11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
Essential information
- Published
- 15/07/2026 18:29
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- dns-over-https evasion game cheats google sheets telemetry hardware fingerprinting nuget supply chain pepesoft.exe pyinstaller payload screenshot exfiltration telegram bot control
- Related entities
- 35 indicators, 4 observables, 25 techniques (mitre), 1 malware
Description
Eleven malicious NuGet packages distributed as .NET command-line tools masquerade as game utilities and cheats for popular games including Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package functions as a first-stage downloader that uses DNS-over-HTTPS to bypass local controls, requests UAC elevation to resync system time, and fetches a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face under username pepegit666. The payload binds to hardware fingerprints, enforces licensing through Google Sheets telemetry, honors remote ban-lists, and in three variants exposes Telegram bot commands enabling screenshot capture and remote control. All packages share identical AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator running a commercial game-automation service marketed through pepesoft.ru and Telegram channel pepesoft777.