Yesterday, after a report at Simtropolis, the NAM Team made the alarming discovery that a hacker appeared to have “updated” the copy of NAM Version 48 on ModDB to “Version 48.1”, adding a malicious Windows Control Panel extension file, and editing the installation batch script to install that file alongside the normal routines to apply the 4GB Patch and run the NAM’s installer. While we don’t entirely know the nature of the threat, a VirusTotal scan of the Control Panel file seems to suggest it is a Shelood Trojan, which is the same family of malware that was involved in the recent situation with the Traffic Mod for Cities: Skylines 2 on Paradox Mods.
The hack appears to have occurred on October 4th, 2024, and ModDB did not issue any notice of the file being updated, or any suspicious account logins, which led to it going undetected until now. The NAM Team has removed all of its files from ModDB, including those that did not appear to be affected, and we have indefinitely suspended our longstanding distribution partnership with the site accordingly.
As Simtropolis had not been hosting the NAM directly, the download link from the STEX had been referring users to ModDB, and Simtropolis users are similarly affected. The version of the NAM at SC4Evermore (SC4E) was NOT affected by the hack, and is safe to download. The STEX link has been redirected to SC4E in the meantime. As the malicious files are involved with the Windows installation process, users running the Aspyr Mac port would appear to be unaffected, but users running the Windows version on Mac or Linux may be impacted if they used the .bat file as part of their installation process. NAM Lite appears to also be unaffected.
If you downloaded the NAM from ModDB between October 4th, 2024 and November 26, 2024, either directly from that source, or via referral from Simtropolis, you would have downloaded the malicious “Version 48.1”, and if you ran the .bat file as part of your installation process, your system is most likely infected.
We recommend immediately scanning your system with Windows Defender or another reliable antivirus program to find and remove the malware, and as an additional precaution, changing site passwords and utilizing Two-Factor Authentication (2FA) when possible. The hacked version does not appear to have altered any of the actual game-readable files in the NAM, nor any parts of SC4 itself. Even if you are not infected, if you are on Windows and downloaded NAM 48 recently, we recommend deleting the downloaded files and your NAM installation, and redownloading and reinstalling the mod from SC4Evermore.
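A quick way to check a downloaded NAM archive or extracted folder for the two changes described above (an added Control Panel file and an install script that refers to it), without running anything inside it. This is an added example, not a tool from the NAM Team; it assumes the added file carries the standard `.cpl` extension, and the function names are made up for illustration.

```python
import re
import sys
import zipfile
from pathlib import Path

CPL_REF = re.compile(r"\.cpl\b", re.IGNORECASE)  # assumption: standard Control Panel extension
SCRIPT_EXTS = {".bat", ".cmd"}

def _entries(source):
    """Yield (name, read_fn) for each file in a folder or .zip; nothing is executed."""
    source = Path(source)
    if source.is_dir():
        for p in sorted(source.rglob("*")):
            if p.is_file():
                yield p.relative_to(source).as_posix(), p.read_bytes
    else:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, (lambda i=info: zf.read(i))

def triage(source):
    """List .cpl files and the batch-script lines that mention one."""
    report = {"cpl_files": [], "script_refs": []}
    for name, read in _entries(source):
        ext = Path(name).suffix.lower()
        if ext == ".cpl":
            report["cpl_files"].append(name)
        elif ext in SCRIPT_EXTS:
            text = read().decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if CPL_REF.search(line):
                    report["script_refs"].append((name, lineno, line.strip()))
    return report

def is_suspect(report):
    """True when either indicator described in the post is present."""
    return bool(report["cpl_files"] or report["script_refs"])

if __name__ == "__main__" and len(sys.argv) == 2:
    result = triage(sys.argv[1])  # path to the downloaded .zip or the extracted folder
    for name in result["cpl_files"]:
        print("Control Panel file in package:", name)
    for name, lineno, line in result["script_refs"]:
        print(f"{name}:{lineno} references a .cpl file: {line}")
    print("SUSPECT: do not run the .bat" if is_suspect(result) else "No .cpl indicators found")
```

A clean result here only means these two indicators are absent from the copy you checked; it does not replace the antivirus scan and reinstall recommended above.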
This story is still developing, and updates will be provided as they become available. My colleague Ulisse Wolf has opened a Simtropolis thread regarding the situation here, which will likely prove to be the most up-to-date source of information.
-Tarkus