ESET researchers uncovered a multiplatform supply-chain assault by North Korea-aligned APT group ScarCruft, concentrating on the Yanbian area in China – dwelling to ethnic Koreans and a crossing level for North Korean refugees and defectors. Within the assault, most likely ongoing since late 2024, ScarCruft compromised Home windows and Android parts of a online game platform devoted to Yanbian-themed video games, trojanizing them with a backdoor.
The backdoor, named BirdCall by ESET, was initially identified to focus on Home windows solely; the Android model was found as a part of this supply-chain assault. On this blogpost, we offer an outline of the assault, and the primary public evaluation of the Android backdoor.
Key factors of this blogpost:
- North Korea-aligned APT group ScarCruft compromised a online game platform utilized by ethnic Koreans dwelling within the Yanbian area in China.
- The gaming platform’s Home windows shopper was compromised by a malicious replace resulting in the RokRAT backdoor, which deployed the extra refined BirdCall backdoor.
- Android video games accessible on the gaming platform had been trojanized to comprise the Android model of the BirdCall backdoor – a brand new software in ScarCruft’s arsenal.
- The objective of the marketing campaign is espionage, with the backdoor able to amassing private knowledge and paperwork, taking screenshots, and making voice recordings.
Scarcruft profile
ScarCruft, often known as APT37 or Reaper, has been working since a minimum of 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, however different Asian international locations have additionally been focused. ScarCruft appears to be primarily in authorities and navy organizations, and corporations in varied industries linked to the pursuits of North Korea. The group additionally targets North Korean defectors, with the newest such exercise introduced on this blogpost.
BirdCall backdoor
Home windows model
BirdCall is a Home windows backdoor written in C++ that we found in 2021 and attributed to ScarCruft as a part of the ESET Risk Intelligence reporting.
The backdoor has a variety of spying capabilities, together with taking screenshots, logging keystrokes and clipboard content material, stealing credentials and information, and executing shell instructions. For C&C functions, the backdoor makes use of legit cloud storage companies, equivalent to Dropbox or pCloud, or compromised web sites. BirdCall is normally deployed in a multistage loading chain, beginning with a Ruby or Python script, and containing parts encrypted utilizing a computer-specific key. The preliminary model of BirdCall was publicly described by South Korean distributors in 2021 as a sophisticated model of RokRAT (S2W, AhnLab).
Android model
The Android model of BirdCall, found within the assault that we describe on this blogpost, implements a subset of the instructions and capabilities of the Home windows backdoor – it collects contacts, SMS messages, name logs, paperwork, media information, and personal keys. It could possibly additionally take screenshots and document surrounding audio.
Primarily based on our analysis, Android BirdCall was actively developed over a span of a number of months. We recognized seven variations, starting from model 1.0 (created roughly in October 2024) to model 2.0 (created roughly in June 2025).
Discovery
Our investigation began with a suspicious APK file discovered on VirusTotal. Upon preliminary evaluation, we decided that the APK is malicious and comprises a backdoor.
Curiously, the APK turned out to be a trojanized card sport known as 延边红十 (machine translation: Yanbian Crimson Ten), which we traced to its official web site, https://www.sqgame[.]internet. sqgame is a gaming platform tailor-made for the individuals of Yanbian and hosts conventional Yanbian video games for Home windows, Android, and iOS. The gamers can compete in card and board video games (see Determine 1) with associates or be part of organized tournaments.
Surprisingly, the APK accessible for obtain on the official web site is similar because the APK we initially discovered on VirusTotal. Furthermore, a second Android sport (新画图, machine translation: New Drawing) accessible for obtain from sqgame was additionally trojanized with the identical backdoor. Additional evaluation revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor.
The Home windows desktop shopper hyperlink on the sqgame web site results in a few-years-old installer that seems to be clear. It does obtain updates as soon as put in, however we didn’t determine any malicious code there throughout our evaluation.
Investigating additional in ESET telemetry, we recognized a trojanized mono.dll library, originating from an replace package deal for the desktop shopper. ESET telemetry exhibits that this replace package deal had been malicious since a minimum of November 2024, for an unknown interval. On the time of writing, this replace package deal was not malicious.
We additionally checked the iOS sport accessible on the sqgame web site and didn’t discover any malicious code. We expect that ScarCruft skipped this platform, for the reason that trojanization and supply of the app could be far more tough in comparison with different platforms, presumably operating into Apple’s overview course of.
