Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs

Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs










New research uncovered 11 malicious NuGet packages disguised as game cheats, bots, and management panels for popular online titles. The campaign targets gaming communities playing titles such as Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty.

Once installed, these packages quietly deploy a remote-access payload that captures live screenshots of victims’ machines, exposing sensitive information directly to malicious actors.

According to Socket’s research, the campaign splits into a structured two-stage attack chain consisting of a .NET tool downloader stage and a PyInstaller-packed Python payload.

Distributed as .NET command-line tools under the DotnetTool package type, each package acts as a first-stage component that fetches and runs a second-stage Windows executable named pepesoft.exe.

To ensure successful execution, the downloader resolves GitHub hosts using DNS-over-HTTPS to completely bypass the local system resolver and network DNS sinkholes.

Additionally, 10 of the 11 samples aggressively request User Account Control (UAC) elevation to resync the Windows clock before fetching the primary payload.

Attack chain flow: NuGet DotnetTool downloader stages and launches pepesoft.exe
Attack chain flow (Image Source: Socket)

All 11 downloaders share identical hardcoded AWS-style key material and the same process mutex GUID, tying the entire infrastructure to a single toolchain.

The downloader passes these cloud credentials to the child payload as environment variables, allowing the malware’s cloud storage engine to configure itself without embedding secrets directly within the secondary executable.

Similar supply chain campaigns show that threat actors increasingly leverage credential-harvesting malware to target open-source repository environments.

Operator staging on GitHub Releases under pepegit666/123f53y45ysdf34
Operator staging on GitHub Releases(Image Source: Socket)

Once running on the compromised machine, pepesoft.exe authenticates to Google Sheets to compile a persistent log of victim data.

The telemetry gathered by Socket research includes hardware fingerprints, system hostnames, GPU and CPU models, IP-based geolocation, and OS activation status. The malware checks a remote HWID/UUID ban-list on every launch, giving the operator a centralized server-side kill switch to manage infected endpoints.

Three of the payloads, specifically those targeting Albion, Calculator, and Throne, ship as direct Python bytecode. They expose a large-scale game automation framework with integrated Telegram bot commands.

Any external user completing the /start command in the attacker’s chat can trigger an unauthorized screenshot capture of the active game window, the full desktop, or targeted program processes.

These stealth administrative exposures mirror modern remote execution exploits that target corporate and consumer endpoints alike.

Socket’s AI Scanner flagging amazing-x-x@7.7.8 as known malware.
AI Scanner flagging [email protected] as known malware (Image Source: Socket)
Target Application Variant Obfuscation / Payload Style Primary Ingestion Target Unique Behavioral Trait
Albion, Calculator, Throne Direct Python Bytecode Telegram command handlers Exposes unauthenticated /start remote screenshot loops
Amazing RP, GTA5RP, Lineage 2, RMRP PyArmor-Protected Binary Authenticated proxy fallback Re-routes blocked Google Sheets traffic via proxy layers

Because the screenshot routines record whatever is active on the display, any open password managers, browser sessions, crypto wallets, or private messages visible at capture time are immediately exfiltrated to the attacker’s Telegram interface.

The eight PyArmor-protected payloads add an automated fallback that reroutes blocked Google Sheets traffic through a hardcoded authenticated proxy, undermining basic network-level indicator blocking.

Furthermore, the direct-bytecode variants modify Windows Installer registry policy on exit and can trigger a destructive cleanup routine that recursively wipes subdirectories in the application’s working folder.

Multiple tracking indicators, including Russian-language console output, Russian build comments, targeting of Russian-speaking roleplay game communities, and a storefront (bots.pepesoft[.]ru) advertising “bots without bans” strongly point to a Russian-speaking operator running a commercial paid-cheat service.

Socket has reported the packages to the NuGet security team for immediate remediation.

Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.

The post Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs appeared first on Cyber Security News.






Kavichselvan





Go to cyber-security-news





by