11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
Eleven malicious NuGet packages masquerade as game cheats for popular games and act as first-stage downloaders. They use DNS-over-HTTPS to evade local controls, request UAC elevation to resync system time, and download a second-stage PyInstaller payload named pepesoft.exe. The payload performs hardware fingerprinting, enforces licensing via Google Sheets telemetry, respects remote ban-lists, and some variants enable remote control and screenshot capture via Telegram bot commands. All packages share AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator offering a commercial game-automation service.
AI Analysis
Technical Summary
This threat involves eleven malicious NuGet packages distributed as .NET command-line tools that impersonate game utilities and cheats for games such as Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package acts as a first-stage downloader using DNS-over-HTTPS to bypass local network controls and requests UAC elevation to resynchronize system time. They then fetch a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face repositories under the username pepegit666. The payload binds to hardware fingerprints, enforces licensing through telemetry data stored in Google Sheets, and honors remote ban-lists. Three variants include Telegram bot command functionality enabling screenshot capture and remote control of infected hosts. The packages share identical AWS credentials and mutex identifiers, indicating a single Russian-speaking operator running a commercial game-automation service marketed via pepesoft.ru and a Telegram channel.
Potential Impact
The malicious NuGet packages can lead to unauthorized remote control of Windows hosts, including screenshot capture and execution of commands via Telegram bots. The use of DNS-over-HTTPS and UAC elevation requests facilitates evasion of local security controls. Hardware fingerprinting and licensing enforcement mechanisms complicate detection and removal. The threat enables persistent surveillance and potential data exfiltration on infected systems.
Mitigation Recommendations
No official patch or remediation is available as this is a supply chain malware campaign involving malicious NuGet packages. Users should avoid installing untrusted or unofficial NuGet packages, especially those purporting to be game cheats or utilities. Security teams should monitor for installation of suspicious .NET command-line tools and investigate any processes requesting UAC elevation to resync system time. Blocking DNS-over-HTTPS traffic to untrusted endpoints and restricting execution of unknown PyInstaller payloads can help mitigate risk. Since this is not a cloud service, remediation depends on user and organizational vigilance. Patch status is not yet confirmed — check vendor advisories and security community updates for current guidance.
Indicators of Compromise
- hash: d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609
- hash: 9a2091e6625fc11cfd8f39c17aa271604e66322ee045028946274b988103e35b
- hash: 900ddb81d27e03967209fee4d17d13deb68eef0e1f10936eb520ca10575cb49e
- hash: ab58a90eb3682c6dc3389cd700a64f68a19c0dac3d0fa8e3df97ae041f96d4e1
- hash: e6e1049158ceb1971c61388349c81fa6047a7aecb4ff2089ef54a50dcc35dbc0
- hash: d9f7ca9f93a7d188d51db308877b15d0beae932ca0bf4705384fbedf54b454c1
- hash: 4d13f1136b13c871c65141b77ec7208488334ac4be511800196adcd328666305
- hash: 011926de3d0cc2b970627b9bf0de003e731f8576602dff756d2ab54a9de61972
- hash: 79c09e1ffb4804c14ff27d41ec08d4390455c92d65717be0aeeec2697297d76a
- hash: 5f3a9ebf7039097b3cdbca8609b5b68af07eeb1dbf716ba2817a97fc7c543854
- hash: 23808e7638f7a00b1ef9b9f4ca524f8a46cf63be6f6b79fec8e4a3fd1cc82a1e
- hash: e8c2618565aa31d7ffe909ebc99040bafcc0ea8df7f5d92fa673bb7ffacb14c9