Victimology
For the reason that web site compromised on this assault is devoted to the individuals of Yanbian and their conventional video games, we infer that the first targets are ethnic Koreans dwelling in Yanbian. Yanbian Korean Autonomous Prefecture is a area in China that borders North Korea and is dwelling to the biggest ethnic Korean group exterior Korea.
On this context, we imagine that it’s possible that the assault was geared toward amassing data on people primarily based in (or originating from) the Yanbian area and deemed of curiosity to the North Korean regime – probably refugees or defectors.
Assault overview
Android
Two of the Android video games accessible on the sqgame web site had been discovered to be trojanized to comprise the BirdCall backdoor. The obtain web page accessible at https://www.sqgame[.]internet/video games/gamedownload.aspx is proven in Determine 2, with obtain buttons for the 2 trojanized video games highlighted in purple. The third accessible Android sport was clear on the time of our evaluation.
We discovered proof that the victims downloaded the trojanized video games through an online browser on their gadgets and doubtless put in them deliberately. Now we have not discovered some other APK areas. We additionally haven’t discovered the malicious APKs on the official Google Play retailer.
We had been unable to find out when the web site was first compromised and the supply-chain assault began. Nonetheless, primarily based on our evaluation of the deployed malware, we estimate that it occurred in late 2024.
Desk 1 exhibits the internet hosting URLs of the 2 trojanized APK information, together with the hashes of information served on the time of discovery. On the time of writing of this blogpost, the malicious information had been nonetheless up on the sqgame web site. We notified sqgame of the compromise in December 2025, however haven’t acquired a response.
Desk 1. Malicious samples
| Time of discovery | URL | SHA‑1 | Description |
| 2025-10 | http://sqgame.com |
03E3ECE9F48CF4104AAF |
Trojanized sport with the BirdCall |
| 2025-10 | http://sqgame.com |
FC0C691DB7E2D2BD3B0B |
Trojanized sport with the BirdCall |
Home windows
Whereas the Home windows desktop shopper accessible on the sqgame web site didn’t comprise malicious code after we analyzed it, we later recognized a trojanized mono.dll library, originating from an replace package deal of the desktop shopper hosted on the URL http://xiazai.sqgame.com[.]cn/courting/20240429.zip. ESET telemetry exhibits that this replace package deal had been malicious since a minimum of November 2024, for an unknown interval – however on the time of writing, this replace package deal was not malicious.
ScarCruft took a clear mono library and patched it with additional code and knowledge, containing a downloader. The downloader first checks operating processes for evaluation instruments and digital machine environments and doesn’t proceed if any are discovered. In any other case, it seems to be for the method of the sqgame shopper and constructs a path to the mono library in its set up folder.
Subsequent, it downloads and executes shellcode, which contained the RokRAT backdoor on the time of discovery. Lastly, the downloader terminates the shopper course of and downloads the unique clear model of the mono library, changing the trojanized one within the put in shopper folder. Each the payload and clear mono library are downloaded from legit South Korean web sites that had been compromised for this function – a typical TTP of ScarCruft.
In response to our telemetry, the RokRAT backdoor was subsequently used to obtain and set up the BirdCall backdoor on the victimized machines.
Android BirdCall evaluation
On this part, we offer a technical evaluation of the Android BirdCall backdoor – an Android port of the eponymous Home windows backdoor written in C++. Internally, the backdoor is called zhuagou, which will be translated (from Chinese language) as “catching canine”.
Trojanized Android video games
Android BirdCall is distributed through trojanized Android video games. Within the assault described on this blogpost, we imagine that ScarCruft didn’t achieve entry to the sport’s supply code, solely to the sqgame web site or net server, and as a substitute took the unique sport APKs and recompiled or repackaged them with malicious code added.
Within the trojanized APKs, the AndroidManifest.xml entry level exercise is modified and factors to the added malicious code – which, after beginning the backdoor, executes the unique entry exercise of the sport.
Within the analyzed samples, the modified entry level exercise was both com.instance.zhuagou.SplashScreen or com.mob.util.MobSs (within the newest pattern). The modifications to AndroidManifest.xml additionally embody new exercise and repair definitions for the backdoor, in addition to further permissions required for its operation. A comparability of packages within the authentic sport and its trojanized model is proven in Determine 3.
For the reason that Android BirdCall backdoor is part of a trojanized Android app put in on the system, it doesn’t robotically begin after set up or a tool reboot; as a substitute, it depends on person execution.
