North Korea-linked hackers target ethnic Koreans in China via compromised gaming platform

A North Korea-aligned hacking group known as ScarCruft has compromised a video game platform used by ethnic Koreans in China in a supply-chain attack. The campaign, uncovered by cybersecurity company ESET, uses a backdoor, dubbed ‘BirdCall.’

The attack has targeted sqgame[.]net, a platform popular in China’s Yanbian region, which borders North Korea and Russia. The area has a large ethnic Korean population and is also believed to be a transit point for North Korean defectors. Researchers believe the platform was deliberately targeted due to ScarCruft’s history of spying on defectors, activists, and academics.

Besides the Windows version, the BirdCall malware now also has an Android variant. The malicious code was embedded into Android game downloads hosted on the platform. While the iOS apps and the Windows client largely remained unaffected, researchers found that a Windows update package had briefly distributed a compromised file capable of installing the malware.

“We also checked the iOS game available on the sqgame website and didn’t find any malicious code. We think that ScarCruft skipped this platform, since the trojanization and delivery of the app would be much more difficult compared to other platforms, possibly running into Apple’s review process,” ESET noted.

BirdCall is described as an advanced successor to RokRAT, a malware family attributed to the group. It enables attackers to capture screenshots, log keystrokes, steal clipboard data, and execute commands remotely. The Android variant is slightly less complex, though it can harvest contacts, messages, call logs, documents, and even record ambient audio.

Both versions of the malware use legitimate cloud services such as Dropbox, pCloud, and Zoho WorkDrive to communicate with attacker-controlled servers, helping them evade detection. Researchers note that the malware is typically deployed through multi-stage processes involving encrypted components tailored to individual devices.

Evidence suggests the campaign began as early as late 2024, although it’s unclear when the initial breach occurred. The researchers discovered multiple versions of the Android variant, suggesting that the malware is still in the development stage.
