Recent research has unveiled a troubling cybersecurity threat targeting gaming communities. Hackers have embedded 11 malicious NuGet packages in what appear to be game cheats and management tools for popular online games. The affected games include Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty. Once installed, these packages enable attackers to gain remote control over users’ Windows PCs, capturing live screenshots and compromising sensitive data.
How the Attack Works
This malicious campaign employs a sophisticated two-stage attack method. Initially, a .NET tool downloader is used, followed by the deployment of a Python payload through PyInstaller. The campaign utilizes .NET command-line tools classified under the DotnetTool package type. These tools act as first-stage components that download and execute a Windows executable named pepesoft.exe.
To circumvent local systems and network DNS protections, the downloader uses DNS-over-HTTPS to resolve GitHub hosts. Additionally, most samples request User Account Control (UAC) elevation to sync the Windows clock before downloading the main payload.
Technical Infrastructure and Threat Analysis
All involved downloaders share identical AWS-style credentials and a common process mutex GUID, linking them to a centralized toolchain. These credentials are passed to the secondary payload via environment variables, enabling the malware to configure its cloud storage engine without embedding secrets directly.
Research indicates a rising trend in credential-harvesting malware targeting open-source repositories. Once operational on a compromised machine, pepesoft.exe connects to Google Sheets to log victim data, including hardware specifics, system hostnames, and geolocation. This enables the operator to manage infected systems using a centralized kill switch.
Impact and Evidence
The attack affects various game titles, with some payloads delivered as Python bytecode, featuring Telegram bot command integration. These commands can trigger unauthorized screenshot captures, exfiltrating visible data from password managers, browser sessions, and more.
The PyArmor-protected payloads reroute blocked Google Sheets traffic via authenticated proxies, further complicating network-level defenses. Some variants alter Windows Installer policies to execute destructive cleanup routines upon exit.
Indicators such as Russian-language console output and targeting of Russian-speaking gaming communities suggest a Russian-speaking operator is behind this campaign. These findings have been reported to the NuGet security team for urgent action.
This threat highlights the critical need for vigilance in cybersecurity, especially within gaming communities. Users are advised to be wary of downloading tools from untrusted sources and to employ robust security measures to protect their systems.