Configuration
Android BirdCall comprises a default configuration, which is initialized on the primary run. The configuration makes use of JSON format and is endured in a file. Subsequent runs load the prevailing configuration file, and the configuration will be modified through backdoor instructions. An instance of a formatted configuration is proven in Determine 4.
{
"bi": "E823D451D636D0A0",
"skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
"si": "20251105141404",
"rft": 20000,
"fst": true,
"kill": false,
"log": true,
"ctm": 10000,
"scr": false,
"rec": false,
"cmd": 0,
"knowledge": 1,
"bd_version": 37,
"extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
"cloud": [
{
"ct": 9,
"idx": 28,
"cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
"cst": "fa7ec5c8b050[redacted]",
"rt": "1000.a7fc479e[redacted]",
"at": "empty",
"fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
"dm": "",
"use": 0
},
[redacted]
]
}Determine 4. Android BirdCall configuration instance
The bd_version configuration entry encodes the model of the backdoor, saved as MAJOR << 5 | MINOR, so worth 37 is the same as model 1.5.
The endured configuration file is saved within the knowledge listing of the app and has a device-specific path. Moreover, in the course of the configuration initialization, the default configuration of cloud storage drives hardcoded within the pattern will be overridden by an exterior supply. If accessible, the backdoor downloads a JPG picture that comprises an encrypted cloud configuration embedded in its overlay. The picture is normally hosted on a compromised South Korean web site.
C&C communication
Android BirdCall makes use of cloud storage drives for C&C communication, just like the Home windows model. Within the analyzed samples, three cloud suppliers are supported: pCloud, Yandex Disk, and Zoho WorkDrive, though solely Zoho WorkDrive is used. The backdoor communicates through HTTPS, sending requests to API endpoints of the respective supplier utilizing the okhttp3 library.
Throughout our analysis, we noticed 12 Zoho WorkDrive drives utilized by the Android BirdCall backdoor for C&C functions. Particulars of the related accounts are proven in Desk 2.
Desk 2. Android BirdCall Zoho WorkDrive accounts
| client_id | display_name | e mail |
| 1000.AJUEYDUIQQ5G |
tomasalfred37 | tomasalfred37@zohomail[.]com |
| 1000.INXKBHQ3698C |
kalimaxim279 | kalimaxim279@zohomail[.]com |
| 1000.FYRJ46E75TUY |
Smith Bentley | smithbentley0617@zohomail[.]com |
| 1000.8QU6D2LJZ3RC |
Mic haelLarrow19 | michaellarrow19@zohomail[.]com |
| 1000.NT1QEE7V73IH |
dsf sdf | amandakurth94@zohomail[.]com |
| 1000.SKXUYYKYL06F |
dsf sdf | rexmedina89@zohomail[.]com |
| 1000.7BMBOS8GV1ZR |
dsf dsf | alishaross751@zohomail[.]com |
| 1000.V0J0QN7SJ2N7 |
sdf sdf | jamesdeeds385@zohomail[.]com |
| 1000.2IGB56IS1FHQ |
asdf sdaf | joyceluke505@zohomail[.]com |
| 1000.W4V2XMB83C6V |
dfsd sdf | marjoriemiller280@zohomail[.]com |
| 1000.LIUBF67S89H0 |
Invoice Jackson | teresadaniels200@zohomail[.]com |
| 1000.8BLOFSFU4WOF |
Zoe Jack | michaelgiesen62@zohomail[.]com |
Capabilities
Android BirdCall options an replace mechanism: a more moderen model will be loaded from an replace file, which is anticipated to be within the type of an APK within the app knowledge listing, and its obtain is triggered through the command MP_SEND_FILE.
After the non-compulsory replace process, the unique sport exercise is began, so as to not elevate suspicion. Then the backdoor checks and waits for an web connection, earlier than continuing to its most important operation.
Knowledge assortment
On the primary run, the backdoor collects a full listing itemizing of the gadget’s main shared exterior storage, and person knowledge consisting of contact listing, name log, and SMS messages.
The backdoor periodically checks in with the C&C and uploads primary data, which consists of:
- identifier values from configuration and present time,
- battery temperature, RAM and storage data, cloud configuration, backdoor model, and file extensions of curiosity,
- IP geolocation data from https://ipinfo[.]io/json, and
- on the primary run, further details about the gadget, community, and the applying is included:
○ model, mannequin, OS, kernel, and rooted standing,
○ IMEI quantity, IP handle, MAC handle, and community kind, and
○ software package deal and permissions.
