Breach · Published May 5, 2026 · Updated May 17, 2026 · 3 sources

ScarCruft Compromises Gaming Platform to Deploy Multi-Platform BirdCall Malware

The North Korean state-sponsored group ScarCruft has compromised a regional gaming platform to distribute trojanized Windows and Android software, enabling long-term espionage against ethnic Koreans in China.

The North Korea-aligned threat actor ScarCruft, also known as APT37, has compromised the gaming platform `sqgame[.]net` to distribute trojanized software to Windows and Android users. The campaign, which researchers believe has been active since late 2024, specifically targets ethnic Koreans residing in China's Yanbian region—a demographic that includes many North Korean defectors and refugees.

On Windows systems, the attack uses a multi-stage chain. Users downloading updates from the platform were served a trojanized `mono.dll` library. This malicious component acts as a downloader: it performs environment checks to evade analysis tools and virtual machines, then fetches shellcode from compromised South Korean websites. The shellcode deploys the RokRAT backdoor, which in turn installs the BirdCall implant. To maintain persistence and avoid detection, the malicious DLL is eventually replaced with a clean copy fetched from another compromised site (Help Net Security).

The Android component of the campaign involves repackaged APKs for two games, "Yanbian Red Ten" and "New Drawing." Lacking access to the original source code, the attackers modified the `AndroidManifest.xml` files to redirect the application's entry point to the malicious payload before launching the legitimate game (Help Net Security). This Android variant of BirdCall, internally referred to as "zhuagou," is a port of the Windows backdoor and has evolved through at least seven versions since October 2024 (BleepingComputer, Help Net Security).

The Android malware functions as comprehensive spyware. It collects sensitive data including contact lists, SMS messages, call logs, and device metadata such as IMEI, MAC address, and root status. It also exfiltrates specific file types, including `.hwp` (Hancom Office), `.doc`, and `.pdf`, and performs periodic screen captures. To keep running in the background, the malware plays a silent MP3 file in a loop, preventing the Android system from suspending the process. Additionally, it records ambient audio via the microphone during a fixed window between 7 p.m. and 10 p.m. local time (BleepingComputer, Help Net Security).
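The two Android traits described above, a rewritten manifest entry point and a permission set sized for contact, SMS, call-log and microphone collection, are both visible in a decoded `AndroidManifest.xml`. The following triage script is an added example, not code from the ESET research or from the platform; the package name, class names and manifest contents are constructed placeholders, not the real game's, and the "known-good launcher" would come from a trusted copy of the app.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that match the data the page says the Android implant collects.
SPYWARE_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                 "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO"}

def launcher_activities(root):
    """Fully qualified names of activities carrying a MAIN/LAUNCHER intent filter."""
    pkg = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            cats = {c.get(NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                name = act.get(NS + "name") or ""
                # Manifest shorthand ".Foo" means "<package>.Foo".
                found.append(pkg + name if name.startswith(".") else name)
    return found

def audit_manifest(xml_text, expected_launcher):
    """Flag a changed entry point, a launcher outside the app's own package, and a spyware-grade permission set."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []
    for name in launcher_activities(root):
        if name != expected_launcher:
            findings.append(f"launcher redirected to {name}, expected {expected_launcher}")
        if not name.startswith(pkg + "."):
            findings.append(f"launcher {name} lives outside package {pkg}")
    hits = sorted(SPYWARE_PERMS & {p.get(NS + "name") for p in root.iter("uses-permission")})
    if len(hits) >= 3:
        findings.append("spyware-grade permissions: " + ", ".join(hits))
    return findings

# Constructed sample; package and class names are placeholders, not the real game's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.redten">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application><activity android:name="com.example.loader.EntryActivity">
    <intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
  </activity></application>
</manifest>"""
```

Run it against the manifest extracted from a suspect APK (for example with apktool) and compare with the same fields from a copy obtained directly from the developer; a launcher that moved to a class outside the original package is the strongest single signal of the repackaging described here.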

Command-and-control (C2) operations for the Android variant rely on HTTPS traffic directed at Zoho WorkDrive accounts, with researchers identifying twelve such accounts used in the campaign. While the Windows version of BirdCall has been documented since 2021 and supports a wider array of commands, including shell command execution and process manipulation, the Android port currently implements a more limited, albeit highly invasive, subset of these features (BleepingComputer, The Hacker News).

ESET researchers discovered the campaign in October 2025 and notified the platform operators in December 2025, though they received no response. While the malicious Windows update package is no longer active, the trojanized Android APKs remained available for download as of early May 2026 (Help Net Security).

This operation underscores ScarCruft’s continued focus on high-value targets, including defectors and human rights activists. By leveraging a regional gaming platform as a supply-chain vector, the group effectively bypasses traditional security controls, demonstrating a persistent and evolving strategy to maintain espionage capabilities across multiple platforms (The Hacker News).

Synthesized by Vypr AI