{
	"id": "7b3538f5-b26f-4498-9429-f01d2d701a8f",
	"created_at": "2026-04-06T00:21:03.571496Z",
	"updated_at": "2026-04-10T03:32:20.870776Z",
	"deleted_at": null,
	"sha1_hash": "3335c3bb49dc819873428edaa12e1a8bb9c6e40f",
	"title": "Gaming industry still in the scope of attackers in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 706571,
	"plain_text": "Gaming industry still in the scope of attackers in Asia\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 13:15:59 UTC\r\nThis is not the first time the gaming industry has been targeted by attackers who compromise game developers, insert\r\nbackdoors into a game’s build environment, and then have their malware distributed as legitimate software. In April 2013,\r\nKaspersky Lab reported that a popular game was altered to include a backdoor in 2011. That attack was attributed to\r\nperpetrators Kaspersky called the Winnti Group.\r\nYet again, new supply-chain attacks recently caught the attention of ESET Researchers. This time, two games and one\r\ngaming platform application were compromised to include a backdoor. Given that these attacks were mostly targeted against\r\nAsia and the gaming industry, it shouldn’t be surprising they are the work of the group described in Kaspersky’s “Winnti –\r\nMore than just a game”.\r\nThree Cases, Same Backdoor\r\nAlthough the malware uses different configurations in each case, the three affected software products included the same\r\nbackdoor code and were launched using the same mechanism. While two of the compromised products no longer include the\r\nbackdoor, one of the affected developers is still distributing the trojanized version: ironically, the game is named Infestation,\r\nand is produced by Thai developer Electronics Extreme. We have tried informing them several times, through various\r\nchannels, since early February, but without apparent success.\r\nLet’s look at how the malicious payload is embedded and then look into the details of the backdoor itself.\r\nEmbedding the payload\r\nThe payload code is started very early during the execution of the backdoored executable file. Right after the PE entry point,\r\nthe standard call to the C Runtime initialization (__scrt_common_main_seh in Figure 1) is hooked to launch the malicious\r\npayload before everything else (Figure 2). 
This may suggest that the malefactor changed a build configuration rather than\r\nthe source code itself.\r\nFigure 1 Clean executable file entry point\r\nhttps://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/\r\nPage 1 of 7\n\nFigure 2 Compromised executable file entry point\r\nThe code added to the executable decrypts and launches the backdoor in-memory before resuming normal execution of the\r\nC Runtime initialization code and all the subsequent code of the host application. The embedded payload data has a specific\r\nstructure, seen in Figure 3, that is parsed by the added unpacking code.\r\nFigure 3 Embedded payload structure\r\nIt includes an RC4 key (which is XORed with 0x37) that is used to decrypt a filename and the embedded DLL file.\r\nThe malicious payload\r\nThe actual malicious payload is quite small and only contains about 17 KB of code and data.\r\nConfiguration\r\nIllustrated in Figure 4, the configuration data is simply a whitespace-separated list of strings.\r\nFigure 4 Payload configuration data\r\nThe configuration consists of four fields:\r\n1. C\u0026C server URL.\r\n2. Variable (t) used to determine the time to sleep in milliseconds before continuing the execution. Wait time is chosen\r\nrandomly in the range 2/3 t to 5/3 t.\r\n3. A string identifying a campaign.\r\n4. A semicolon-separated list of executable filenames. 
If any of them are running, the backdoor stops its execution.\r\nESET researchers have identified five versions of the payload:\r\nTruncated SHA-1 PE Compile time (UTC) C\u0026C server URL\r\na045939f 2018-07-11 15:45:57 https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_bsod.php\r\na260dcf1 2018-07-11 15:45:57 https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_Include.php\r\ndde82093 2018-07-11 15:45:57 https://bugcheck.xigncodeservice[.]com/Common/Lib/common.php\r\n44260a1d 2018-08-15 10:59:09 https://dump.gxxservice[.]com/common/up/up_base.php\r\n8272c1f4 2018-11-01 13:16:24 https://nw.infestexe[.]com/version/last.php\r\nIn the first three variants, the code was not recompiled, but the configuration data was edited in the DLL file itself. The rest\r\nof the content is a byte for byte copy.\r\nC\u0026C infrastructure\r\nDomain names were carefully chosen to look like they are related to the game or application publisher. The apex domain\r\nwas set to redirect to a relevant legitimate site using the Namecheap redirection service, while the subdomain points to the\r\nmalicious C\u0026C server.\r\nDomain name Registration date Redirection target\r\nxigncodeservice.com 2018-07-10 09:18:17 https://namu.wiki/[w]/XIGNCODE\r\ngxxservice.com 2018-08-14 13:53:41 None or unknown\r\ninfestexe.com 2018-11-07 08:46:44 https://www.facebook.com/infest.[in].[th]\r\nSubdomain name IP addresses Provider\r\nbugcheck.xigncodeservice.com 167.99.106[.]49, 178.128.180[.]206 DigitalOcean\r\ndump.gxxservice.com 142.93.204[.]230 DigitalOcean\r\nnw.infestexe.com 138.68.14[.]195 DigitalOcean\r\nAt the time of writing, none of the domains resolve and the C\u0026C servers are not responding.\r\nReconnaissance report\r\nA bot identifier is generated from the machine’s MAC address. 
