Chinese PC-maker Acemagic Customized Its Own Machines To Get Infected With Malware
Chinese PC maker Acemagic has admitted some of its products shipped with pre-installed malware.
YouTuber The Net Guy found malware on Acemagic mini PCs when he tested them in early February. He didn't have to work hard to find it: within a few minutes of booting the machine, Windows Defender reported the presence of the Bladabindi malware – a known backdoor that steals users' info and can also install other malicious programs.
Last week Acemagic quietly confirmed Bladabindi made it onto some of its PCs, and admitted that the Redline malware may also have hitched a ride. Redline is an info-stealer that can conduct a system inventory, lift info from browsers, and recently added the ability to steal cryptocurrency.
Acemagic's explanation for the infection was curious and a little inconsistent. In a statement dated February 21 the box builder explained the malware as follows:
"Our software developers, in an effort to enhance user experience by reducing initial boot time, made adjustments to the Microsoft source code, including network settings, without obtaining software digital signatures, and the RGB lighting control software was also without one. This oversight led to isolated reports of virus-infected mini PCs manufactured before November 18, 2023."
But in a statement sent to The Register and dated February 27, we were told "The incident stemmed from software adjustments made by developers to reduce boot times, which inadvertently affected network settings and omitted digital signatures."
Acemagic has promised to strengthen its use of digital certificates "to prevent unauthorized modifications," suggesting parties unknown may have been able to access its machines – or perhaps even its master copy of Windows – to deliver the malware.
Whatever the developers did, and whoever they worked for, it remains unclear if the infections occurred at the factory or became possible when the boxes were booted by their new owners.
Acemagic will refund the cost of machines made between September and November 2023, and has advised owners the date of manufacture is recorded on stickers affixed to the relevant models: the AD08, AD15, and S1.
In a neat coincidence, the night before The Register received Acemagic's malware confession, a review unit for one of its PCs arrived. The labels on that unit do not contain information about date of manufacture. Nor do the QR codes on the labels offer that information.
Owners who disinfect their machines – Acemagic has posted clean system images to do the job – can apply for a 25 percent purchase price rebate. Anyone with an infected machine can also apply for a voucher that applies a ten percent discount to any future Acemagic purchase – if they’re brave enough to revisit the brand.
The Register planned to test the Acemagic machine we were sent – an AM18 packing an AMD Ryzen 7 7840HS CPU – for our Desktop Tourism PC review column. Suffice to say that's on hold for now. ®