{"id":14312,"date":"2026-07-15T10:03:38","date_gmt":"2026-07-15T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/15\/gamers-download-fake-cheats-and-hand-attackers-a-live-remote-control-of-their-windows-pcs\/"},"modified":"2026-07-15T10:03:38","modified_gmt":"2026-07-15T10:03:38","slug":"gamers-download-fake-cheats-and-hand-attackers-a-live-remote-control-of-their-windows-pcs","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/15\/gamers-download-fake-cheats-and-hand-attackers-a-live-remote-control-of-their-windows-pcs\/","title":{"rendered":"Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs"},"content":{"rendered":"<p>    Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">New research uncovered 11 <a href=\"https:\/\/cybersecuritynews.com\/malicious-nuget-packages-target-browser-credentials\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious NuGet packages disguised<\/a> as game cheats, bots, and management panels for popular online titles. The campaign targets gaming communities playing titles such as Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty.<\/p>\n<p class=\"wp-block-paragraph\">Once installed, these packages quietly deploy a remote-access payload that captures live screenshots of victims\u2019 machines, exposing sensitive information directly to malicious actors.<\/p>\n<p class=\"wp-block-paragraph\">According to Socket\u2019s research, the campaign splits into a structured two-stage attack chain consisting of a .NET tool downloader stage and a PyInstaller-packed Python payload.<\/p>\n<p class=\"wp-block-paragraph\">Distributed as .NET command-line tools under the <code>DotnetTool<\/code> package type, each package acts as a first-stage component that fetches and runs a second-stage Windows executable named <code>pepesoft.exe<\/code>. <\/p>\n<p class=\"wp-block-paragraph\">To ensure successful execution, the downloader resolves GitHub hosts using DNS-over-HTTPS to completely bypass the local system resolver and network DNS sinkholes. <\/p>\n<p class=\"wp-block-paragraph\">Additionally, 10 of the 11 samples aggressively <a href=\"https:\/\/cybersecuritynews.com\/windows-user-account-control-bypassed\/\" target=\"_blank\" rel=\"noreferrer noopener\">request User Account Control (UAC)<\/a> elevation to resync the Windows clock before fetching the primary payload.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"1117\" width=\"2048\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYbiGxVnzw8q1DaC7Iu0vGzeHWCkeZ5xPXzQIHI_xjbHHjhNyLOl6WDX_edNdph_0ulvctNqtHognDMEXOv1WwpmO5-WOfSKstFtna3uombEsTRI5ZZ_3HQjCTmcbzR1b2joYWqB4ipsnEGF81FC08JQOyuAPH2KbpnlJkoYOGQNa1cN33Axa4jl2zYp0\/s1600\/63e1e25e666fa2e5fe34219ab735cd0cf0b3a3a6-2048x1117.webp?resize=2048%2C1117&#038;ssl=1\" alt=\"Attack chain flow: NuGet DotnetTool downloader stages and launches\u00a0pepesoft.exe\"><figcaption class=\"wp-element-caption\"><em>Attack chain flow<\/em> (Image Source: Socket)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">All 11 downloaders share identical hardcoded AWS-style key material and the same process mutex GUID, tying the entire infrastructure to a single toolchain. <\/p>\n<p class=\"wp-block-paragraph\">The downloader passes these cloud credentials to the child payload as environment variables, allowing the malware\u2019s cloud storage engine to configure itself without embedding secrets directly within the secondary executable. <\/p>\n<p class=\"wp-block-paragraph\">Similar supply chain campaigns show that threat actors increasingly leverage credential-harvesting malware to target open-source repository environments.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"2049\" width=\"2000\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi0N2ae3y_5kD9ncihu5V6aTIBloXvGts6_tQ0hA0gAnl-r_2GZNtYoUEBNbJIhSbkfcIfsU74Xk6Yk41R-vmGNEnNtEDql16CkaZT6e9Xwr6zFN7geBbkbMZ_8CMontNeO6AYQaDEyXwcAEStiVdcOYXm6lWh_Dej1j2USC6KlDdMol-9OiEUHxMNteXs\/s1600\/2170b2cfe2fd6f323ede0ab8745d0aced5b5df33-2000x2049.webp?resize=2000%2C2049&#038;ssl=1\" alt=\"Operator staging on GitHub Releases under\u00a0pepegit666\/123f53y45ysdf34\"><figcaption class=\"wp-element-caption\"><em>Operator staging on GitHub Releases<\/em>(Image Source: Socket)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Once running on the compromised machine, <code>pepesoft.exe<\/code> authenticates to Google Sheets to compile a persistent log of victim data. <\/p>\n<p class=\"wp-block-paragraph\">The telemetry <a href=\"https:\/\/socket.dev\/blog\/11-malicious-nuget-tools-pose-as-game-cheats\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">gathered by Socket research includes<\/a> hardware fingerprints, system hostnames, GPU and CPU models, IP-based geolocation, and OS activation status. The malware checks a remote HWID\/UUID ban-list on every launch, giving the operator a centralized server-side kill switch to manage infected endpoints.