The backdoor reports information about the machine such as\r\nthe user name, computer name, Windows version and system language to the C\u0026C server and awaits commands. The data\r\nis XOR encrypted with the key “*\u0026b0i0rong2Y7un1” and base64-encoded. The data received from the C\u0026C server is\r\nencrypted using the same key.\r\nCommands\r\nThis simple backdoor has only four commands that can be used by the attacker:\r\nDownUrlFile\r\nDownRunUrlFile\r\nRunUrlBinInMem\r\nUnInstall\r\nThe commands are pretty much self-explanatory. They allow the attacker to run additional executables from a given URL.\r\nThe last one is perhaps less obvious. The UnInstall command doesn’t remove the malware from the system. After all, it is\r\nembedded inside a legitimate executable that still needs to run. Rather than removing anything, it disables the malicious\r\ncode by setting the following registry value to 1:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImageFlag\r\nWhen the payload is started, the registry value is queried and execution is aborted if set. Perhaps the attackers are trying to\r\nreduce the load from their C\u0026C servers by avoiding callbacks from uninteresting victims.\r\nSecond stage\r\nBased on ESET telemetry, one of the second-stage payloads delivered to victims is Win64/Winnti.BN. As far as we can tell,\r\nits dropper was downloaded over HTTPS from api.goallbandungtravel[.]com. We have seen it installed as a Windows\r\nservice and as a DLL in C:\\Windows\\System32 using the following file names:\r\ncscsrv.dll\r\ndwmsvc.dll\r\niassrv.dll\r\nmprsvc.dll\r\nnlasrv.dll\r\npowfsvc.dll\r\nracsvc.dll\r\nslcsvc.dll\r\nsnmpsvc.dll\r\nsspisvc.dll\r\nThe samples we have analyzed were actually quite large, each of them about 60 MB. This is, however, only for appearance\r\nbecause the real size of the PE file is between 63 KB and 72 KB, depending on the version. The malware files simply have\r\nlots of clean files appended to them. 
This is probably done by the component that drops and installs this malicious service.\r\nOnce the service runs, it appends the extension .mui to its DLL path, reads that file and decrypts it using RC5. The decrypted\r\nMUI file contains position-independent code at offset 0. The RC5 key is derived from the hard drive serial number and the\r\nstring “f@Ukd!rCto R$.” — we were not able to obtain any MUI files nor the code that installs them in the first place. Thus,\r\nwe do not know the exact purpose of this malicious service.\r\nRecent versions of the malware include an “auto-update” mechanism, using C\u0026C server\r\nhttp://checkin.travelsanignacio[.]com. That C\u0026C server served the latest version of the MUI files encrypted with a static\r\nRC5 key. The C\u0026C server was not responding during our analysis.\r\nTargets\r\nLet’s start with who is not targeted. Early in the payload, the malware checks to see if the system language is Russian or\r\nChinese (Figure 5). In either case, the malware stops running. There is no way around this: the attackers are simply not\r\ninterested in computers configured with those languages.\r\nFigure 5 Language checks before running the payload\r\nDistribution statistics\r\nESET telemetry shows victims are mostly located in Asia, with Thailand having the largest part of the pie. Given the\r\npopularity of the compromised application that is still being distributed by its developer, it wouldn’t be surprising if the\r\nnumber of victims is in the tens or hundreds of thousands.\r\nConclusion\r\nSupply-chain attacks are hard to detect from the consumer perspective. It is impossible to start analyzing every piece of\r\nsoftware we run, especially with all the regular updates we are encouraged or required to install. 