The backdoor can periodically take screenshots (scr flag). In some variations, we noticed the strategy of taking part in a silent MP3 file in a loop whereas taking screenshots, which is used to stop the trojanized app from being suspended whereas operating within the background.
In among the variations, the backdoor can document audio through the microphone and listen in on the environment of the compromised gadget. Surprisingly, even when the recording is enabled (rec flag), it’s restricted to a three-hour time interval within the night, from 7 pm to 10 pm native time.
The backdoor periodically searches the shared exterior storage for information with extensions of curiosity (extentions) and phases them for exfiltration. Within the samples we analyzed, exfiltration was geared toward media information, paperwork, and personal keys: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12.
Instructions
Android BirdCall periodically checks the cloud storage drive for instructions issued for the sufferer. Decrypted instructions begin with the magic DWORD 0x2A7B4C33, and this worth matches the Home windows model of BirdCall. The instructions have zero or extra parameters, relying on their kind. Desk 3 exhibits an outline of the supported instructions with their descriptions for each platforms.
The Android model of the backdoor implements solely a subset of instructions accessible within the Home windows model.
Desk 3. BirdCall backdoor instructions
| Sort | Identify | Android description | Home windows description |
| 0x48 | MP_SET_FILESEARCH_EXTENTION | Units file extensions of curiosity within the configuration. | |
| 0x49 | MP_SET_THREADS | Toggles screenshot taking and voice recording. | Contains further capabilities equivalent to clipboard stealing and keylogging. |
| 0x4A | MP_SET_CLOUD | Units cloud API credentials within the configuration. | |
| 0x4B | MP_SET_REGISTER_FILE_CONTROL | N/A | Modifies filter used throughout file search. |
| 0x4C | MP_SET_MODE | Toggles assortment of the backdoor execution logs. | Toggles varied collection-related flags. |
| 0x4D | MP_ACTION_KILLME | Disables the backdoor. The unique sport continues working. | Uninstalls the backdoor and exits. |
| 0x4E | MP_ACTION_KILLPROCESS | N/A | Makes use of the taskkill utility to kill a course of. |
| 0x4F | MP_ACTION_FILE_OR_DIRECTORY | Helps add of a specified file or listing. | Helps a number of file and listing operations: delete, rename, open, and add. |
| 0x50 | MP_ACTION_DOWNLOAD_COMMAND | N/A | Downloads and executes instructions from a URL or cloud drive. |
| 0x51 | MP_ACTION_RESET_WORKDIRECTORIES | N/A | Can delete working directories utilized by the backdoor. |
| 0x52 | MP_ACTION_EXECUTE_SIMPLE_COMMAND | N/A | Can restart the backdoor and execute a command through cmd.exe. |
| 0x53 | MP_ACTIONS_MORE | N/A | Can carry out three operations: · Delete endured configuration. · Allow macros in Phrase (Microsoft and Hancom Workplace). · Restart the backdoor. |
| 0x54 | MP_ACTION_SHELL | N/A | Begins shell (primarily based on WCMD). |
| 0x55 | MP_ACTION_WEBSCAN | N/A | Performs HTTP scan of specified hosts/ports. |
| 0x56 | MP_GET_DATA | Can acquire: · contacts, name logs, and SMS messages, · full listing itemizing of the first shared exterior storage, and · primary data. |
Can acquire: · backdoor configuration and varied system data, · credentials from browsers and different software program, · information from IM apps – KakaoTalk, WeChat, and Sign, · digital camera pictures, and · listing itemizing. |
| 0x57 | MP_GET_TREES | Retrieves listing itemizing. | |
| 0x59 | MP_SEND_FILE | Helps backdoor updating. | Helps dropping of a file to a specified location, dropping and execution of further executables, and updating of the backdoor. |
| 0x5A | MP_SEND_SHELL | N/A | Executes shell instructions. |
| 0x5C | MP_SET_PROXY | N/A | Connects to a specified <ip>:<port> and forwards site visitors from/to the C&C server, performing as a proxy. |
A dump containing the Home windows model of BirdCall that intently resembles the one we noticed on this assault and options all of the instructions listed above will be discovered on VirusTotal with SHA‑1 B06110E0FEB7592872E380B7E3B8F77D80DD1108. The pattern was uploaded from China on July 15th, 2024.
