ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories
A week's worth of trouble starts with something familiar, but the handoff goes bad, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research.
Intelligence analysis by Llama

A week's worth of trouble starts with something familiar, but the handoff goes bad, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research.
A week's worth of trouble starts with something familiar, but the handoff goes bad, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. It's like a game, but the cheats are real, and they can drop spyware on your computer. It's like a bad game, and you don't want to play.
Analysis
A $60B Vote of Confidence
The article discusses a week's worth of trouble that starts with something familiar, but the handoff goes bad, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. The article highlights 12 more stories, including game cheats that drop spyware, 11 malicious NuGet tools, and fake installers that deploy RATs.
Why Cursor?
Game cheats drop spyware 11 Malicious NuGet Tools Masquerade as Game Cheats to Drop Windows Surveillance Payload. Cybersecurity researchers 11 malicious NuGet packages published as .NET command-line tools that present themselves as game utilities, bots, and "panels," each of which act as a first-stage downloader responsible for fetching and executing a second-stage Python payload named "pepesoft.exe" from GitHub Releases and Hugging Face paths under the username "pepegit666," along with a dormant BitTorrent fallback mechanism built into it. "The recovered payloads use downloader-supplied AWS-style key material to retrieve remote configuration, authenticate to Google Sheets, bind activations to hardware, and honor a remote HWID/UUID ban-list," Socket said . "In the three direct-bytecode payloads, the larger game-automation application also exposes Telegram bot commands that can send screenshots back to the configured chat."
The Road Ahead
The article also discusses UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary, has been observed conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. The activity delivers a Python-based remote access tool (RAT) dubbed Starland RAT and a command-and-control (C2) memory implant known as WLDR agent using trojanized installer lures for software like developer tooling, IT administration utilities, enterprise collaboration platforms, and consumer gaming applications (e.g., MobaXterm, WebEx, Zoom, DBeaver, and FaceIT). "The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads," Cisco Talos said . Alternatively, UAT-11795 has been linked to the deployment of CastleStealer and Remcos RAT. The malware is designed to target victims' credentials and cryptocurrency wallet assets, harvest Active Directory information, and establish a persistent connection to the victims' machines from the C2 server, likely with an aim to deliver and execute further payloads.
Key points
- Game cheats drop spyware 11 Malicious NuGet Tools Masquerade as Game Cheats to Drop Windows Surveillance Payload
- UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary, has been observed conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025
- The activity delivers a Python-based remote access tool (RAT) dubbed Starland RAT and a command-and-control (C2) memory implant known as WLDR agent
- The malware is designed to target victims' credentials and cryptocurrency wallet assets, harvest Active Directory information, and establish a persistent connection to the victims' machines from the C2 server
If the developers of the malicious NuGet tools and RATs are caught and brought to justice, it could lead to a decrease in the number of attacks and a safer online environment for users.
If the attackers are able to continue their malicious activities without being caught, it could lead to a significant increase in the number of attacks and a more vulnerable online environment for users.