- hash: 6eefe9d5f030d403c72bd4e4caf5bbb9dbc2bd5e15ebb07de153494f458e5eb9
- hash: 8ab256dd839aec6638cd46374f4a6664e534b9341bbcdfd9b763e5a27c51ddb7
- hash: 6c1f828e4d8395dde8293868c65ba8d86b3b9672ebbbb16e932624706d37d832
- hash: 6cbd4bc491deb11040e2b2f91b0b4e129af551a802fc78cb42e0e985297ef44c
- hash: 5d9843126db4223dc2a8a9cd4a627286fe1a6345e33b28e9c98b5fe56fe89da6
- hash: c9f3e7766dbe728d84a1243447faa5f5eba0645bf13089074d128ea7663e7f5b
- hash: a2a5e473dba85959b21b7e8a184bc255d5f2dacdf7411b91d212fb1217d2518b
- hash: ba7fc544994f126cb7485ce52d265d2f32e93c4f1ea1fcd6fcdee3918f271979
- hash: 567952daf0ab7b36b017aac9963791188dea0fbf2e99c7cc6f6652ee540f4840
- hash: cc853b3e4504c890d275ac2327f18acd7e4c5b99ca056181f3f5694781f2cf45
- hash: 476c6f36a22156e53548a87291989a21d6c905dcbd9e1bf68ff5bc12e5c8bb07
- hash: 774e40046f353e3f916f39e3d13d6499da35705a479cfb89288c21017aaf5461
- hash: 23e4d8af5425dae022793450190c8d30809b2986dd879eb4bff557cdacf49c86
- hash: 95577498d23fe750221a5badfc25b5e9f020dcf4d80c79a019b090e3c3b0a32a
- hash: 2a4fed04d792b9c2fdf9c1456a08ca23eda5fef50c0b409ab294ad489e12d801
- hash: 7e42d25e707d29d5d185a4c5dc71019f744e88a30b66bbf06949194ff32dbc48
- hash: d59e1914d76499fa51bf861f418c84bda0b48913dc39bd2e73756e326e4ccbb0
- hash: 17b1d836c2f15a97be0350879943b04e14bc076cf09e31df0d73258ee10f7e7c
- hash: 01d2afea0f2201a3b59765a1a60ba324ff4b8fdd25f23a0e05824b97f195b27c
- domain: s3.ru-3.storage.selcloud.ru
- domain: bots.pepesoft.ru
- hash: 21b4be57bd3743738393f44d9464e212
- hash: 5bd610283d9c4b4ead45ca4f1b35d0f4
- hash: d6b2c2d2851a63b90e7210a943d0fdf6
- hash: 642bfeae924b9d4e6ed642b5946ac8e745cfc531
- url: https://s3.ru-3.storage.selcloud.ru
- domain: grandrp.su
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
Description
Eleven malicious NuGet packages masquerade as game cheats for popular games and act as first-stage downloaders. They use DNS-over-HTTPS to evade local controls, request UAC elevation to resync system time, and download a second-stage PyInstaller payload named pepesoft.exe. The payload performs hardware fingerprinting, enforces licensing via Google Sheets telemetry, respects remote ban-lists, and some variants enable remote control and screenshot capture via Telegram bot commands. All packages share AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator offering a commercial game-automation service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves eleven malicious NuGet packages distributed as .NET command-line tools that impersonate game utilities and cheats for games such as Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package acts as a first-stage downloader using DNS-over-HTTPS to bypass local network controls and requests UAC elevation to resynchronize system time. They then fetch a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face repositories under the username pepegit666. The payload binds to hardware fingerprints, enforces licensing through telemetry data stored in Google Sheets, and honors remote ban-lists. Three variants include Telegram bot command functionality enabling screenshot capture and remote control of infected hosts. The packages share identical AWS credentials and mutex identifiers, indicating a single Russian-speaking operator running a commercial game-automation service marketed via pepesoft.ru and a Telegram channel.
Potential Impact
The malicious NuGet packages can lead to unauthorized remote control of Windows hosts, including screenshot capture and execution of commands via Telegram bots. The use of DNS-over-HTTPS and UAC elevation requests facilitates evasion of local security controls. Hardware fingerprinting and licensing enforcement mechanisms complicate detection and removal. The threat enables persistent surveillance and potential data exfiltration on infected systems.
