216.73.217.19

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

· Published 15/07/2026 18:29

Export JSON

Essential information

Published
15/07/2026 18:29
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
dns-over-https evasion game cheats google sheets telemetry hardware fingerprinting nuget supply chain pepesoft.exe pyinstaller payload screenshot exfiltration telegram bot control
Related entities
35 indicators, 4 observables, 25 techniques (mitre), 1 malware

Description

Eleven malicious NuGet packages distributed as .NET command-line tools masquerade as game utilities and cheats for popular games including Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package functions as a first-stage downloader that uses DNS-over-HTTPS to bypass local controls, requests UAC elevation to resync system time, and fetches a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face under username pepegit666. The payload binds to hardware fingerprints, enforces licensing through Google Sheets telemetry, honors remote ban-lists, and in three variants exposes Telegram bot commands enabling screenshot capture and remote control. All packages share identical AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator running a commercial game-automation service marketed through pepesoft.ru and Telegram channel pepesoft777.

External references