ScarCruft compromises gaming platform in a supply-chain assault

ESET researchers uncovered a multiplatform supply-chain assault by North Korea-aligned APT group ScarCruft, concentrating on the Yanbian area in China – dwelling to ethnic Koreans and a crossing level for North Korean refugees and defectors. Within the assault, most likely ongoing since late 2024, ScarCruft compromised Home windows and Android parts of a online game platform devoted to Yanbian-themed video games, trojanizing them with a backdoor.

The backdoor, named BirdCall by ESET, was initially identified to focus on Home windows solely; the Android model was found as a part of this supply-chain assault. On this blogpost, we offer an outline of the assault, and the primary public evaluation of the Android backdoor.

Key factors of this blogpost:

• North Korea-aligned APT group ScarCruft compromised a online game platform utilized by ethnic Koreans dwelling within the Yanbian area in China.
• The gaming platform’s Home windows shopper was compromised by a malicious replace resulting in the RokRAT backdoor, which deployed the extra refined BirdCall backdoor.
• Android video games accessible on the gaming platform had been trojanized to comprise the Android model of the BirdCall backdoor – a brand new software in ScarCruft’s arsenal.
• The objective of the marketing campaign is espionage, with the backdoor able to amassing private knowledge and paperwork, taking screenshots, and making voice recordings.

Scarcruft profile

ScarCruft, often known as APT37 or Reaper, has been working since a minimum of 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, however different Asian international locations have additionally been focused. ScarCruft appears to be primarily in authorities and navy organizations, and corporations in varied industries linked to the pursuits of North Korea. The group additionally targets North Korean defectors, with the newest such exercise introduced on this blogpost.

BirdCall backdoor

Home windows model

BirdCall is a Home windows backdoor written in C++ that we found in 2021 and attributed to ScarCruft as a part of the ESET Risk Intelligence reporting.

The backdoor has a variety of spying capabilities, together with taking screenshots, logging keystrokes and clipboard content material, stealing credentials and information, and executing shell instructions. For C&C functions, the backdoor makes use of legit cloud storage companies, equivalent to Dropbox or pCloud, or compromised web sites. BirdCall is normally deployed in a multistage loading chain, beginning with a Ruby or Python script, and containing parts encrypted utilizing a computer-specific key. The preliminary model of BirdCall was publicly described by South Korean distributors in 2021 as a sophisticated model of RokRAT (S2W, AhnLab).

Android model

The Android model of BirdCall, found within the assault that we describe on this blogpost, implements a subset of the instructions and capabilities of the Home windows backdoor – it collects contacts, SMS messages, name logs, paperwork, media information, and personal keys. It could possibly additionally take screenshots and document surrounding audio.

Primarily based on our analysis, Android BirdCall was actively developed over a span of a number of months. We recognized seven variations, starting from model 1.0 (created roughly in October 2024) to model 2.0 (created roughly in June 2025).

Discovery

Our investigation began with a suspicious APK file discovered on VirusTotal. Upon preliminary evaluation, we decided that the APK is malicious and comprises a backdoor.

Curiously, the APK turned out to be a trojanized card sport known as 延边红十 (machine translation: Yanbian Crimson Ten), which we traced to its official web site, https://www.sqgame[.]internet. sqgame is a gaming platform tailor-made for the individuals of Yanbian and hosts conventional Yanbian video games for Home windows, Android, and iOS. The gamers can compete in card and board video games (see Determine 1) with associates or be part of organized tournaments.

Surprisingly, the APK accessible for obtain on the official web site is similar because the APK we initially discovered on VirusTotal. Furthermore, a second Android sport (新画图, machine translation: New Drawing) accessible for obtain from sqgame was additionally trojanized with the identical backdoor. Additional evaluation revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor.

The Home windows desktop shopper hyperlink on the sqgame web site results in a few-years-old installer that seems to be clear. It does obtain updates as soon as put in, however we didn’t determine any malicious code there throughout our evaluation.

Investigating additional in ESET telemetry, we recognized a trojanized mono.dll library, originating from an replace package deal for the desktop shopper. ESET telemetry exhibits that this replace package deal had been malicious since a minimum of November 2024, for an unknown interval. On the time of writing, this replace package deal was not malicious.