Mitigation Recommendations
No official patch or remediation is available as this is a supply chain malware campaign involving malicious NuGet packages. Users should avoid installing untrusted or unofficial NuGet packages, especially those purporting to be game cheats or utilities. Security teams should monitor for installation of suspicious .NET command-line tools and investigate any processes requesting UAC elevation to resync system time. Blocking DNS-over-HTTPS traffic to untrusted endpoints and restricting execution of unknown PyInstaller payloads can help mitigate risk. Since this is not a cloud service, remediation depends on user and organizational vigilance. Patch status is not yet confirmed — check vendor advisories and security community updates for current guidance.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/11-malicious-nuget-tools-pose-as-game-cheats"]
- Adversary
- null
- Pulse Id
- 6a57b568d98a7ae03ccd6071
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashd5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609 | — | |
hash9a2091e6625fc11cfd8f39c17aa271604e66322ee045028946274b988103e35b | — | |
hash900ddb81d27e03967209fee4d17d13deb68eef0e1f10936eb520ca10575cb49e | — | |
hashab58a90eb3682c6dc3389cd700a64f68a19c0dac3d0fa8e3df97ae041f96d4e1 | — | |
hashe6e1049158ceb1971c61388349c81fa6047a7aecb4ff2089ef54a50dcc35dbc0 | — | |
hashd9f7ca9f93a7d188d51db308877b15d0beae932ca0bf4705384fbedf54b454c1 | — | |
hash4d13f1136b13c871c65141b77ec7208488334ac4be511800196adcd328666305 | — | |
hash011926de3d0cc2b970627b9bf0de003e731f8576602dff756d2ab54a9de61972 | — | |
hash79c09e1ffb4804c14ff27d41ec08d4390455c92d65717be0aeeec2697297d76a | — | |
hash5f3a9ebf7039097b3cdbca8609b5b68af07eeb1dbf716ba2817a97fc7c543854 | — | |
hash23808e7638f7a00b1ef9b9f4ca524f8a46cf63be6f6b79fec8e4a3fd1cc82a1e | — | |
hashe8c2618565aa31d7ffe909ebc99040bafcc0ea8df7f5d92fa673bb7ffacb14c9 | — | |
hash6eefe9d5f030d403c72bd4e4caf5bbb9dbc2bd5e15ebb07de153494f458e5eb9 | — | |
hash8ab256dd839aec6638cd46374f4a6664e534b9341bbcdfd9b763e5a27c51ddb7 | — | |
hash6c1f828e4d8395dde8293868c65ba8d86b3b9672ebbbb16e932624706d37d832 | — | |
hash6cbd4bc491deb11040e2b2f91b0b4e129af551a802fc78cb42e0e985297ef44c | — | |
hash5d9843126db4223dc2a8a9cd4a627286fe1a6345e33b28e9c98b5fe56fe89da6 | — | |
hashc9f3e7766dbe728d84a1243447faa5f5eba0645bf13089074d128ea7663e7f5b | — | |
hasha2a5e473dba85959b21b7e8a184bc255d5f2dacdf7411b91d212fb1217d2518b | — | |
hashba7fc544994f126cb7485ce52d265d2f32e93c4f1ea1fcd6fcdee3918f271979 | — | |
hash567952daf0ab7b36b017aac9963791188dea0fbf2e99c7cc6f6652ee540f4840 | — | |
hashcc853b3e4504c890d275ac2327f18acd7e4c5b99ca056181f3f5694781f2cf45 | — | |
hash476c6f36a22156e53548a87291989a21d6c905dcbd9e1bf68ff5bc12e5c8bb07 | — | |
hash774e40046f353e3f916f39e3d13d6499da35705a479cfb89288c21017aaf5461 | — | |
hash23e4d8af5425dae022793450190c8d30809b2986dd879eb4bff557cdacf49c86 | — | |
hash95577498d23fe750221a5badfc25b5e9f020dcf4d80c79a019b090e3c3b0a32a | — | |
hash2a4fed04d792b9c2fdf9c1456a08ca23eda5fef50c0b409ab294ad489e12d801 | — | |
hash7e42d25e707d29d5d185a4c5dc71019f744e88a30b66bbf06949194ff32dbc48 | — | |
hashd59e1914d76499fa51bf861f418c84bda0b48913dc39bd2e73756e326e4ccbb0 | — | |
hash17b1d836c2f15a97be0350879943b04e14bc076cf09e31df0d73258ee10f7e7c | — | |
hash01d2afea0f2201a3b59765a1a60ba324ff4b8fdd25f23a0e05824b97f195b27c | — | |
hash21b4be57bd3743738393f44d9464e212 | — | |
hash5bd610283d9c4b4ead45ca4f1b35d0f4 | — | |
hashd6b2c2d2851a63b90e7210a943d0fdf6 | — | |
hash642bfeae924b9d4e6ed642b5946ac8e745cfc531 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domains3.ru-3.storage.selcloud.ru | — | |
domainbots.pepesoft.ru | — | |
domaingrandrp.su | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://s3.ru-3.storage.selcloud.ru | — |
Threat ID: 6a5803ac68715ace4390f612
Added to database: 07/15/2026, 22:03:24 UTC
Last enriched: 07/15/2026, 22:17:38 UTC
Last updated: 07/15/2026, 22:17:38 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.