<\/p>\n<p class=\"wp-block-paragraph\">Three of the payloads, specifically those targeting Albion, Calculator, and Throne, ship as direct Python bytecode. They expose a large-scale game automation framework with integrated Telegram bot commands.<\/p>\n<p class=\"wp-block-paragraph\">Any external user completing the <code>\/start<\/code> command in the attacker\u2019s chat can trigger an unauthorized screenshot capture of the active game window, the full desktop, or targeted program processes. <\/p>\n<p class=\"wp-block-paragraph\">These stealth administrative exposures mirror modern remote execution exploits that target corporate and consumer endpoints alike.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"1116\" width=\"1146\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEikknATmywvu5OZB6RgvmkX6wVh1PCW78_VauYcyG28-hLAvJ3C06V3Atxccc-BSbh7-znnTOKCi6lAH1T-YruboMJD-X8jTw338VRExwp5rodh9eYwV3u44OBj0XFt658Nm7gTsFZofn6zAL9OWh6NJ4omRHy5wB3lzmzwt3SN_KRbugEFeTTr2Qxl3o8\/s1600\/18887f9158bc827b1867286a5edcd25bb0eabafe-1146x1116.webp?resize=1146%2C1116&#038;ssl=1\" alt=\"Socket\u2019s AI Scanner flagging\u00a0amazing-x-x@7.7.8\u00a0as known malware.\"><figcaption class=\"wp-element-caption\"><em>AI Scanner flagging\u00a0<code>amazing-x-x@7.7.8<\/code>\u00a0as known malware<\/em> (Image Source: Socket)<\/figcaption><\/figure>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<td><strong>Target Application Variant<\/strong><\/td>\n<td><strong>Obfuscation \/ Payload Style<\/strong><\/td>\n<td><strong>Primary Ingestion Target<\/strong><\/td>\n<td><strong>Unique Behavioral Trait<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Albion, Calculator, Throne<\/strong><\/td>\n<td>Direct Python Bytecode<\/td>\n<td>Telegram command handlers<\/td>\n<td>Exposes unauthenticated <code>\/start<\/code> remote screenshot loops<\/td>\n<\/tr>\n<tr>\n<td><strong>Amazing RP, GTA5RP, Lineage 2, RMRP<\/strong><\/td>\n<td>PyArmor-Protected Binary<\/td>\n<td>Authenticated proxy fallback<\/td>\n<td>Re-routes blocked Google Sheets traffic via proxy layers<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">Because the screenshot routines record whatever is active on the display, any open password managers, browser sessions, crypto wallets, or private messages visible at capture time are immediately exfiltrated to the attacker\u2019s Telegram interface. <\/p>\n<p class=\"wp-block-paragraph\">The eight PyArmor-protected payloads add an automated fallback that reroutes blocked Google Sheets traffic through a hardcoded authenticated proxy, undermining basic network-level indicator blocking. <\/p>\n<p class=\"wp-block-paragraph\">Furthermore, the direct-bytecode variants modify Windows Installer registry policy on exit and can trigger a destructive cleanup routine that recursively wipes subdirectories in the application\u2019s working folder.<\/p>\n<p class=\"wp-block-paragraph\">Multiple tracking indicators, including Russian-language console output, Russian build comments, targeting of Russian-speaking roleplay game communities, and a storefront (<code>bots.pepesoft[.]ru<\/code>) advertising \u201cbots without bans\u201d strongly point to a Russian-speaking operator running a commercial paid-cheat service.<\/p>\n<p class=\"wp-block-paragraph\">Socket has reported the packages to the NuGet security team for immediate remediation.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer \u2013 <\/strong><a href=\"https:\/\/blackpointcyber.com\/webinar\/webinar-blackpoint-ai-a-decade-in-the-making\/?utm_source=3s_cybersecuritynews&amp;utm_medium=&amp;utm_campaign=26q3_webinar_blackpoint-ai-a-decade-in-the-making&amp;utm_content=&amp;utm_term=\"><strong>Attend a Free Webinar<\/strong><\/a><strong> on AI SOC Agent to contain a live attack.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/game-fake-cheats-remote-access\/\">Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Kavichselvan<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/game-fake-cheats-remote-access\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs New research uncovered 11 malicious NuGet packages disguised as game cheats, bots, and management panels for popular online titles. The campaign targets gaming communities playing titles such as Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty. Once installed, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[701,1636,63],"tags":[130],"class_list":["post-14312","post","type-post","status-publish","format-standard","hentry","category-cyber-attack","category-cyber-attack-news","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14312"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14312"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14312\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}