Spies target gamers with malware inserted into software updates, ESET says

It's a supply-chain attack against a limited users of NoxPlayer, which allows people to play Android games on PCs and Macs.
NoxPlayer logo

Gamers are familiar targets for hackers, but those operations often are broadly aimed at stealing data, installing nuisances like adware or disrupting the games themselves.

Sometimes, though, attackers have other things in mind.

A malware operation in Asia appears to be “highly targeted” toward spying on only a handful of users of a popular piece of gaming software, according to cybersecurity researchers at Slovakia-based ESET. The attackers compromised the update mechanism for NoxPlayer, an emulator program that allows Android games to be played on PCs and Macs, ESET says.

It’s a supply-chain attack, not unlike others with much bigger footprints and much larger geopolitical effects. The perpetrators appear to have broken into infrastructure at Hong Kong-based BigNox, which makes NoxPlayer, to add the malware to the updates that go to customers.


The details get fuzzy from there. About 150 million people, mostly in Asia, use NoxPlayer. ESET says it discovered the attacks within the 100,000 NoxPlayer users who also use its antivirus software. Of those, only five actually received the malware, the researchers say.

Those victims are based in Taiwan, Hong Kong and Sri Lanka.

It’s unclear who’s running the spy campaign, which ESET is calling Operation NightScout, and what they might want.

“We were unsuccessful finding correlations that would suggest any relationships among victims,” ESET says. “However, based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community.”

While ESET is unable to attribute the malware campaign to any specific hacking group or nation-state, the researchers say it appears that espionage is indeed the primary goal.


“Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities,” the researchers say.

ESET says it has seen signs of some of the malware before. The one variant that appears to be new is “not very complex,” the researchers say.

Recent examples of malicious activity aimed at gamers include adware targeted at “Minecraft” players; a data breach at game-maker Capcom; and malware passed along to players of “Valorant.”

Latest Podcasts