11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
Socket’s Threat Research Team analyzed 11 malicious NuGet DotnetTool packages that disguise themselves as game utilities, bots, and “panels” while downloading and executing a second-stage payload named pepesoft.exe from GitHub Releases and Hugging Face. The campaign uses remote configuration, Google Sheets telemetry, hardware binding, a ban-list, and in some variants Telegram screenshot automation, and it was reported to the NuGet security team for removal. #pepegit666 #pepesoft.exe #NuGet

Keypoints

  • 11 malicious NuGet DotnetTool packages were identified, each posing as a game-related utility, bot, or “panel.”
  • Each package acts as a first-stage downloader that retrieves and runs pepesoft.exe from operator-controlled GitHub Releases and Hugging Face paths under pepegit666.
  • The downloader uses DNS-over-HTTPS to resolve GitHub hosts and 10 of 11 samples request elevation to resync the Windows clock before downloading.
  • The payload uses hardcoded AWS-style credentials to fetch remote configuration, authenticate to Google Sheets, and support cloud-backed licensing and telemetry.
  • The recovered payloads implement hardware fingerprint binding, a remote ban-list, and product-sheet based activation enforcement.
  • Three direct-bytecode variants, Albion, Calculator, and Throne, also include Telegram bot handlers that can capture and send screenshots and expose additional automation features.
  • The campaign was reported to the NuGet security team, with requests to remove the packages and suspend the publisher account.

MITRE Techniques

  • [T1195.002 ] Supply Chain Compromise: Compromise Software Supply Chain – The attacker abuses NuGet DotnetTool packages as the delivery vector for malicious code (‘malicious NuGet packages published as .NET command-line tools’).
  • [T1608.001 ] Stage Capabilities: Upload Malware – The operator stages the second-stage payload on GitHub Releases and Hugging Face for retrieval (‘fetches and executes a second-stage Windows payload named pepesoft.exe’).
  • [T1105 ] Ingress Tool Transfer – The downloader pulls pepesoft.exe from remote staging locations (‘download sources for pepesoft.exe’, ‘tries them in order’).
  • [T1140 ] Deobfuscate/Decode Files or Information – The payload reconstructs and decrypts embedded data using base64, zlib, and Fernet (‘reconstructs embedded data from base64 and zlib’, ‘decrypts it with Fernet’).
  • [T1027.002 ] Obfuscated Files or Information: Software Packing – pepesoft.exe is packed with PyInstaller and some modules are protected with PyArmor (‘pepesoft.exe is a PyInstaller bundle’, ‘wrapped with pyarmor_runtime_015050’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The malware uses HTTP/S-based services such as GitHub, Hugging Face, Google Sheets, AWS-style endpoints, and a Cloudflare Worker (‘authenticate to Google Sheets’, ‘fetch service.json through the Worker URL’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – The downloader launches hidden PowerShell to start Windows Time and resync the clock (‘Start-Service w32time; w32tm /resync’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The downloader and payload execute commands through cmd.exe and batch files (‘cmd.exe /C’, ‘shutdown.bat kills helper processes’).
  • [T1113 ] Screen Capture – The direct-bytecode payloads capture screenshots and send them through Telegram (‘captures the GTA process window’, ‘sends it with reply_photo’).
  • [T1082 ] System Information Discovery – The payload collects system details such as CPU, GPU, memory, disk, network status, and OS data (‘writes start and exit telemetry’, ‘inventory fields’).
  • [T1057 ] Process Discovery – The decoded inner blobs gather process and window metadata (‘visible large-window metadata, including process name, window title’).
  • [T1016 ] System Network Configuration Discovery – The payload checks internet status, ping, and related network information (‘internet status’, ‘ping results’).
  • [T1567 ] Exfiltration Over Web Service – Data is written out to Google Sheets and screenshots are delivered through Telegram (‘Google Sheets telemetry’, ‘sends screenshots back to the configured chat’).
  • [T1090.002 ] Proxy: External Proxy – The PyArmor-protected payloads can route Sheets traffic through a hardcoded authenticated proxy (‘retry the same Sheets authentication and traffic through a hardcoded authenticated HTTP proxy’).
  • [T1112 ] Modify Registry – The exit handler deletes Windows Installer policy values (‘deletes DisableLogging and DisableMSI values from HKLMSoftwarePoliciesMicrosoftWindowsInstaller’).
  • [T1070.004 ] Indicator Removal: File Deletion – The payload and generated batch files delete local files and folders (‘deleted after a short delay’, ‘deletes every non-EXE file’).

Indicators of Compromise

  • [Domains and URLs ] Operator staging and command infrastructure – github[.]com/pepegit666/123f53y45ysdf34, huggingface[.]co/buckets/pepegit666, calm-voice-9797.888c888x888[.]workers[.]dev, bots.pepesoft[.]ru, t[.]me/pepesoft777, dns.google/resolve, and s3[.]ru-3[.]storage[.]selcloud[.]ru
  • [IP:Port ] Authenticated proxy used by PyArmor-protected payloads – 196[.]16[.]3[.]71:9528
  • [File names ] Downloader and payload artifacts – pepesoft.exe, albion.dll, gta5rp.dll, lineage2.dll, setup.dll, gtaobus.pyc, shutdown.bat, version.meta, chat_ids.txt, screenshot_test.png
  • [File hashes ] Downloader and payload hashes – d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609, e8c2618565aa31d7ffe909ebc99040bafcc0ea8df7f5d92fa673bb7ffacb14c9, and 2 more downloader hashes; 567952daf0ab7b36b017aac9963791188dea0fbf2e99c7cc6f6652ee540f4840, cc853b3e4504c890d275ac2327f18acd7e4c5b99ca056181f3f5694781f2cf45, and 2 more gtaobus.pyc hashes
  • [Credentials and keys ] Hardcoded cloud access material used by the campaign – 5bd610283d9c4b4ead45ca4f1b35d0f4, 21b4be57bd3743738393f44d9464e212, and AWS_CONFIG_KEY pointing to the Cloudflare Worker
  • [Process artifact ] Single-instance mutex – Global{5BD61028-3D9C-4B4E-AD45-CA4F1B35D0F4}
  • [Cloud/config objects ] Remote configuration and storage objects – service.json, google service-account credentials, and Google Sheets worksheets such as STAT, ALBIONBOTMAIN, GTA5RPCALC, THRONE, and banned


Read more: https://socket.dev/blog/11-malicious-nuget-tools-pose-as-game-cheats