11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
Blog post from Socket
Socket's Threat Research Team identified 11 malicious NuGet packages masquerading as game utilities and bots, which are actually first-stage downloaders that fetch a secondary payload named pepesoft.exe. These packages, presented as .NET tools, use DNS-over-HTTPS to bypass system resolvers and aim to retrieve and execute a secondary payload from GitHub and Hugging Face, with a BitTorrent fallback code present but inactive. The payloads utilize AWS-style keys to access configurations, authenticate to Google Sheets, and can bind activations to hardware, with the ability to enforce a remote hardware ban-list. Notably, the direct-bytecode payloads include Telegram bot commands for remote control, such as capturing screenshots, posing a threat to privacy by potentially exposing sensitive information. The shared infrastructure and indicators point to a Russian-speaking operator using these tools for game-automation cheating services rather than legitimate development. The report has led to requests for the removal of these packages from NuGet and account suspension for the publisher.
No tracked trend matches for this post yet.
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.