VYPR
researchPublished Jul 15, 2026· 1 source

Malicious NuGet Packages Masquerade as Game Cheats to Steal Data

Researchers have uncovered 11 malicious NuGet packages disguised as game cheats and tools, deploying a sophisticated two-stage attack to steal sensitive gamer data via Telegram bots.

Security researchers have identified a new threat targeting the gaming community, with 11 malicious NuGet packages being distributed under the guise of game cheats, bots, and management tools. These packages are designed to compromise gamers playing popular titles such as Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty. Once installed, the malicious code silently deploys a remote-access payload capable of capturing live screenshots of victims' screens, thereby exposing sensitive information directly to threat actors.

The attack chain, detailed by Socket, is structured into two distinct stages. The first stage involves a .NET tool downloader, distributed as a DotnetTool package. This downloader's primary function is to fetch and execute a second-stage Windows executable named pepesoft.exe. To ensure its operations remain undetected and bypass network defenses, the downloader resolves GitHub hosts using DNS-over-HTTPS, circumventing local system resolvers and network DNS sinkholes. Notably, 10 of the 11 samples aggressively request User Account Control (UAC) elevation, often under the pretext of syncing the Windows clock, to gain higher privileges before downloading the main payload.

All 11 downloader packages share identical hardcoded AWS-style key material and a common process mutex GUID, indicating a unified toolchain and infrastructure controlled by a single operator. These cloud credentials are then passed to the secondary payload as environment variables, allowing the malware's cloud storage engine to self-configure without embedding sensitive secrets directly into the executable. This method aligns with observed trends in supply chain attacks where threat actors leverage credential-harvesting malware within open-source repository environments.

Upon execution, the pepesoft.exe payload interacts with Google Sheets to maintain a persistent log of victim data. The telemetry collected includes hardware fingerprints, system hostnames, GPU and CPU models, IP-based geolocation, and OS activation status. The malware also implements a server-side kill switch by checking a remote HWID/UUID ban-list on each launch, enabling the operator to centrally manage compromised endpoints.

The second stage of the attack varies slightly depending on the target. Three specific payloads, targeting Albion, Calculator, and Throne, are delivered as direct Python bytecode and feature integrated Telegram bot commands. These allow external users to trigger unauthorized screenshot captures of the active game window, the full desktop, or specific program processes via a /start command in the attacker's Telegram chat. This functionality mirrors modern remote execution exploits, enabling stealthy data exfiltration.

The remaining eight payloads, protected by PyArmor, employ an automated fallback mechanism. If Google Sheets is blocked, they reroute traffic through a hardcoded, authenticated proxy, effectively undermining basic network-level blocking attempts. These variants also modify Windows Installer registry policies and can initiate a destructive cleanup routine to recursively wipe application working folders.

Evidence strongly suggests a Russian-speaking operator is behind this campaign. Indicators include Russian-language console output, Russian build comments within the code, the targeting of Russian-speaking roleplay game communities, and a storefront advertising "bots without bans." Socket has reported these malicious packages to the NuGet security team for remediation, aiming to prevent further distribution and compromise.

This campaign highlights the persistent threat posed by malicious packages in software supply chains, particularly within communities where users may be more inclined to download unofficial tools. Gamers are urged to exercise extreme caution and only download software from trusted sources to avoid falling victim to such attacks.

Synthesized by Vypr AI