Recent OTX pulses reveal a diverse set of high-risk threats targeting the software supply chain, AI infrastructure, and workforce trust. A sophisticated supply chain attack involves 11 malicious NuGet packages masquerading as game cheats (e.g., for Albion Online, GTA5RP) to deliver a surveillance payload (pepesoft.exe) capable of exfiltration via Telegram and Google Sheets. Simultaneously, threat actors are actively jailbreaking Large Language Models (LLMs) by framing malicious requests as legitimate CTF or CVE-hunting exercises to generate exploit code for applications like PraisonAI and LiteLLM. In parallel, a massive credential harvesting campaign dubbed "Operation Fake KickOff" (linked to adversary O-UNC-038) is abusing recruitment brands like Robert Half to infiltrate enterprise SaaS environments. The collective objective spans intelligence gathering, credential theft, and the automation of exploit generation.
Threat Actor / Malware Profile
Malware: Pepesoft.exe (Surveillance Dropper)
- Distribution: Malicious .NET NuGet packages posing as game utilities/cheats.
- Payload Behavior: Acts as a first-stage downloader. Requests UAC elevation to resync system time and fetches a second-stage PyInstaller payload (
pepesoft.exe). - C2 Communication: Uses Telegram bot control and Google Sheets for telemetry. Employs DNS-over-HTTPS (DoH) to bypass local network controls.
- Capabilities: Hardware fingerprinting, screenshot exfiltration, and host surveillance.
Adversary: O-UNC-038 (Operation Fake KickOff)
- Profile: A financially motivated threat actor active since April 2025.
- Tactics: Sophisticated multi-stage phishing, Adversary-in-the-Middle (AiTM) attacks, MFA bypass, and SaaS abuse.
- Infrastructure: Utilizes over 232 phishing domains and 80 C2 servers, heavily impersonating HR consulting firms (Robert Half, Aquent).
Technique: LLM Jailbreaking via CTF Framing
- Method: Manipulates upstream AI safety guardrails by presenting exploit requests as "Capture The Flag" challenges or security research tasks.
- Target: AI platforms and specific applications (PraisonAI, LiteLLM, FastChat).
- Outcome: Forces LLMs to generate functional exploit code leveraging vulnerabilities such as CVE-2026-39987.
IOC Analysis
The indicators provided cover a broad spectrum of the attack surface:
- FileHash-SHA256: 39 hashes associated with the malicious NuGet packages and the
pepesoft.exepayload. SOC teams should ingest these into EDR detection engines to block execution. - CVEs: 8 distinct CVEs (e.g., CVE-2026-39987, CVE-2026-42271) related to the LLM targeting. Vulnerability management teams must prioritize patching for these specific IDs in AI/ML platforms.
- Domains: 2 sample phishing domains (
fifahr-careers.com,adidas-hiring.com) representative of the O-UNC-038 infrastructure. These should be added to DNS sinkholes and web proxy blocklists immediately. - Operationalization: Hashes should be scanned for using EDR (CrowdStrike, SentinelOne). Domains require immediate DNS blocking. CVEs need scanning via Qualys/Tenable against the specific AI platforms mentioned.
Detection Engineering
---
title: Potential Malicious NuGet Package Execution - Pepesoft
id: 2c8f3a1b-4d5e-6f7a-8b9c-0d1e2f3a4b5c
description: Detects execution of suspicious processes often associated with the Pepesoft malware family delivered via malicious NuGet packages. Looks for pyinstaller-related processes and unusual use of system time resync.
status: experimental
author: Security Arsenal
references:
- https://otx.alienvault.com/
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\python.exe'
- '\pyinstaller.exe'
CommandLine|contains:
- 'pepesoft'
- '--uac'
condition: selection
falsepositives:
- Legitimate Python development
level: high
---
title: DNS-over-HTTPS (DoH) to Suspicious Endpoints
id: 3d9g4b2c-5e6f-7g8h-9i0j-1e2f3g4h5i6j
description: Detects processes utilizing DNS-over-HTTPS, a technique used by the Pepesoft dropper to bypass local controls and fetch payloads.
status: experimental
author: Security Arsenal
date: 2026/07/15
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort: 443
DestinationHostname|contains:
- 'dns.google'
- 'cloudflare-dns.com'
filter_main_legit:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
condition: selection and not filter_main_legit
falsepositives:
- Legitimate applications using DoH for privacy
level: medium
---
title: Credential Harvesting - Recruitment Phishing Domains
id: 4e0h5c3d-6f7g-8h9i-0j1k-2f3g4h5i6j7k
description: Identifies connections to domains mimicking recruitment firms, associated with O-UNC-038's Fake KickOff campaign.
