Fake Game Cheats Become Dangerous Spyware: 11 Malicious NuGet Packages Secretly Spy on Windows Gamers + Video

Listen to this Post

Featured ImageIntroduction: A New Supply Chain Threat Hidden Behind Gaming Tools

Cybercriminals continue to abuse trusted software ecosystems to distribute malware, and the latest campaign uncovered by Socket’s Threat Research Team demonstrates just how dangerous this trend has become. Instead of targeting developers with traditional backdoors or cryptocurrency stealers, the attackers disguised malicious NuGet packages as popular gaming utilities, cheat engines, bots, and management panels for widely played online games.

What appears to be a harmless .NET command-line tool quickly transforms into a sophisticated spyware platform capable of collecting extensive system information, enforcing hardware licensing, communicating with cloud infrastructure, and even capturing screenshots through Telegram commands. The campaign highlights a growing shift where attackers exploit open-source package repositories to reach gamers, developers, and enthusiasts who often trust package managers without carefully inspecting their contents.

Although the packages pretend to enhance gameplay for titles like Albion Online, GTA5RP, GrandRP, Majestic RP, Lineage 2, Throne and Liberty, and Russian Fishing 4, their true purpose is surveillance. The discovery once again proves that software supply chain attacks are no longer limited to enterprise environments—they now target everyday users through communities built around gaming.

Malicious NuGet Packages Disguised as Gaming Utilities

Socket researchers identified 11 malicious NuGet packages uploaded as DotnetTool (.NET CLI) packages. These packages impersonate useful gaming utilities including bots, automation tools, cheat software, and administration panels.

Rather than delivering legitimate functionality, each package installs a hidden downloader responsible for retrieving a second-stage malware payload called pepesoft.exe.

The researchers immediately reported all identified packages to NuGet while requesting both package removal and suspension of the publisher responsible for uploading them.

A Two-Stage Infection Chain Designed for Stealth

The malware operates through a carefully designed two-stage infection process.

Initially, the victim installs what appears to be a normal .NET tool. Hidden inside the package is a malicious downloader located within the tools/net8.0/any/ directory.

When executed, the downloader displays convincing Russian-language messages such as:

Launching, please wait

Downloading assets

These messages imitate legitimate software updates, reducing suspicion while the downloader secretly contacts attacker-controlled infrastructure.

After establishing communication, it downloads pepesoft.exe, launches it automatically, and begins the real surveillance operation.

Windows Mutex Prevents Multiple Infections

To avoid conflicts between multiple running instances, the downloader creates the Windows mutex:

Global{5BD61028-3D9C-4B4E-AD45-CA4F1B35D0F4}

If another copy is already running, the malware exits silently.

This simple technique is commonly used by professional malware families to improve operational stability while avoiding duplicate executions.

Dormant BitTorrent Components Raise Questions

Researchers also discovered bundled libraries including:

MonoTorrent

Mono.Nat

Interestingly, none of the analyzed malware samples actively used BitTorrent functionality.

This suggests the attackers may have planned future peer-to-peer payload delivery or abandoned an earlier distribution mechanism during development.

Dormant code often indicates that malware continues evolving long after initial deployment.

Payload Downloaded from Trusted Cloud Services

One particularly concerning aspect of the campaign is the abuse of trusted online platforms.

Instead of using suspicious servers, the downloader retrieves pepesoft.exe from repositories hosted on:

GitHub Releases

Hugging Face

The infrastructure is associated with the username:

pepegit666

Different gaming packages reference different release tags, making each package appear unique while delivering nearly identical malware.

Examples include release names referencing Albion Online, GTA5RP, Throne, and other games.

Using reputable cloud services makes blocking the campaign significantly harder because security products often trust these domains.

Python Malware Hidden Inside PyInstaller

The downloaded payload is not a traditional Windows executable written in C++.

Instead, researchers found that pepesoft.exe is actually a Python application packaged with PyInstaller.

PyInstaller allows attackers to distribute Python malware as standalone Windows executables without requiring Python to be installed on the victim’s machine.

