Proprietary · 2018-06-01 · 182 days · Data Theft, Remote Access, Malware Deployment

Infestation executable carried Winnti backdoor

Electronics Extreme distributed a trojanized Infestation executable. ESET found Winnti backdoor code launched before the game's normal runtime initialization.

Story

ESET described Infestation as one of three Asian gaming supply-chain cases that shared the same embedded backdoor. Infestation was the clearest active case: the Thai developer Electronics Extreme was still distributing a trojanized build when ESET published its research.

The implant ran before the game. Code added near the PE entry point hooked the C runtime initialization path, decrypted an embedded DLL with RC4, launched the backdoor in memory, then resumed normal execution. That shape suggested a build-configuration or build-environment compromise rather than a simple post-download patch.

The backdoor reported host details, including user name, computer name, Windows version, system language, and a bot identifier derived from the MAC address. Its command set was small but sufficient for staging: download a file, download and run a file, run a downloaded binary in memory, or disable itself through a registry flag (the UnInstall command; the ImageFlag value listed under Indicators).

The Infestation-specific C2 used nw.infestexe.com, a domain built to look related to the game. ESET also saw a Winnti second stage delivered from related infrastructure. This record stays scoped to Infestation even though the broader ESET report covered two other compromised game or gaming-platform products.
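The script below is an added example, not ESET's tooling and not code from the trojanized build. It shows the unpacking step an analyst would apply to the packer described above: generate an RC4 keystream once, slide it over the host binary, accept the first offset that decrypts to a valid MZ/PE header, then pull the command verbs and the C2 string out of the recovered DLL. The RC4 key (`SAMPLE_KEY`), the payload offset and the host bytes are constructed for the example; the page does not give the real key or where the blob sits in Infestation.exe, so those are assumptions.

```python
"""Added example: RC4-unpack an embedded DLL and extract Winnti IOCs from it.

Not ESET's code and not from the Infestation build. SAMPLE_KEY, the payload
offset and the host bytes are constructed stand-ins.
"""
import re

SAMPLE_KEY = b"not-the-real-key"  # assumption: the real RC4 key is not on this page
KNOWN_COMMANDS = (b"DownUrlFile", b"DownRunUrlFile", b"RunUrlBinInMem", b"UnInstall")
NETWORK_RE = re.compile(rb"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[\w./-]*)?")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); the packer ESET described used RC4 on the embedded DLL."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """'MZ' at 0 and e_lfanew (offset 0x3C) pointing at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_dll(host: bytes, key: bytes):
    """Scan every offset of the host for an RC4-encrypted PE image.

    The keystream does not depend on the plaintext, so it is generated once and
    re-used at every candidate offset. Returns (offset, decrypted_bytes) or None.
    """
    ks = rc4_keystream(key, len(host))
    for off in range(len(host) - 0x40):
        # cheap prefilter: only offsets that decrypt to 'MZ' get the full header check
        if host[off] ^ ks[0] != 0x4D or host[off + 1] ^ ks[1] != 0x5A:
            continue
        plain = bytes(b ^ k for b, k in zip(host[off:], ks))
        if looks_like_pe(plain):
            return off, plain
    return None


def extract_iocs(dll: bytes) -> dict:
    """Pull the backdoor's command verbs and network strings out of the decrypted DLL.

    ASCII only here; a real sample may also carry UTF-16LE strings.
    """
    return {
        "commands": [c.decode() for c in KNOWN_COMMANDS if c in dll],
        "network": sorted({m.decode() for m in NETWORK_RE.findall(dll)}),
    }


def build_sample_host(key: bytes, payload_offset: int = 0x300) -> bytes:
    """Constructed stand-in for a trojanized executable: filler bytes, then the
    RC4-encrypted fake DLL. The fake DLL carries the strings from this record."""
    dll_hdr = bytearray(0x80)
    dll_hdr[0:2] = b"MZ"
    dll_hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> 'PE\0\0' at 0x80
    strings = [b"https://nw.infestexe.com/version/last.php", *KNOWN_COMMANDS, b"ImageFlag", b""]
    dll = bytes(dll_hdr) + b"PE\0\0" + bytes(20) + b"\0".join(strings)
    filler = bytes((i * 37 + 11) & 0xFF for i in range(payload_offset))
    return filler + rc4(key, dll)


if __name__ == "__main__":
    host = build_sample_host(SAMPLE_KEY)
    found = find_embedded_dll(host, SAMPLE_KEY)
    if found is None:
        raise SystemExit("no RC4-encrypted PE found")
    offset, dll = found
    print(f"embedded DLL at offset {offset:#x}, {len(dll)} bytes")
    print(extract_iocs(dll))
```

On the constructed host the scan reports the DLL at offset 0x300 and `extract_iocs` returns the four command verbs and the nw.infestexe.com URL. On a real sample the full-offset scan is the slow part; if the entry-point hook has already been located in a disassembler, start the scan at the section that hook reads from instead of at offset zero.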

Affected Artifacts

Infestation.exe

game launcher · infest.in.th · Binary Archive
Observed
2018-06-01 to 2018-11-30
Compromised Versions
Unknown
Fixed
Not listed
  • Exact affected game executable versions or patch numbers were not publicly named.
  • ESET redacted some compromised file hashes at a vendor's request; this record keeps only the Infestation-themed payload hash and C2 details.

Incident Context

Motive
Espionage
Attribution
State
Cause
Build System Compromise
Transitive
No
Actor
Winnti Group
Actor Country
China
Target Country
Global

Indicators

  • family · Winnti
  • family · Win32/HackedApp.Winnti
  • family · Win32/Winnti.AG
  • family · Win64/Winnti.BN
  • domain · infestexe.com
  • domain · nw.infestexe.com
  • domain · api.goallbandungtravel.com
  • domain · checkin.travelsanignacio.com
  • ip · 138.68.14.195
  • url · https://nw.infestexe.com/version/last.php
  • file · Infestation.exe
  • registry · HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ImageFlag
  • command · DownUrlFile
  • command · DownRunUrlFile
  • command · RunUrlBinInMem
  • command · UnInstall
  • observable · Backdoor code ran before standard C runtime initialization.
  • observable · Malware skipped systems configured with Russian or Chinese language.

External References

Source record: proprietary/infestation/meta.yaml