11 Malicious NuGet Packages Disguised as Game Cheats Deploy Windows Surveillance Malware

Researchers have uncovered 11 malicious NuGet packages posing as game cheats and utilities that deploy Windows surveillance malware capable of device fingerprinting and remote screenshot capture.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Developer workstation representing a maliDeveloper workstation representing a malicious package discovered in a software repositorycious package discovered in a software repository

Developer workstation representing a maliDeveloper workstation representing a malicious package discovered in a software repositorycious package discovered in a software repository

Security researchers at Socket have uncovered 11 malicious NuGet packages masquerading as game cheats, bots, and management panels that deliver a Windows surveillance capable payload. The packages were uploaded as .NET command line tools and targeted players of several popular online games, including Albion Online, GTA5RP, GrandRP, Majestic RP, Lineage 2, Throne and Liberty, and Russian Fishing 4. Researchers have reported the packages to NuGet and requested removal of both the packages and the publisher account.

A two stage delivery chain

The campaign works in two stages. A malicious .NET downloader, installed directly through NuGet, retrieves and launches a second stage executable named pepesoft.exe. All 11 packages contain this downloader assembly, displaying Russian language messages resembling a normal software updater, such as prompts to wait while assets download, to avoid raising suspicion during installation. The packages share a Windows mutex to prevent multiple instances running simultaneously, and bundle legitimate networking libraries, though the BitTorrent delivery mechanism they include appears dormant in the samples analysed so far.

This kind of clean looking package that quietly stages a second payload after install fits a trend we have been tracking closely. Our recent coverage of how AI turned script kiddies into enterprise grade threat actors documented malicious package volume growing 725 percent over three years, and this campaign is another entry in that same growth curve. It also echoes the PolinRider campaign against npm, Go and Chrome packages we covered earlier this week, where the same core technique, a trusted package repository used as a distribution channel, did the heavy lifting.

What the payload actually does

The second stage, a PyInstaller packed Python application, retrieves its configuration through a Cloudflare Worker, with a fallback to cloud storage infrastructure if that fails. It then authenticates against Google Sheets using embedded service account credentials, using operator controlled spreadsheets to log licensing and system status. The malware can bind an activation key to a specific device using identifiers including the hardware UUID, disk serial number, MAC address, CPU and motherboard details, and GPU information, and checks a remote ban list before deciding whether to continue running.

Screenshot capture in the most invasive variants

Three of the recovered builds, tied to Albion, a calculator utility, and Throne, go considerably further than licensing enforcement. These variants collect username, hostname, Windows version, screen resolution, processor and GPU details, active window metadata, network connection counts, and IP based location information. They also include Telegram bot handlers capable of capturing and transmitting screenshots on command, in some cases capturing the full screen rather than just the game window. Any sensitive material visible at the time, including browser sessions, cryptocurrency wallets, passwords, or private messages, could be exposed through this mechanism. The screenshot and session exposure risk here is comparable to what we documented in NoVoice, the Android malware that infected 2.3 million devices through Google Play, where trusted app store distribution again turned into a session theft vector at scale.

Why this matters beyond gamers

While the lure here is game cheats rather than enterprise software, the delivery mechanism is exactly the kind of software supply chain risk that matters to any organisation using NuGet and the wider .NET ecosystem. Developer machines frequently mix personal and work activity, and a compromised developer workstation with active screen capture and credential exposure capability is a meaningful risk regardless of how the initial infection occurred. Package repository trust remains a weak point across the industry, and this campaign is a reminder that malicious uploads reach production quickly enough to affect real users before takedown requests are processed.

What to do

Organisations should reinforce policies against installing unvetted packages or third party utilities on any device with access to corporate resources, including developer workstations used for gaming or personal projects outside working hours. Security teams should consider blocklisting known indicators from this campaign, monitoring for outbound connections to Google Sheets APIs and Cloudflare Worker endpoints from developer environments where that traffic pattern would be unusual, and reviewing endpoint protection coverage on any machine where NuGet tooling runs with elevated privileges.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceSoftware Supply Chain Security