Home / Companies / Socket / Blog / Post Details
Content Deep Dive

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

Blog post from Socket

Post Details
Company
Date Published
Author
Kush Pandya
Word Count
4,726
Company Posts That Month
11
Language
English
Hacker News Points
-
Post removed?
No
Summary

Socket's Threat Research Team identified 11 malicious NuGet packages masquerading as game utilities and bots, which are actually first-stage downloaders that fetch a secondary payload named pepesoft.exe. These packages, presented as .NET tools, use DNS-over-HTTPS to bypass system resolvers and aim to retrieve and execute a secondary payload from GitHub and Hugging Face, with a BitTorrent fallback code present but inactive. The payloads utilize AWS-style keys to access configurations, authenticate to Google Sheets, and can bind activations to hardware, with the ability to enforce a remote hardware ban-list. Notably, the direct-bytecode payloads include Telegram bot commands for remote control, such as capturing screenshots, posing a threat to privacy by potentially exposing sensitive information. The shared infrastructure and indicators point to a Russian-speaking operator using these tools for game-automation cheating services rather than legitimate development. The report has led to requests for the removal of these packages from NuGet and account suspension for the publisher.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.