Confirmed malicious behavior in the deobfuscated code:
Downloads a second-stage executable (literally named payl.exe) from a GitHub releases URL at runtime — classic dropper pattern.
Runs hidden PowerShell to add Windows Defender exclusions (Add-MpPreference -ExclusionPath) — defense evasion.
Has a hardcoded Telegram bot token and posts data out via Telegram's sendPhoto API — an exfiltration channel (consistent with stealer logs/screenshots).
Generates random filenames via crypto.randomBytes and self-deletes artifacts (unlinkSync) — anti-forensics/evasion.
Drops .vbs scripts, likely for stealthy execution.
This is an infostealer/dropper, full stop — not a cracked or "risky" cheat, but a trojan using "free CS2 cheat" as bait.
Recommendation:
Delete the zip, don't extract/run it again.
If you already ran Package.exe on a real machine at any point: run a full Defender/Malwarebytes scan, check Defender → Exclusions for anything you didn't add, and rotate browser-saved/Discord/crypto credentials as a precaution.
Worth reporting the repo to GitHub (it's a TOS violation regardless of the malware angle).
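One way to carry out the "check Defender → Exclusions" step from the recommendation above, as an added example (not the commenter's own code). It assumes an elevated PowerShell session on the machine that ran Package.exe, and the $Known list is a constructed placeholder for exclusions you configured yourself:

```powershell
# Added example: audit Microsoft Defender exclusions and recent exclusion changes.
# Run from an elevated PowerShell session on the machine that ran Package.exe.
# $Known is a constructed placeholder: list only exclusions you added yourself.
$Known = @('C:\Dev\KnownTool')   # replace with exclusions you actually configured

$pref = Get-MpPreference
$current = @(
    $pref.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Kind = 'Path';      Value = $_ } }
    $pref.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Kind = 'Process';   Value = $_ } }
    $pref.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Kind = 'Extension'; Value = $_ } }
)

Write-Host "=== Current Defender exclusions ==="
if (-not $current) { Write-Host "(none)" }
foreach ($ex in $current) {
    # Anything not in $Known is a candidate for the Add-MpPreference call the sample makes.
    $flag = if ($Known -contains $ex.Value) { 'known' } else { 'UNEXPECTED' }
    Write-Host ("{0,-10} {1,-10} {2}" -f $flag, $ex.Kind, $ex.Value)
}

# Event ID 5007 in the Defender operational log records configuration changes,
# including exclusions added via Add-MpPreference; filter to exclusion-related entries.
Write-Host "`n=== Exclusion-related configuration changes, last 30 days ==="
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $ev   = $_
        $line = ($ev.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
        Write-Host ("{0:u}  {1}" -f $ev.TimeCreated, $line)
    }

# Remove an unexpected path exclusion only after confirming it is not yours, e.g.:
#   Remove-MpPreference -ExclusionPath 'C:\Users\<you>\AppData\Local\Temp'
```

Exclusions flagged UNEXPECTED that coincide in time with a 5007 event are the ones to remove before re-scanning.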