Conclusion
Now we have uncovered a multiplatform supply-chain assault concentrating on the Yanbian area by a compromised online game platform. Analyzing the trojanized Android video games on the platform, we found a brand new software in ScarCruft’s arsenal – an Android model of the group’s BirdCall backdoor. The Android backdoor has seen energetic growth, and supplies surveillance capabilities, equivalent to assortment of non-public knowledge and paperwork, taking screenshots, and making voice recordings.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis presents non-public APT intelligence studies and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
A complete listing of indicators of compromise (IoCs) and samples will be present in our GitHub repository.
Recordsdata
| SHA-1 | Filename | Detection | Description |
| 01A33066FBC6253304C9 |
sqybhs.apk | Android/Spy.Agent.EXM | Trojanized sport with Android BirdCall model 2.0. |
| 03E3ECE9F48CF4104AAF |
ybht.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.3. |
| 2B81F78EC4C3F8D6CF8F |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.5. |
| 59A9B9D47AE36411B277 |
ybht.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.0. |
| 7356D7868C81499FB4E7 |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.0. |
| FC0C691DB7E2D2BD3B0B |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.5. |
| 95BDB94F6767A3CCE6D9 |
mono.dll | Win32/TrojanDownloader |
Trojanized mono library. |
| 409C5ACAED587F62F7E2 |
N/A | Win32/TrojanDownloader |
Downloader resulting in the RokRAT backdoor. |
| B06110E0FEB7592872E3 |
N/A | Win64/Agent.EGN | Publicly accessible dump of Home windows BirdCall backdoor. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| 39.106.249[.]68 | sqgame.com[.]cn | Hangzhou Alibaba Promoting Co.,Ltd. | 2024‑06‑01 | Compromised sqgame web site internet hosting trojanized video games and malicious updates. |
| 211.239.117[.]117 | 1980food.co[.]kr | Hostway IDC | 2025‑03‑07 | Compromised South Korean web site used to host Android BirdCall configuration. |
| 114.108.128[.]157 | inodea[.]com | LG DACOM Company | 2025‑07‑03 | Compromised South Korean web site used to host Android BirdCall configuration. |
| 221.143.43[.]214 | www.lawwell.co[.]kr | SK Broadband Co Ltd | 2024‑11‑04 | Compromised South Korean web site used to host shellcode and clear mono library. |
| 222.231.2[.]20 | colorncopy.co[.]kr swr.co[.]kr |
LG DACOM Company | 2025‑03‑18 | Compromised South Korean web site used to host shellcode. |
| 222.231.2[.]23 | sejonghaeun[.]com | IP Supervisor | 2025‑03‑18 | Compromised South Korean web site used to host clear mono library. |
| 222.231.2[.]41 | cndsoft.co[.]kr | IP Supervisor | 2025‑03‑18 | Compromised South Korean web site used to host shellcode. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 18 of the MITRE ATT&CK Enterprise framework.
| Tactic | ID | Identify | Description |
| Useful resource Growth | T1584.004 | Compromise Infrastructure: Server | ScarCruft compromised South Korean web sites to host payloads and configurations. ScarCruft compromised the sqgame web site to carry out a supply-chain assault. |
| T1585.003 | Set up Accounts: Cloud Accounts | ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&C functions. | |
| T1587.001 | Develop Capabilities: Malware | ScarCruft developed the Android model of the BirdCall backdoor. | |
| T1608.001 | Stage Capabilities: Add Malware | ScarCruft uploaded trojanized video games to the compromised sqgame web site. | |
| Preliminary Entry | T1195.002 | Provide Chain Compromise: Compromise Software program Provide Chain | ScarCruft compromised an sqgame replace server to distribute malicious updates. |
| Execution | T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | BirdCall can execute shell instructions. |
| Protection Evasion | T1027.013 | Obfuscated Recordsdata or Info: Encrypted/Encoded File | BirdCall has encrypted strings and loading chain parts. The trojanized mono library comprises encrypted shellcode. |
| T1070.004 | Indicator Removing: File Deletion | The trojanized mono library is changed with a clear one. | |
| T1112 | Modify Registry | BirdCall can modify settings of phrase processors to allow macros. | |
| T1140 | Deobfuscate/Decode Recordsdata or Info | BirdCall decrypts strings and loading chain parts. | |
| T1480.001 | Execution Guardrails: Environmental Keying | BirdCall’s loading chain has parts encrypted with a computer-specific key. | |