So, we put our trust in\r\nsoftware vendors that the files they distribute don’t include malware. Perhaps that’s the reason multiple groups target\r\nsoftware developers: compromising the vendor results in a botnet as popular as the software that is hacked. However, there\r\nis a downside of using such a technique: once the scheme is uncovered, the attacker loses control and computers can be\r\ncleaned through regular updates.\r\nWe do not know the motives of the attackers at this point. Is it simply financial gain? Are there any reasons why the three\r\naffected products are from Asian developers and for the Asian market? Do these attackers use a botnet as part of a larger\r\nespionage operation?\r\nESET products detect this threat as Win32/HackedApp.Winnti.A, Win32/HackedApp.Winnti.B, the payload as\r\nWin32/Winnti.AG, and the second stage as Win64/Winnti.BN.\r\nIndicators of Compromise (IoCs)\r\nCompromised file samples (Win32/HackedApp.Winnti.A and B)\r\nSHA-1 Compile Time (UTC) RC4 key Payload SHA-1\r\n474b1c81de1eafe93602c297d701418658cf6feb Mon Jul 16 07:37:14 2018 207792894 a045939f\r\n47dd117fb07cd06c8c6faa2a085e0d484703f5fd Wed Jul 25 06:44:09 2018 207792894 a045939f\r\n54b161d446789c6096362ab1649edbddaf7145be Tue Sep 4 08:02:38 2018 165122939 a260dcf1\r\n67111518fe2982726064ada5b23fd91d1eb3d48e Wed Sep 19 09:51:44 2018 17858542 dde82093\r\n0f31ed081ccc18816ca1e3c87fe488c9b360d02f Fri Sep 28 05:32:30 2018 17858542 dde82093\r\n5e2b7b929471ac3ba22a1dfa851fac1044a698dc Tue Oct 16 05:09:15 2018 17858542 dde82093\r\n132e699e837698ef090e3f5ad12400df1b1e98fa Thu Oct 18 02:53:03 2018 17858542 dde82093\r\nd4eaf47253fe59f11a06517bb9e2d5e8b785abf8 Thu Nov 1 07:00:55 2018 17858542 dde82093\r\n7cf41b1acfb05064518a2ad9e4c16fde9185cd4b Tue Nov 13 10:12:58 2018 1729131071 8272c1f4\r\n7f73def251fcc34cbd6f5ac61822913479124a2a Wed Nov 14 03:50:18 2018 19317120 44260a1d\r\ndac0bd8972f23c9b5f7f8f06c5d629eac7926269 Tue Nov 27 03:05:16 2018 1729131071 8272c1f4\r\nSome hashes 
were redacted per request from one of the vendors. If for a particular reason you need them, reach out to us at\r\nthreatintel@eset.com.\r\nPayload Samples (Win32/Winnti.AG)\r\nSHA-1 C\u0026C server URL\r\na045939f53c5ad2c0f7368b082aa7b0bd7b116da https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_bsod.php\r\na260dcf193e747cee49ae83568eea6c04bf93cb3 https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_Include.php\r\ndde82093decde6371eb852a5e9a1aa4acf3b56ba https://bugcheck.xigncodeservice[.]com/Common/Lib/common.php\r\n8272c1f41f7c223316c0d78bd3bd5744e25c2e9f https://nw.infestexe[.]com/version/last.php\r\n44260a1dfd92922a621124640015160e621f32d5 https://dump.gxxservice[.]com/common/up/up_base.php\r\nSecond stage samples (Win64/Winnti.BN)\r\nDropper delivered by api.goallbandungtravel[.]com.\r\nSHA-1 Compile Time (UTC) C\u0026C server URL prefix\r\n4256fa6f6a39add6a1fa10ef1497a74088f12be0 2018-07-25 10:13:41 None\r\nbb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 2018-10-10 09:57:31 http://checkin.travelsanignacio[.]com\r\nMITRE ATT\u0026CK matrix\r\nID Description\r\nT1195 Supply Chain Compromise\r\nT1050 New Service\r\nT1022 Data Encrypted\r\nT1079 Multilayer Encryption\r\nT1032 Standard Cryptographic Protocol (RC4, RC5)\r\nT1043 Commonly Used Port (80,443)\r\nT1009 Binary Padding\r\nSource: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/"
	],
	"report_names": [
		"gaming-industry-scope-attackers-asia"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3335c3bb49dc819873428edaa12e1a8bb9c6e40f.pdf",
		"text": "https://archive.orkl.eu/3335c3bb49dc819873428edaa12e1a8bb9c6e40f.txt",
		"img": "https://archive.orkl.eu/3335c3bb49dc819873428edaa12e1a8bb9c6e40f.jpg"
	}
}