Connect with us

Hi, what are you looking for?



Cyberspies Delivered Malware to Gamers via Supply Chain Attack

Researchers at cybersecurity firm ESET say they have uncovered an espionage campaign that has targeted online gamers in Asia through a compromised software company.

Researchers at cybersecurity firm ESET say they have uncovered an espionage campaign that has targeted online gamers in Asia through a compromised software company.

Called Operation NightScout, the campaign apparently involved a breach at BigNox, the company behind NoxPlayer, an Android emulator that allows users to run mobile apps on PCs or Macs, and which claims to have more than 150 million users worldwide, most of them located in Asia.

After compromising the update mechanism for NoxPlayer, the threat actor behind the attack pushed a series of tailored malicious updates that resulted in three different malware families being installed on the devices of a handful of selected victims.

The highly targeted nature of the attack, ESET’s security researchers say, suggests that the purpose of this campaign is surveillance, and not financial gain: only five out of 100,000 ESET users running NoxPlayer on their machines received a malicious update.

The updates were delivered to victims in Hong Kong, Sri Lanka, and Taiwan, but ESET was unable to find connections between the victims, aside from the use of the same gaming emulator.

In addition to compromising the BigNox infrastructure to host malware, the threat actor might have compromised the company’s HTTP API infrastructure, ESET says, explaining that additional payloads were observed being downloaded by the BigNox updater from attacker’s servers.

“This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers,” the researchers note.

Advertisement. Scroll to continue reading.

ESET says it has notified BigNox about its findings, but the company has apparently denied being breached.

The malicious updates were sent to victims in September 2020, with additional payloads downloaded from attacker-controlled infrastructure at the end of 2020 and in early 2021, most likely through the BigNox API mechanism.

Undocumented before, the first malware variant delivered in the attack allows adversaries to monitor victims, but can also execute commands received from the command and control (C&C) server, to delete files, run commands, download or upload files, or download a directory.

The second malware, ESET says, was found to be a variant of the Gh0st RAT that includes keylogger capabilities.

Only delivered as part of activity subsequent to the initial malicious updates, the third malware was an instance of the PoisonIvy RAT.

“The supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers. Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and its complexity may impact the discovery and mitigation of these type of incidents,” ESET concludes.

Related: Russian Hack of US Agencies Exposed Supply Chain Weaknesses

Related: Over 250 Organizations Breached via SolarWinds Supply Chain Hack: Report

Related: Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.