| T1497 | Virtualization/Sandbox Evasion | The downloader within the trojanized mono library checks for evaluation instruments and digital machine environments. | |
| Credential Entry | T1555 | Credentials from Password Shops | BirdCall can acquire saved passwords from browsers and different software program. |
| Discovery | T1046 | Community Service Discovery | BirdCall can scan a spread of IPs and ports with an HTTP GET request. |
| T1082 | System Info Discovery | BirdCall can acquire varied system data. | |
| T1083 | File and Listing Discovery | BirdCall can acquire details about drives and directories. | |
| Assortment | T1005 | Knowledge from Native System | BirdCall can gather person information from IM purchasers KakaoTalk, WeChat, and Sign. |
| T1056.001 | Enter Seize: Keylogging | BirdCall can log keystrokes. | |
| T1113 | Display screen Seize | BirdCall can seize screenshots. | |
| T1115 | Clipboard Knowledge | BirdCall can gather clipboard contents. | |
| T1119 | Automated Assortment | BirdCall can periodically gather information with sure extensions from native and detachable drives. | |
| T1125 | Video Seize | BirdCall can seize a webcam photograph. | |
| T1560 | Archive Collected Knowledge | BirdCall compresses and encrypts collected knowledge earlier than exfiltration. | |
| Command and Management | T1071.001 | Utility Layer Protocol: Net Protocols | BirdCall makes use of HTTP to speak with cloud storage companies. |
| T1090 | Proxy | BirdCall can act as a proxy. | |
| T1102.002 | Net Service: Bidirectional Communication | BirdCall communicates with cloud storage companies to obtain instructions and exfiltrate knowledge. | |
| Exfiltration | T1020 | Automated Exfiltration | BirdCall periodically exfiltrates collected knowledge. |
| T1041 | Exfiltration Over C2 Channel | BirdCall exfiltrates knowledge to its C&C server. | |
| T1567.002 | Exfiltration Over Net Service: Exfiltration to Cloud Storage | BirdCall exfiltrates knowledge to cloud storage companies. |
This desk was constructed utilizing model 18 of the MITRE ATT&CK Cellular framework.
| Tactic | ID | Identify | Description |
| Preliminary Entry | T1474.003 | Provide Chain Compromise: Compromise Software program Provide Chain | ScarCruft carried out a supply-chain assault, compromising the sqgame web site, to distribute trojanized video games containing the Android BirdCall backdoor. |
| Protection Evasion | T1406 | Obfuscated Recordsdata or Info | Model 2.0 of the Android BirdCall backdoor is obfuscated. |
| T1407 | Obtain New Code at Runtime | The Android BirdCall backdoor can obtain and cargo newer variations of itself. | |
| T1541 | Foreground Persistence | Android BirdCall makes use of the startForeground API to take screenshots whereas within the background. | |
| Discovery | T1420 | File and Listing Discovery | Android BirdCall creates a listing itemizing and searches for information with specified extensions. |
| T1422 | Native Community Configuration Discovery | Android BirdCall obtains the gadget’s IMEI, IP handle, and MAC handle. | |
| T1426 | System Info Discovery | Android BirdCall obtains system data of the compromised gadget together with model, mannequin, OS model, kernel model, rooted standing, battery temperature, RAM, and storage data. | |
| Assortment | T1532 | Archive Collected Knowledge | Android BirdCall compresses and encrypts collected knowledge. |
| T1429 | Audio Seize | Android BirdCall can document voice utilizing the microphone. | |
| T1430 | Location Monitoring | Android BirdCall obtains approximate gadget location utilizing the ipinfo[.]io service. | |
| T1513 | Display screen Seize | Android BirdCall can take screenshots. | |
| T1533 | Knowledge from Native System | Android BirdCall collects native information with the next extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12. | |
| T1636.002 | Protected Person Knowledge: Name Log | Android BirdCall collects the decision log. | |
| T1636.003 | Protected Person Knowledge: Contact Record | Android BirdCall collects the contact listing. | |
| T1636.004 | Protected Person Knowledge: SMS Messages | Android BirdCall collects SMS messages. | |
| Command and Management | T1437.001 | Utility Layer Protocol: Net Protocols | Android BirdCall communicates with the C&C cloud storage drive utilizing HTTPS. |
| T1481.002 | Net Service: Bidirectional Communication | Android BirdCall makes use of a Zoho WorkDrive service cloud storage drive for C&C functions. | |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Android BirdCall makes use of the C&C channel for knowledge exfiltration. |
