ScarCruft APT Compromises Gaming Platform in Targeted Supply-Chain Attack
The North Korean-aligned APT group ScarCruft has compromised a regional gaming platform to distribute sophisticated Windows and Android backdoors in a targeted supply-chain attack.

The North Korea-aligned advanced persistent threat (APT) group ScarCruft, also known as APT37 or Reaper, has launched a sophisticated supply-chain attack targeting a regional gaming platform. By compromising the official distribution channels of a gaming site popular among ethnic Koreans in China’s Yanbian region, the attackers successfully deployed malicious backdoors to both Windows and Android users (ESET WeLiveSecurity).

The campaign, which ESET researchers believe has been active since at least late 2024, centers on the gaming platform sqgame[.]net. This site hosts traditional games tailored for the Yanbian community. For Windows users, the attackers compromised the platform's update mechanism to deliver the RokRAT backdoor, which subsequently deployed a more advanced tool known as BirdCall. For Android users, the attackers trojanized legitimate game applications, such as the card game "Yanbian Red Ten", with a newly discovered Android-specific variant of the BirdCall backdoor (ESET WeLiveSecurity).

BirdCall is a highly capable espionage tool. The Windows version, written in C++, supports a wide array of malicious functions, including keystroke logging, clipboard monitoring, credential and file theft, and the execution of arbitrary shell commands. It typically employs a multi-stage loading chain that utilizes encrypted components and leverages legitimate cloud services like Dropbox or pCloud for command-and-control (C&C) communications (ESET WeLiveSecurity).

The Android iteration of BirdCall, which ESET researchers observed evolving through seven distinct versions between October 2024 and June 2025, mirrors the Windows version's intent. It is designed to exfiltrate sensitive personal data, including SMS messages, contact lists, call logs, private keys, and various media files. Additionally, the malware can capture screenshots and record audio from the device's surroundings, providing the attackers with persistent surveillance capabilities (ESET WeLiveSecurity).

The discovery of this campaign began when researchers identified a suspicious APK file on VirusTotal, which was subsequently traced back to the official sqgame[.]net portal. The fact that the malicious APK found on VirusTotal matched the one available for direct download from the platform's official website indicates a successful compromise of the developer's distribution infrastructure (ESET WeLiveSecurity).

ScarCruft has been active since at least 2012, primarily focusing on government, military, and industrial targets that align with North Korean state interests. This specific operation highlights the group's continued interest in targeting North Korean defectors and ethnic Korean populations in neighboring regions. As threat actors increasingly leverage supply-chain compromises to reach specific demographics, this incident serves as a reminder of the risks associated with niche software platforms and the importance of verifying the integrity of downloaded applications (ESET WeLiveSecurity).
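The last two paragraphs turn on a single defensive practice: comparing a downloaded APK against a known-good reference before trusting it. The script below is an added example written for this article; it is not ESET's tooling and has nothing to do with the real sqgame[.]net packages. It uses only the Python standard library, builds a constructed miniature APK in memory (an APK is a zip archive carrying a JAR-style `META-INF/MANIFEST.MF` that lists a base64 digest for every entry), and then checks two things a defender can verify offline: whether the whole file matches a pinned SHA-256 obtained from a trusted source, and whether every entry still matches the digest recorded in its manifest. The package name and file contents are invented for the demonstration.

```python
import base64
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def build_sample_apk(tamper: bool = False, signed: bool = True) -> bytes:
    """Build a constructed, APK-shaped zip for the demonstration.

    tamper=True swaps classes.dex after the manifest was generated, the
    pattern of a file replaced in a build without re-signing it.
    signed=False omits the manifest entirely (an unsigned/stripped package).
    """
    entries = {
        "AndroidManifest.xml": b"<manifest package='example.hypothetical.game'/>",
        "classes.dex": b"dex\n035\x00" + b"A" * 64,
        "res/raw/game.dat": b"constructed card-game resources",
    }
    lines = ["Manifest-Version: 1.0", "Created-By: constructed-sample", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    manifest = "\r\n".join(lines).encode()
    if tamper:
        entries["classes.dex"] = b"dex\n035\x00" + b"B" * 64  # swapped after signing
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if signed:
            zf.writestr(MANIFEST_PATH, manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map entry name -> (digest header name, base64 digest) from MANIFEST.MF.

    Handles the JAR rule that a line starting with a space continues the
    previous line (manifests wrap long values at 72 bytes).
    """
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    digests: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    section: Dict[str, str] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last section
        if line == "":
            if "Name" in section:  # the main section has no Name and is skipped
                alg = next((k for k in ("SHA-256-Digest", "SHA1-Digest") if k in section), None)
                digests[section["Name"]] = (alg, section.get(alg) if alg else None)
            section = {}
            continue
        key, _, value = line.partition(":")
        section[key.strip()] = value.strip()
    return digests


def verify_apk(apk_bytes: bytes, pinned_sha256: Optional[str] = None) -> dict:
    """Check a package against a pinned file hash and its own manifest digests."""
    result = {
        "file_sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "pin_match": None,            # None when no pin was supplied
        "unsigned": False,            # no MANIFEST.MF present at all
        "missing_from_manifest": [],  # entries the signer never covered
        "digest_mismatch": [],        # entries changed after the manifest was written
    }
    if pinned_sha256 is not None:
        result["pin_match"] = result["file_sha256"] == pinned_sha256.lower()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if MANIFEST_PATH not in names:
            result["unsigned"] = True
        else:
            digests = parse_manifest(zf.read(MANIFEST_PATH).decode())
            for name in names:
                if name.startswith("META-INF/") or name.endswith("/"):
                    continue
                if name not in digests:
                    result["missing_from_manifest"].append(name)
                    continue
                alg, expected = digests[name]
                hasher = hashlib.sha256 if alg == "SHA-256-Digest" else hashlib.sha1
                actual = base64.b64encode(hasher(zf.read(name)).digest()).decode()
                if expected is None or actual != expected:
                    result["digest_mismatch"].append(name)
    result["clean"] = (
        not result["unsigned"]
        and not result["missing_from_manifest"]
        and not result["digest_mismatch"]
        and result["pin_match"] is not False
    )
    return result


if __name__ == "__main__":
    good = build_sample_apk()
    print(verify_apk(build_sample_apk(tamper=True), pinned_sha256=hashlib.sha256(good).hexdigest()))
```

The manifest check only catches entries altered after signing; a trojanized build that the attacker re-signs with their own key carries a perfectly consistent manifest. That is why the pinned file hash (from the vendor's published checksum, an earlier known-good download, or the VirusTotal record the researchers started from) is the decisive check here, and in production it should be paired with pinning the signer certificate fingerprint as reported by `apksigner verify --print-certs` from the Android SDK, so that a change of signing key on an "update" is itself treated as an indicator of compromise.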