Researchers found that NoxPlayer’s latest updated mechanism, which is an android emulator for macOS and Windows, was attacked by hackers. The attacker used the hack to corrupt gamer systems with malware. BigNox, a Hongkong based company, makes these emulators. Gamers across 150 countries around the world use NoxPlayer.

The attacker used three different malware strains. The threat actor behind the attack is currently named “Nightscout.” Which becoming like a supply chain attack

To plant corrupt payloads in their victims’ systems, Nightscout attacked BigNox’s “res06.bignox.com storage infrastructure” to store the trojan and “api.bignox.com API infrastructure” to run the payloads. ESET report says, “A new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range of users worldwide. This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual.”

BigNox’s infrastructure compromise used to host malware, along with the compromise of their API infrastructure. In few cases, attacker used BigNox updater to download additional payloads using hacker-controlled servers.Operation Nightscout is slightly different, and more dangerous, as it attacked the gaming community to gain intelligence. It is rare to collect information through espionage attacks on the gaming community, which makes operation Nightscout a bigger threat.

We spotted similarities in loaders we have been monitoring in the past with some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise on 2018, and in early 2020 in an intrusion into a Hong Kong university. Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities, researches added