
Cyber Incident Victim: BigNox

Date:

Sep 2020

Location:

Hong Kong

Summary

A threat actor compromised the official servers of an Android emulator provider, manipulating update delivery mechanisms to distribute malware-laced updates selectively to a small number of users in specific regions. The attackers deployed three distinct surveillance-focused malware families, targeting only five identified victims across Taiwan, Hong Kong, and Sri Lanka without apparent financial motives. The company implemented enhanced security measures including HTTPS enforcement, file integrity verification, and data encryption following the discovery. Researchers attributed the campaign to a known group based on technical similarities to prior supply-chain attacks, though the precise identity remains unconfirmed.


Description

In September 2020, a threat actor compromised the official API and file-hosting servers of BigNox, the Hong Kong-based developer of the NoxPlayer Android emulator. Attackers manipulated download URLs for software updates on the compromised API server to distribute malicious updates to selected users. Evidence indicated the attackers maintained access to BigNox infrastructure for several months, though the malicious activity remained undetected until cybersecurity firm ESET investigated and disclosed the incident in February 2021. The attackers exclusively targeted a limited number of users across specific geographic regions, with confirmed victims located in Taiwan, Hong Kong, and Sri Lanka. ESET telemetry identified only five compromised devices receiving tampered updates during the campaign. The operation exhibited deliberate victim selection rather than broad exploitation, suggesting objectives focused on surveillance of particular individuals or organizations.

Three distinct malware families were delivered through the hijacked update mechanism, all exhibiting capabilities consistent with espionage operations rather than financial theft. Forensic analysis revealed similarities between these payloads and malware strains previously associated with a group tracked as Stellera, though ESET did not conclusively attribute the attack to any specific entity. BigNox implemented corrective measures after being notified, including enforcing HTTPS for all update deliveries, adding MD5 hash verification and digital signature validation for update files, and encrypting sensitive data on their servers. The company confirmed no widespread compromise of its user base occurred due to the highly targeted nature of the attack. ESET published technical indicators and remediation guidance for affected users while noting the absence of observable financial motives in the campaign’s execution.
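As an added illustration of the corrective measure described above (signed update metadata plus hash verification on the client), here is an update-integrity check written for this page; it is not BigNox's or ESET's code. The manifest format, the Ed25519 key pair, and the URLs are all constructed for the demo. The point it shows is that a manifest rewritten on a compromised API server fails the signature check, and a swapped file fails the hash check, so neither change on the server side reaches the client unnoticed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor served by the vendor API.
// The vendor signs its canonical JSON with a key kept off the web servers.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// signManifest is the vendor-side step (assumed tooling, not BigNox's own).
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	data, _ := json.Marshal(m) // struct of strings; marshal cannot fail
	return ed25519.Sign(priv, data)
}

// VerifyUpdate is the client-side check. A manifest rewritten on a compromised
// API server (changed URL or hash) fails the signature check; a swapped file
// fails the hash check. Both must pass before the update is applied.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	data, _ := json.Marshal(m)
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("manifest signature invalid: metadata tampered or unsigned")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload hash mismatch: file does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	payload := []byte("constructed update package bytes")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "1.0.1", URL: "https://updates.example/nox.bin", SHA256: hex.EncodeToString(sum[:])}
	sig := signManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, payload))
	m.URL = "https://mirror.example/nox.bin" // the kind of URL rewrite described in the incident
	fmt.Println("rewritten URL:", VerifyUpdate(pub, m, sig, payload))
}
```

The signature covers the URL and hash together, so the client never trusts a download location or checksum that the API server alone asserts.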