This technique has become increasingly popular because Python enables rapid malware development while remaining highly portable.

Cloud Infrastructure Coordinates Every Infection

Once active, the malware downloads a configuration file named:

service.json

The configuration is retrieved through a Cloudflare Worker with a backup storage location hosted on an S3-compatible Selectel bucket.

This redundant infrastructure ensures malware remains functional even if one hosting provider disables the malicious content.

Cloudflare Workers also make attribution significantly more difficult because they hide backend infrastructure.

Google Sheets Used as a Malware Command Database

Instead of deploying expensive command-and-control servers, the attackers leveraged Google Sheets as part of their operational infrastructure.

Embedded service account credentials authenticate directly with Google APIs.

Researchers discovered that infected systems upload licensing status, hardware fingerprints, and victim information into operator-controlled spreadsheets.

Using cloud productivity platforms for malware management blends malicious traffic with legitimate encrypted HTTPS communications.

Hardware Fingerprinting Locks Victims to One Device

The spyware generates a detailed hardware fingerprint using multiple identifiers including:

Hardware UUID

Disk serial number

MAC address

CPU information

Motherboard details

GPU information

These identifiers are combined to create a unique device profile.

The attackers then bind activation keys to specific hardware while maintaining centralized tracking of infected systems.

Remote Ban Lists Control Malware Execution

An unusual feature of the campaign is remote license enforcement.

The malware downloads a worksheet containing banned hardware fingerprints.

If a

This capability allows operators to selectively disable infections, revoke access, or avoid executing on unwanted targets.

Extensive System Surveillance

Several malware variants dramatically expand surveillance capabilities.

Researchers observed collection of:

Windows username

Computer hostname

Windows version

Screen resolution

Processor specifications

GPU information

Active application window

Internet connectivity

Network statistics

IP-based geolocation

This creates a comprehensive profile of every infected computer.

Such intelligence can later support credential theft, identity profiling, or targeted attacks.

Telegram-Controlled Screenshot Collection

The most alarming capability is remote screenshot collection.

Certain malware variants integrate Telegram bot functionality allowing operators to issue commands remotely.

Commands include:

/screen

and

/pscreen

Depending on the malware version, attackers can capture:

Active game windows

Pepesoft application windows

Entire desktop sessions

If browser windows, cryptocurrency wallets, password managers, banking portals, recovery phrases, or private conversations are visible, they become exposed instantly.

Unlike traditional keyloggers, screenshot malware can bypass many protections by capturing exactly what users see.

Gamers Are No Longer the Only Targets

Although these packages impersonate gaming tools, the underlying techniques are equally dangerous for developers and IT professionals.

Anyone installing unverified NuGet packages could unknowingly introduce malware into personal workstations or development environments.

Because the malware abuses legitimate package repositories and trusted cloud services, traditional security awareness alone may not be enough to prevent compromise.

Indicators of Compromise (IOCs)

Known malicious packages include:

albion-x-x

amazing-x-x

Additional package variants target multiple online games using similar naming conventions.

Security teams should verify installed NuGet tools, inspect recent package activity, and investigate any unexpected outbound connections to cloud-hosted resources associated with the campaign.

Deep Analysis

This campaign represents a modern software supply chain attack where trust is weaponized instead of broken through obvious exploits. Rather than exploiting Windows vulnerabilities, the attackers rely on victims voluntarily installing malicious packages from a trusted ecosystem. This significantly lowers detection rates because package managers themselves remain uncompromised.

The use of GitHub Releases, Hugging Face, Cloudflare Workers, Google Sheets, and Selectel storage demonstrates how threat actors increasingly hide within legitimate cloud infrastructure. Security products cannot simply block these providers without disrupting normal business operations.

The hardware licensing mechanism is also unusual. While licensing systems are common in commercial software, integrating them into spyware allows operators to manage victims like paying customers. This indicates the malware may support subscription-based cheat communities where access is controlled through activation keys.

