ScarCruft Compromises Gaming Platform in Supply Chain Attack to Deploy BirdCall Backdoor on Android and Windows Against Ethnic Koreans in China
ESET researchers have uncovered a supply chain espionage campaign by North Korean APT group ScarCruft that compromised a video game platform popular with ethnic Koreans living in China's Yanbian region — a border area known as a primary transit point for North Korean defectors crossing the Tumen River into China and Russia.
The attack targeted sqgame[.]net, a platform hosting Yanbian-themed games, and has likely been ongoing since late 2024. ScarCruft trojanized both Android and Windows components of the platform with BirdCall, an advanced backdoor evolved from the group's long-running RokRAT malware family. While BirdCall has been observed targeting Windows systems since 2021, this supply chain compromise marks its expansion to Android — turning it into a true multi-platform surveillance tool.
The target selection is deliberate. ScarCruft has a well-documented history of targeting North Korean defectors, human rights activists, and university professors — exactly the demographic likely to use a Korean-language gaming platform in a border region with active defector movement.
The supply chain compromise poisoned the Android APKs served from the platform: two game download pages were altered to deliver malicious packages, while the iOS games and the Windows desktop client installer were not modified. Separately, evidence indicates that a Windows desktop client update package delivered a trojanized DLL from at least November 2024 for an unspecified period; by the time of analysis that update was no longer malicious.
The Windows infection chain starts with the trojanized DLL, which functions as a downloader. As a sandbox-evasion step it first enumerates running processes for analysis tools and virtual-machine artifacts, and only then downloads and executes shellcode containing RokRAT. RokRAT in turn fetches and installs BirdCall on the infected host. BirdCall's Windows variant supports screenshot capture, keystroke logging, clipboard theft, shell command execution, and data collection. BirdCall itself is deployed through a multistage loading chain that starts with Ruby or Python scripts, with later-stage components encrypted under a machine-specific key, which hinders analysis of the payload on any other host.
The Android variant incorporates a subset of the Windows capabilities while adding mobile-specific surveillance: contact list harvesting, SMS and call log collection, media file and document exfiltration, screenshots, and ambient audio recording. ESET identified seven versions of the Android backdoor dating back to October 2024, confirming active and ongoing development.
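Each mobile capability listed above requires a specific Android permission, so a sideloaded "game" whose manifest asks for several of them deserves a second look. The script below is an added example, not ESET's or the game platform's code: it triages a decoded AndroidManifest.xml (as produced by apktool; a raw APK carries a binary manifest) and flags an app that requests two or more surveillance-grade permission classes. The two sample manifests, the package names com.example.ybgame and com.example.puzzle, the permission-to-capability mapping and the "game baseline" permission set are all the example's own assumptions, not data from the real APKs.

```python
"""Triage a decoded AndroidManifest.xml for surveillance-grade permissions.

Added example, not ESET's or the game platform's code. It assumes the
manifest has already been decoded to plain XML (e.g. with apktool); a raw
APK carries a binary manifest that ElementTree cannot read.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability described in the report -> the permission an app needs for it.
# (This mapping is the example's own assumption of how each capability is
# implemented on Android; the malware's actual permission set is not reproduced.)
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contact list harvesting",
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "SMS collection",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.RECORD_AUDIO": "ambient audio recording",
    "android.permission.READ_EXTERNAL_STORAGE": "media/document exfiltration",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "media/document exfiltration",
    "android.permission.READ_MEDIA_IMAGES": "media/document exfiltration",
}

# Permissions a casual game can plausibly justify (assumed baseline).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    # Element tags are unqualified; only the attributes carry the android: namespace.
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str) -> dict:
    """Classify the requested permissions and return a verdict for the package."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    suspicious = {p: SURVEILLANCE_PERMS[p] for p in sorted(perms) if p in SURVEILLANCE_PERMS}
    capabilities = sorted(set(suspicious.values()))
    return {
        "package": root.get("package"),
        "surveillance_permissions": suspicious,
        "capabilities_enabled": capabilities,
        "other_non_baseline": sorted(perms - GAME_BASELINE - set(SURVEILLANCE_PERMS)),
        # One class alone (e.g. storage) can be legitimate; two or more in a game is not.
        "verdict": "INVESTIGATE" if len(capabilities) >= 2 else "OK",
    }


# Constructed sample manifests (not taken from the real APKs).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ybgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Game"/>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Puzzle"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], result["verdict"], result["capabilities_enabled"])
```

The verdict threshold is deliberately conservative: a single surveillance-class permission (most often storage) is common in legitimate apps, but a game that wants audio, SMS, contacts and call logs at once has no innocent explanation. In practice, run this over `apktool d` output for any APK offered by a community site before anyone installs it.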
Both platforms rely on legitimate cloud storage services for command-and-control — Dropbox and pCloud for Windows, with the Android variant adding Yandex Disk and Zoho WorkDrive. The use of Zoho WorkDrive has become an increasingly common pattern across multiple ScarCruft campaigns.
Defensive Guidance:
Organizations and individuals in the Korean diaspora community, particularly those in border regions or involved in human rights and defector support work, should assume that gaming platforms and cultural community sites can be weaponized as delivery vectors. Avoid sideloading APKs from websites, even trusted community platforms, and install apps only through official stores. On Android, treat a game that requests audio recording, SMS, call log or contacts access as suspect, since those are exactly the permissions the mobile variant's surveillance features need. On Windows, watch for a game client loading an unexpected DLL, for Ruby or Python interpreters appearing on hosts that have no reason to run them, and for outbound connections to cloud storage APIs (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive) from any process other than the vendors' own clients or a browser. Block the identified malicious download URLs sqgame.com[.]cn/ybht.apk and sqgame.com[.]cn/sqybhs.apk.
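The Windows-side guidance above (cloud storage APIs contacted by the wrong process, with Ruby or Python interpreters as the loudest signal given the loading chain) can be turned into a small detection. The script below is an added example, not ESET's detection content: it reads Sysmon Event ID 3 style network-connection events written as key=value text, maps destination hosts to the four services, and alerts on any connection that does not come from an allowlisted client or browser. The log lines, the process allowlists, the path C:\Users\alice\Games\GameLauncher.exe and the service hostname list are all constructed for illustration; the hostnames are the example's assumption of each service's API endpoints, not indicators from the report.

```python
"""Flag cloud-storage C2 traffic from processes that should not generate it.

Added example, not ESET's detection content. Input lines mimic Sysmon
Event ID 3 (network connection) fields as key=value text; the log lines,
process names and allowlists are constructed for illustration.
"""
import re

# Service API hostnames (the example's assumption of the relevant endpoints,
# not indicators from the report). Matched exactly or as a parent-domain suffix.
CLOUD_HOSTS = {
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
    "zohoapis.com": "Zoho WorkDrive",
}

# Processes expected to talk to these services on a managed endpoint (assumed).
EXPECTED_CLIENTS = {"dropbox.exe", "pcloud.exe", "yandexdisk.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}

# Interpreters and living-off-the-land hosts. The Windows chain stages BirdCall
# through Ruby or Python scripts, so these contacting a cloud storage API are
# the strongest signal and get the highest severity.
LOADER_HOSTS = {"ruby.exe", "python.exe", "pythonw.exe", "rundll32.exe",
                "regsvr32.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify_host(hostname: str):
    """Return the cloud service a destination host belongs to, or None."""
    h = hostname.lower().rstrip(".")
    for suffix, service in CLOUD_HOSTS.items():
        if h == suffix or h.endswith("." + suffix):
            return service
    return None


def detect(lines) -> list:
    """Return one alert per cloud-storage connection from an unexpected process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":  # only network-connection events
            continue
        service = classify_host(ev.get("DestinationHostname", ""))
        if service is None:
            continue
        image = ev.get("Image", "")
        proc = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if proc in EXPECTED_CLIENTS:
            continue
        alerts.append({
            "process": proc,
            "image": image,
            "service": service,
            "hostname": ev.get("DestinationHostname"),
            "severity": "high" if proc in LOADER_HOSTS else "medium",
        })
    return alerts


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    r'EventID=3 Image="C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" DestinationHostname=api.dropboxapi.com DestinationPort=443',
    r'EventID=3 Image="C:\Users\alice\AppData\Local\Programs\Ruby\bin\ruby.exe" DestinationHostname=content.dropboxapi.com DestinationPort=443',
    r'EventID=3 Image="C:\Windows\System32\rundll32.exe" DestinationHostname=api.pcloud.com DestinationPort=443',
    r'EventID=3 Image="C:\Users\alice\Games\GameLauncher.exe" DestinationHostname=workdrive.zoho.com DestinationPort=443',
    r'EventID=3 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" DestinationHostname=www.dropbox.com DestinationPort=443',
    r'EventID=3 Image="C:\Windows\System32\svchost.exe" DestinationHostname=update.example.net DestinationPort=443',
    r'EventID=1 Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe x.dll,Run"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['process']} -> {a['service']} ({a['hostname']})")
```

Suffix matching on the parent domain keeps the rule robust to the many API subdomains these services use, but it also means the hostname list should stay narrow (the API and WorkDrive hosts, not every Zoho or Yandex property), otherwise ordinary mail or search traffic will drown the signal. On a real estate, the process allowlist is the piece to tune per host.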