Proprietary 2018-01-01 · 434 days · Data Theft

Point Blank executable shipped backdoor

Point Blank downloads were reported to carry a signed Winnti backdoor. The same backdoor family appeared in other Asian gaming supply-chain compromises.

Story

ESET reported a cluster of Asian gaming supply-chain compromises in March 2019. Two games and one gaming platform carried the same backdoor code, launched by the same early-entry mechanism. Later reporting named Point Blank as one of the affected games.

The backdoor ran before the host program's own code. Inserted code intercepted the C runtime initialization path, RC4-decrypted an embedded DLL, executed it in memory, and only then resumed normal startup of the host application. Hooking that early, inside code a compiler normally emits, pointed toward compromise of the build configuration or build environment.
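The decrypt-and-run loader shape described above, seen from the analyst's side, as an added example that is not code from this page, from the ESET report, or from the malware itself: given an encrypted blob carved out of a suspect executable and a few candidate RC4 keys, it decrypts with each key and keeps a result only if the plaintext has a plausible PE layout (MZ header, e_lfanew inside the blob, PE signature). The key, the candidate list and the fake embedded DLL are constructed test data; no key from the incident is implied.

```python
# Added example (not code from the page, ESET, or the malware): analyst-side
# helper for the "RC4-decrypt an embedded DLL, then run it in memory" loader
# shape. Keys and the "embedded DLL" below are constructed test data.


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute the 0..255 state with the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Structural check: DOS 'MZ', e_lfanew pointing inside the blob, 'PE\\0\\0' there."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if e_lfanew < 0x40 or e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_embedded_pe(encrypted: bytes, candidate_keys):
    """Try each key; return (key, plaintext) for the first decryption that is a PE, else None."""
    for key in candidate_keys:
        plain = rc4_crypt(key, encrypted)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an embedded DLL: a minimal MZ/PE skeleton, not a real image."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> NT headers at 0x40
    nt = b"PE\0\0" + b"\x4c\x01" + b"\x00" * 18        # PE signature + stub COFF header
    return bytes(dos) + nt + b"not-a-real-dll-body"


SAMPLE_KEY = b"constructed-key"                       # constructed, not an observed key
ENCRYPTED_BLOB = rc4_crypt(SAMPLE_KEY, build_fake_pe())


if __name__ == "__main__":
    hit = recover_embedded_pe(ENCRYPTED_BLOB, [b"wrong", b"alsowrong", SAMPLE_KEY])
    if hit is None:
        print("no candidate key produced a PE image")
    else:
        print(f"key {hit[0]!r} yields a PE image of {len(hit[1])} bytes")
```

The structural check matters because RC4 produces output for every key; a decryption only means something when the plaintext has the shape the loader expects. On a real sample, the candidate keys come from the loader's own code (the key is necessarily present there), and the recovered image should then go to a full PE parser rather than stopping at the signature check.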

The payload was small but capable. It reported host identity, operating system, language, and a bot identifier derived from the MAC address, then accepted commands to download a file, download and run a binary, execute a binary in memory, or disable further callbacks through a registry flag.

ESET's telemetry placed victims mostly in Asia, with Thailand prominent. This record does not list exact Point Blank versions because public reporting did not publish a clean package list for that title.

Affected Artifacts

Incident Context

Motive
Espionage
Attribution
State
Cause
Build System Compromise
Transitive
No
Actor
BARIUM (APT17, Axiom, Deputy Dog)
Actor Country
China
Target Country
Asia

External References

Source record: proprietary/point_blank/meta.yaml