The Telegram screenshot capability introduces substantial privacy risks. Screenshots frequently expose sensitive information that traditional credential stealers cannot access, including QR authentication codes, cryptocurrency seed phrases, confidential documents, cloud dashboards, and corporate messaging platforms.

Useful Detection Commands

Inspect installed .NET tools:

dotnet tool list -g

Search for suspicious packages:

dotnet tool list –global

Look for the malware executable:

Get-ChildItem -Path C:\ -Filter pepesoft.exe -Recurse

Search Windows Event Logs:

Get-WinEvent -LogName Security

Identify running processes:

tasklist

PowerShell process inspection:
Get-Process

Network connections:

netstat -ano

Check startup persistence:

Get-CimInstance Win32_StartupCommand

Inspect scheduled tasks:

Get-ScheduledTask

Hunt for the known mutex within memory using EDR or memory forensics tools.

Review outbound HTTPS traffic toward GitHub Releases, Hugging Face, Cloudflare Workers, and unexpected Google API communications associated with newly installed NuGet tools.

Organizations should implement package verification, software allowlisting, code signing validation, and repository monitoring to reduce the likelihood of similar attacks succeeding.

What Undercode Say:

This campaign is another reminder that software supply chain attacks are rapidly evolving beyond developer-focused ecosystems and into consumer communities such as online gaming. The attackers did not need sophisticated Windows exploits because they exploited something far more valuable: user trust.

The use of NuGet demonstrates that every package manager has become an attractive attack surface. Whether it is npm, PyPI, NuGet, Maven, RubyGems, or Cargo, attackers understand that many users install packages without reviewing their publishers or source code.

One of the most notable technical decisions is the heavy reliance on legitimate cloud platforms. GitHub, Hugging Face, Google Sheets, and Cloudflare all provide encrypted communication channels that blend seamlessly with normal internet traffic. This makes network-based detection considerably more difficult.

The hardware-based licensing model suggests the malware operators are running their infrastructure like a commercial software business. They can activate, revoke, and manage victims individually while tracking infected systems through cloud-hosted spreadsheets. This level of operational organization is increasingly common among financially motivated cybercriminals.

The Telegram integration is equally significant. Instead of maintaining expensive command-and-control servers, attackers simply leverage Telegram’s existing infrastructure for remote management. This reduces operational costs while providing reliable communication.

From a defensive perspective, organizations should stop assuming that open-source repositories are inherently trustworthy. Package verification, publisher reputation analysis, dependency scanning, and software composition analysis should become standard security practices.

Gamers should be especially cautious because cheat communities often normalize downloading unsigned executables from unofficial sources. Threat actors understand this culture and exploit it aggressively.

Developers should adopt package pinning, checksum verification, and internal mirrors for third-party dependencies. Automated dependency auditing can detect suspicious updates before they reach production environments.

Security vendors should also improve behavioral detection rather than relying solely on reputation systems. Malware hosted on trusted cloud providers may appear completely legitimate until runtime behavior reveals its true purpose.

Finally, this campaign illustrates a broader cybersecurity trend: modern malware increasingly resembles commercial software. It includes licensing systems, cloud dashboards, update mechanisms, redundancy, and centralized management. As attackers professionalize their operations, defenders must adopt equally sophisticated monitoring and verification strategies.

✅ Confirmed:

✅ Confirmed: The malware uses legitimate cloud services including GitHub Releases, Hugging Face, Cloudflare Workers, and Google Sheets to host payloads, retrieve configurations, and manage infected systems, making detection more challenging.

❌ Not Confirmed: There is currently no public evidence that this campaign exploited vulnerabilities within NuGet itself. The attack relied on users installing malicious packages, not on compromising the NuGet platform or bypassing Microsoft’s repository security.

Prediction

(+1) Security vendors will expand behavioral analysis for NuGet, npm, PyPI, and other package ecosystems, enabling earlier detection of malicious packages that abuse trusted cloud infrastructure.

(-1) Threat actors are likely to continue targeting gaming communities with increasingly sophisticated fake utilities, integrating stronger persistence mechanisms, encrypted communications, and AI-assisted evasion techniques to avoid traditional security controls.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube