptionCopy
domains3.ru-3.storage.selcloud.ru
domainbots.pepesoft.ru
domaingrandrp.su

Url

ValueDescriptionCopy
urlhttps://s3.ru-3.storage.selcloud.ru

Threat ID: 6a5803ac68715ace4390f612

Added to database: 07/15/2026, 22:03:24 UTC

Last enriched: 07/15/2026, 22:17:38 UTC

Last updated: 07/15/2026, 22:17:38 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses