11 malicious NuGet packages masquerading as game cheats, automation bots, and management “panels” that deploy a Windows payload called pepesoft.exe.
The packages were published as .NET command-line tools, enabling users to install them through the dotnet tool install workflow and execute bundled commands such as throne-run.
The affected packages target communities around Albion Online, GTA5RP, GrandRP, Majestic RP, Lineage 2, Russian Fishing 4, Throne and Liberty, and generic trigger-bot tools.
Socket reported the packages to NuGet’s security team and requested their removal and suspension of the publisher account.
Each package contains a first-stage .NET downloader stored under tools/net8.0/any/. It displays Russian-language updater messages, creates a shared mutex to prevent multiple executions, and downloads pepesoft.exe from attacker-controlled GitHub Releases and Hugging Face locations associated with the pepegit666 username.
The downloader preferentially retrieves payloads from Hugging Face, followed by GitHub Releases. It also includes dormant BitTorrent transfer functionality through the bundled MonoTorrent and Mono.
Nat libraries, although the analyzed builds contained empty magnet-link values.
A notable evasion feature is the use of Google DNS-over-HTTPS to resolve domains for GitHub downloads. Rather than relying on the victim’s configured DNS resolver, the malware queries dns.google and connects to the returned address.
This may evade local hosts-file blocks and DNS sinkholes, though it remains detectable through network, proxy, TLS SNI, and IP-based controls.
Ten of the 11 samples also invoke hidden PowerShell with the runas verb to start the Windows Time service and force a clock resynchronization.
While this can reduce TLS failures caused by clock drift, it also produces an unexpected UAC elevation prompt before payload retrieval.
The second-stage executable is a PyInstaller-packed Python application. Socket recovered payloads from eight PyArmor-protected releases and three direct-bytecode builds tied to Albion, Calculator, and Throne.

pepesoft.exe (Source : Socket).Across the full payload set, Pepesoft retrieves remote configuration through a Cloudflare Worker and an S3-compatible Selectel storage fallback.
Socket’s Threat Research Team analyzed 11 malicious NuGet packages published as .NET command-line tools (DotnetTool package type) that present themselves as game utilities, bots, and “panels”.
11 Malicious NuGet Game Cheat Packages
The downloader passes AWS-style access credentials and configuration URLs to the payload through environment variables, linking the stages through shared infrastructure and code constants.

pepegit666/123f53y45ysdf34: one release per game tag (Source : Socket).The malware uses Google Sheets as a backend for activation, licensing, host status, and telemetry. It generates hardware identifiers from system UUIDs, disk data, MAC addresses, and host attributes, allowing the operator to bind an activation to a particular device.
It also checks a remotely maintained hardware-ID and UUID ban list, giving the operators a server-side mechanism to turn off selected installations.
Socket found that the three direct-bytecode variants collect substantially richer system data.
This includes usernames, hostnames, CPU and GPU details, motherboard information, display configuration, network status, active-window metadata, public IP address, approximate geolocation, and runtime information.
The Albion, Calculator, and Throne payloads also contain Telegram bot functionality implemented with aiogram.
Users who interact with the bot’s /start command can be added to a local chat-ID list, after which predefined commands can trigger game-window, application-window, or full-screen screenshots.
This creates an obvious privacy risk: screenshots can capture browser sessions, password managers, cryptocurrency wallets, authentication prompts, private chats, recovery phrases, or other sensitive content visible on the desktop.
The same variants include OCR routines, enabling screen content to be processed as text for automation functions.
The campaign’s infrastructure includes GitHub releases under pepegit666/123f53y45ysdf34, Hugging Face paths under pepegit666, the Pepesoft storefront at bots.pepesoft[.]ru, and a Telegram channel at t[.]me/pepesoft777.
The payload also references a Cloudflare Worker and Selectel S3 endpoint for configuration delivery.
Organizations should review NuGet tool installations, investigate unexpected execution of pepesoft.exe, monitor DNS-over-HTTPS requests to dns.google made by developer-tool processes, and block known staging infrastructure.
IOCs
| Type | Identifier |
|---|---|
| Malicious NuGet package | albion-x-x |
| Malicious NuGet package | amazing-x-x |
| Malicious NuGet package | calc-x-x |
| Malicious NuGet package | grandrp-x-x |
| Malicious NuGet package | gta5rp-x-x |
| Malicious NuGet package | l2-x-x |
| Malicious NuGet package | majestic-x-x |
| Malicious NuGet package | rmrp-x-x |
| Malicious NuGet package | rusfish4-x-x |
| Malicious NuGet package | throne-x-x |
| Malicious NuGet package | trigger-x-x |
| Operator username / NuGet account | pepegit666 |
| GitHub profile | github[.]com/pepegit666 |
| GitHub repository | github[.]com/pepegit666/123f53y45ysdf34 |
| Hugging Face profile / bucket path | huggingface[.]co/buckets/pepegit666 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

