Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Flaw in EU Age Verification App Lets Attackers Bypass Checks
July 15, 2026
Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited
July 15, 2026
Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks
July 15, 2026
Home/CyberSecurity News/Fake Game Cheats Deliver Warzone RAT to Gamers’ Windows PCs
CyberSecurity News

Fake Game Cheats Deliver Warzone RAT to Gamers’ Windows PCs

Key Takeaways A new campaign distributes 11 malicious NuGet packages disguised as game cheats and utilities for popular online role-playing games. These packages install a remote access trojan (RAT)...

Emy Elsamnoudy
Emy Elsamnoudy
July 15, 2026 4 Min Read
2 0

Key Takeaways

  • A new campaign distributes 11 malicious NuGet packages disguised as game cheats and utilities for popular online role-playing games.
  • These packages install a remote access trojan (RAT) capable of capturing screenshots and exfiltrating sensitive system data.
  • The attack employs a two-stage process: a .NET downloader followed by a Python-based payload, pepesoft.exe.
  • The threat actors appear to be Russian-speaking and operate a commercial “paid-cheat” service.
  • Users are advised to exercise extreme caution when downloading third-party game utilities and to verify the authenticity of all software sources.

Malicious NuGet Packages Impersonate Game Cheats, Deploy RAT

Recent cybersecurity research has uncovered a sophisticated campaign involving eleven malicious NuGet packages, cunningly disguised as cheats, bots, and management tools for several prominent online games. This operation specifically targets players of titles such as Albion Online, GTA5RP, GrandRP, Majestic RP, and Throne and Liberty, aiming to compromise their Windows PCs.

Table Of Content

  • Key Takeaways
  • Malicious NuGet Packages Impersonate Game Cheats, Deploy RAT
  • Two-Stage Attack Chain Detailed
  • Payload Functionality: Data Exfiltration and Remote Control
  • What You Should Do

Upon installation, these deceptive packages stealthily deploy a remote access payload. This malware is designed to capture live screenshots of the victim’s machine, effectively exposing sensitive personal and system information directly to the attackers.

Two-Stage Attack Chain Detailed

According to comprehensive analysis by Socket, the attack unfolds in a meticulously structured two-stage process. The initial stage involves a .NET tool downloader, which subsequently retrieves and executes a Python payload, packed with PyInstaller, identified as pepesoft.exe.

These packages are distributed as .NET command-line tools under the DotnetTool package type. Each functions as a first-stage component, responsible for fetching and launching the second-stage Windows executable, pepesoft.exe. To ensure the successful delivery of this payload, the downloader employs DNS-over-HTTPS for GitHub host resolution, a technique that bypasses local system resolvers and network DNS sinkholes, enhancing stealth and resilience.

Furthermore, ten of the eleven identified samples aggressively request User Account Control (UAC) elevation. This elevated privilege is sought to synchronize the Windows clock before the primary payload is retrieved, a tactic that can help ensure certificate validity and evade time-based detection mechanisms.

All eleven downloaders share identical hardcoded AWS-style key material and the same process mutex GUID, strongly linking the entire malicious infrastructure to a singular toolchain. The downloader passes these cloud credentials to the child payload as environment variables, enabling the malware’s cloud storage engine to configure itself without embedding sensitive secrets directly within the secondary executable. This approach mirrors other supply chain attacks where threat actors increasingly weaponize credential-harvesting malware to target open-source repository environments.

Payload Functionality: Data Exfiltration and Remote Control

Once pepesoft.exe is active on a compromised system, it authenticates with Google Sheets to maintain a persistent log of victim data. The telemetry gathered by Socket research includes hardware fingerprints, system hostnames, GPU and CPU models, IP-based geolocation, and the operating system’s activation status. The malware also incorporates a remote hardware ID (HWID)/UUID ban-list check at every launch, providing the operator with a centralized server-side kill switch to manage infected endpoints.

Notably, three of the payloads—specifically those targeting Albion, Calculator, and Throne—are delivered as direct Python bytecode. These variants expose an extensive game automation framework with integrated Telegram bot commands. An external user can initiate an unauthorized screenshot capture of the active game window, the full desktop, or specific program processes by simply issuing the /start command in the attacker’s Telegram chat. These covert administrative exposures are reminiscent of modern remote execution exploits targeting both corporate and consumer endpoints.

The screenshot routines are particularly insidious, as they record whatever is visible on the display. This means any open password managers, active browser sessions, cryptocurrency wallets, or private messages present at the time of capture are immediately exfiltrated to the attacker’s Telegram interface.

The remaining eight PyArmor-protected payloads include an automated fallback mechanism. This feature reroutes blocked Google Sheets traffic through a hardcoded authenticated proxy, effectively undermining basic network-level indicator blocking. Moreover, the direct-bytecode variants alter Windows Installer registry policy upon exit and can trigger a destructive cleanup routine that recursively wipes subdirectories within the application’s working folder.

Multiple indicators point to a Russian-speaking operator behind this campaign. These include Russian-language console output, Russian build comments, the specific targeting of Russian-speaking role-play game communities, and an online storefront (bots.pepesoft[.]ru) advertising “bots without bans.” This evidence strongly suggests a commercial paid-cheat service run by Russian-speaking actors.

Socket has proactively reported these malicious packages to the NuGet security team for prompt remediation.

What You Should Do

  • Avoid Untrusted Sources: Only download game cheats, bots, or utility tools from official game developers or highly reputable and verified sources.
  • Verify Package Authenticity: If using NuGet or similar package managers, always verify the publisher and integrity of packages before installation. Look for official documentation and community reviews.
  • Run Antivirus/Anti-Malware Scans: Ensure your antivirus and anti-malware software are up-to-date and perform regular scans of your system.
  • Enable UAC: Keep User Account Control (UAC) enabled on Windows to be prompted before unauthorized changes are made to your system.
  • Monitor Network Activity: Be vigilant for unusual network connections, especially those bypassing standard DNS resolution or connecting to suspicious cloud services.
  • Educate Yourself: Understand the risks associated with downloading and executing third-party software, particularly “cheats” or “hacks” that promise an unfair advantage in games.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical LegacyHive Windows 0-Day Lets Attackers Load Other User Registries

Next Post

Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Active Directory Zero-Day Actively Exploited
July 15, 2026
Critical BitLocker Vulnerability Lets Attackers Bypass Windows Security
July 15, 2026
Notepad++ Vulnerabilities Enable PowerShell Command Injection
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us