status: experimental
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1566.002
logsource:
category: dns_query
product: windows
detection:
selection_keywords:
QueryName|contains:
- 'careers'
- 'hiring'
- 'jobs'
- 'recruitment'
selection_tlds:
QueryName|endswith:
- '.com'
- '.net'
- '.org'
condition: selection_keywords and selection_tlds
falsepositives:
- Legitimate job searching activity
level: low
kql
// Hunt for malicious NuGet-related processes and file creation
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "nuget.exe" or FileName =~ "nuget.exe"
| where ProcessCommandLine contains "restore" or ProcessCommandLine contains "install"
| join kind=inner (DeviceFileEvents
| where Timestamp >= ago(7d)
| where SHA256 in (
"d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609",
"9a2091e6625fc11cfd8f39c17aa271604e66322ee045028946274b988103e35b",
"900ddb81d27e03967209fee4d17d13deb68eef0e1f10936eb520ca10575cb49e",
"ab58a90eb3682c6dc3389cd700a64f68a19c0dac3d0fa8e3df97ae041f96d4e1",
"e6e1049158ceb1971c61388349c81fa6047a7aecb4ff2089ef54a50dcc35dbc0",
"d9f7ca9f93a7d188d51db308877b15d0beae932ca0bf4705384fbedf54b454c1",
"4d13f1136b13c871c65141b77ec7208488334ac4be511800196adcd328666305",
"011926de3d0cc2b970627b9bf0de003e731f8576602dff756d2ab54a9de61972"
))
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
powershell
# IOC Hunt Script for Pepesoft and Phishing Domains
# Requires Administrator privileges
Write-Host "Starting Threat Hunt: Pepesoft & Fake KickOff" -ForegroundColor Cyan
# 1. Check for file hashes
$maliciousHashes = @(
"d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609",
"9a2091e6625fc11cfd8f39c17aa271604e66322ee045028946274b988103e35b",
"900ddb81d27e03967209fee4d17d13deb68eef0e1f10936eb520ca10575cb49e",
"ab58a90eb3682c6dc3389cd700a64f68a19c0dac3d0fa8e3df97ae041f96d4e1",
"e6e1049158ceb1971c61388349c81fa6047a7aecb4ff2089ef54a50dcc35dbc0",
"d9f7ca9f93a7d188d51db308877b15d0beae932ca0bf4705384fbedf54b454c1",
"4d13f1136b13c871c65141b77ec7208488334ac4be511800196adcd328666305",
"011926de3d0cc2b970627b9bf0de003e731f8576602dff756d2ab54a9de61972"
)
$drives = Get-PSDrive -PSProvider FileSystem
foreach ($drive in $drives) {
Write-Host "Scanning drive $($drive.Root)..." -ForegroundColor Yellow
Get-ChildItem -Path $drive.Root -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($hash -in $maliciousHashes) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
}
}
# 2. Check hosts file for phishing domains
$phishingDomains = @(
"fifahr-careers.com",
"adidas-hiring.com"
)
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
$hostsContent = Get-Content $hostsPath
foreach ($domain in $phishingDomains) {
if ($hostsContent -match $domain) {
Write-Host "[!] PHISHING DOMAIN FOUND IN HOSTS FILE: $domain" -ForegroundColor Red
}
}
}
Write-Host "Hunt Complete." -ForegroundColor Green
Response Priorities
-
Immediate:
- Block all 39 SHA256 file hashes at the endpoint via EDR isolation policies.
- Sinkhole the sample phishing domains (
fifahr-careers.com,adidas-hiring.com) and hunt for broader*-careers.comor*-hiring.comtypos in DNS logs. - Review outbound DNS-over-HTTPS traffic for anomalies not originating from approved browsers.
-
24 Hours:
- If credential-harvesting malware is suspected (O-UNC-038), initiate identity verification checks for HR and Finance staff.
- Scan internal code repositories and build pipelines for the malicious NuGet package names mentioned.
- Audit LLM/AI platform logs (PraisonAI, LiteLLM) for prompts containing "CTF", "CVE", or "exploit" to detect jailbreak attempts.
-
1 Week:
- Harden the software supply chain by enforcing package signing verification for all NuGet/PyPI repositories.
- Implement strict input validation and sandboxing for LLM integrations within the development environment.
- Conduct security awareness training focused on advanced phishing techniques mimicking recruitment workflows.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.