Proprietary 2020-09-01 · 146 days · Backdoor, Remote Access, Spyware

NoxPlayer updates delivered targeted malware

BigNox's NoxPlayer update mechanism delivered tailored malware to a handful of users in Asia. The payloads were built for surveillance, not mass monetization.

Story

Operation NightScout rode NoxPlayer's own update flow. On launch, Nox.exe queried api.bignox.com for update metadata, then handed the returned URL, size, and hash to NoxPack.exe, which downloaded and installed whatever that URL served. Nothing in that path authenticated the update beyond the metadata the client had just received, so control of the API response meant control of what got installed.

ESET found enough evidence to state that BigNox infrastructure was part of the delivery path: res06.bignox.com hosted the malware, and the api.bignox.com response may have been altered so that selected clients were handed attacker-chosen update URLs. ESET could reproduce the malware downloads from BigNox hosts over HTTPS, which made a purely network-level explanation, such as DNS or traffic manipulation, unlikely.

The campaign stayed narrow. ESET telemetry showed more than 100,000 ESET-protected machines with NoxPlayer installed, but only five of them received malicious updates, all in Taiwan, Hong Kong, and Sri Lanka. The malware families were a custom monitoring implant, Gh0st RAT, and PoisonIvy, all consistent with surveillance rather than profit.

BigNox initially denied being compromised, then told ESET it would deliver updates only over HTTPS, add MD5 and file-signature checks on downloaded updates, and scan installed application files at startup. Later ESET research tied victims of the supply-chain attack to Gelsemium tooling, but the original NightScout report kept attribution cautious.
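The point worth making concrete about the update flow above and the checks BigNox promised: a size and hash returned in the same API response that names the download URL cannot authenticate the download, because whoever controls that response controls all three values. The Go program below is an added example written for this page, not BigNox's or ESET's code. It assumes a JSON manifest layout, its field names, and an Ed25519 release key that are illustrative only; the installer bytes and URLs are constructed stand-ins. It runs the self-referential size-and-hash check and a pinned-key signature check against both a genuine update and one swapped by an attacker who controls the metadata API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest stands in for the metadata the page says Nox.exe fetched from the API and
// handed to NoxPack.exe (URL, size, hash). Layout and field names are assumptions.
type Manifest struct {
	URL    string `json:"url"`
	Size   int64  `json:"size"`
	SHA256 string `json:"sha256"`
}

// SignedManifest: the manifest bytes exactly as signed, plus an Ed25519 signature
// from a vendor release key that is never on the update servers (assumed design).
type SignedManifest struct {
	Payload []byte
	Sig     []byte
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// verifyWeak is what the flow on this page amounts to: size and hash come from the
// same response that supplied the URL. If that response is attacker-controlled, so
// are both reference values; the check only proves the download was not corrupted.
func verifyWeak(m Manifest, blob []byte) bool {
	return int64(len(blob)) == m.Size && sha256Hex(blob) == m.SHA256
}

// verifyStrong trusts no manifest field until the manifest verifies under a key
// pinned in the client. A compromised API or CDN cannot re-sign a rewritten manifest.
func verifyStrong(pub ed25519.PublicKey, sm SignedManifest, blob []byte) bool {
	if !ed25519.Verify(pub, sm.Payload, sm.Sig) {
		return false
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return false
	}
	return verifyWeak(m, blob)
}

// signManifest is the release-pipeline side, included only so the example runs.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// tamper models an attacker who controls the metadata API: URL repointed, size and
// hash recomputed so verifyWeak passes, old signature carried along since they
// cannot mint a new one. Returns the rewritten manifest both parsed and as sent.
func tamper(sm SignedManifest, evil []byte) (Manifest, SignedManifest) {
	m := Manifest{URL: "https://cdn-update.example/NoxPlayer.exe", Size: int64(len(evil)), SHA256: sha256Hex(evil)}
	payload, _ := json.Marshal(m) // plain strings and ints always marshal
	return m, SignedManifest{Payload: payload, Sig: sm.Sig}
}

type Outcome struct {
	GenuineWeak, GenuineStrong, SwappedWeak, SwappedStrong bool
}

// RunScenario generates a release key, signs a genuine manifest, lets the attacker
// rewrite it, and runs both checks on both downloads. Installer bytes are constructed.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("constructed stand-in for the real NoxPlayer installer")
	evil := []byte("constructed stand-in for a trojanised installer")
	m := Manifest{URL: "https://cdn.example/NoxPlayer.exe", Size: int64(len(genuine)), SHA256: sha256Hex(genuine)}
	signed, err := signManifest(priv, m)
	if err != nil {
		return Outcome{}, err
	}
	tm, swapped := tamper(signed, evil)
	return Outcome{
		GenuineWeak:   verifyWeak(m, genuine),
		GenuineStrong: verifyStrong(pub, signed, genuine),
		SwappedWeak:   verifyWeak(tm, evil),
		SwappedStrong: verifyStrong(pub, swapped, evil),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // {GenuineWeak:true GenuineStrong:true SwappedWeak:true SwappedStrong:false}
}
```

The weak check accepts the swapped file because the attacker wrote the size and hash it is compared against; the signature check rejects the rewritten manifest before any field in it is read. In a real client the pinned key would be compiled in, and the manifest would also carry a version or expiry so that an attacker cannot replay an older, genuinely signed manifest for a build with known bugs; that replay caveat is a general update-security point, not something the page reports about NoxPlayer.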

Affected Artifacts

NoxPlayer malicious update variant 1

NoxPlayer update service · bignox.com · Installer
Observed
2020-09-01 to 2020-09-30
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:ca4276033a7cbdccde26105dec911b215a1ce5cf
  • ESET described this as a preliminary malicious update hosted on compromised BigNox infrastructure.

NoxPlayer malicious update variant 2

NoxPlayer update service · bignox.com · Installer
Observed
2020-09-01 to 2020-09-30
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:e45a5d9b03cfbe7eb2e90181756fdf0dd690c00c
  • This variant used a trident-style bundle: a legitimately signed Sandboxie executable, a malicious DLL it side-loaded, and an encrypted payload.

NoxPlayer malicious update variant 3

NoxPlayer update service · bignox.com · Installer
Observed
2020-10-20 to 2021-01-25
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:5732126743640525680c1f9460e52d361acf6bb0
  • ESET saw this variant downloaded from attacker-controlled infrastructure after the initial malicious updates. The domains mimicked the BigNox CDN naming pattern.
  • ESET also published a SHA-1 for this variant, reproduced here as AA3D31A1A6FE6888E4B455DADDA4755A6D42BEEB, that the record flags as malformed in the source list (41 hexadecimal characters rather than 40); it is kept for reference but not stored as a normalized hash.

Incident Context

Motive
Espionage, Targeted Surveillance
Attribution
State
Cause
Update Infrastructure Compromise
Transitive
No
Actor
Nation-state
User Impact
5 confirmed victims

Notes

  • ESET found no evidence that BigNox's build system was compromised: the malicious files were unsigned, which points to tampering in update distribution rather than in source or build.
  • ESET later linked victims originally compromised by NightScout to Gelsemium tooling, but the original report did not attribute the supply-chain compromise to a named group.

External References

Source record: proprietary/noxplayer/meta.yaml