We additionally checked the iOS sport accessible on the sqgame web site and didn’t discover any malicious code. We expect that ScarCruft skipped this platform, for the reason that trojanization and supply of the app could be far more tough in comparison with different platforms, presumably operating into Apple’s overview course of.

Victimology

For the reason that web site compromised on this assault is devoted to the individuals of Yanbian and their conventional video games, we infer that the first targets are ethnic Koreans dwelling in Yanbian. Yanbian Korean Autonomous Prefecture is a area in China that borders North Korea and is dwelling to the biggest ethnic Korean group exterior Korea.

On this context, we imagine that it’s possible that the assault was geared toward amassing data on people primarily based in (or originating from) the Yanbian area and deemed of curiosity to the North Korean regime – probably refugees or defectors.

Assault overview

Android

Two of the Android video games accessible on the sqgame web site had been discovered to be trojanized to comprise the BirdCall backdoor. The obtain web page accessible at https://www.sqgame[.]internet/video games/gamedownload.aspx is proven in Determine 2, with obtain buttons for the 2 trojanized video games highlighted in purple. The third accessible Android sport was clear on the time of our evaluation.

We discovered proof that the victims downloaded the trojanized video games through an online browser on their gadgets and doubtless put in them deliberately. Now we have not discovered some other APK areas. We additionally haven’t discovered the malicious APKs on the official Google Play retailer.

We had been unable to find out when the web site was first compromised and the supply-chain assault began. Nonetheless, primarily based on our evaluation of the deployed malware, we estimate that it occurred in late 2024.

Desk 1 exhibits the internet hosting URLs of the 2 trojanized APK information, together with the hashes of information served on the time of discovery. On the time of writing of this blogpost, the malicious information had been nonetheless up on the sqgame web site. We notified sqgame of the compromise in December 2025, however haven’t acquired a response.

Desk 1. Malicious samples

Home windows

Whereas the Home windows desktop shopper accessible on the sqgame web site didn’t comprise malicious code after we analyzed it, we later recognized a trojanized mono.dll library, originating from an replace package deal of the desktop shopper hosted on the URL http://xiazai.sqgame.com[.]cn/courting/20240429.zip. ESET telemetry exhibits that this replace package deal had been malicious since a minimum of November 2024, for an unknown interval – however on the time of writing, this replace package deal was not malicious.

ScarCruft took a clear mono library and patched it with additional code and knowledge, containing a downloader. The downloader first checks operating processes for evaluation instruments and digital machine environments and doesn’t proceed if any are discovered. In any other case, it seems to be for the method of the sqgame shopper and constructs a path to the mono library in its set up folder.

Subsequent, it downloads and executes shellcode, which contained the RokRAT backdoor on the time of discovery. Lastly, the downloader terminates the shopper course of and downloads the unique clear model of the mono library, changing the trojanized one within the put in shopper folder. Each the payload and clear mono library are downloaded from legit South Korean web sites that had been compromised for this function – a typical TTP of ScarCruft.

In response to our telemetry, the RokRAT backdoor was subsequently used to obtain and set up the BirdCall backdoor on the victimized machines.

Android BirdCall evaluation

On this part, we offer a technical evaluation of the Android BirdCall backdoor – an Android port of the eponymous Home windows backdoor written in C++. Internally, the backdoor is called zhuagou, which will be translated (from Chinese language) as “catching canine”.

Trojanized Android video games

Android BirdCall is distributed through trojanized Android video games. Within the assault described on this blogpost, we imagine that ScarCruft didn’t achieve entry to the sport’s supply code, solely to the sqgame web site or net server, and as a substitute took the unique sport APKs and recompiled or repackaged them with malicious code added.

Within the trojanized APKs, the AndroidManifest.xml entry level exercise is modified and factors to the added malicious code – which, after beginning the backdoor, executes the unique entry exercise of the sport.

Within the analyzed samples, the modified entry level exercise was both com.instance.zhuagou.SplashScreen or com.mob.util.MobSs (within the newest pattern). The modifications to AndroidManifest.xml additionally embody new exercise and repair definitions for the backdoor, in addition to further permissions required for its operation. A comparability of packages within the authentic sport and its trojanized model is proven in Determine 3.

For the reason that Android BirdCall backdoor is part of a trojanized Android app put in on the system, it doesn’t robotically begin after set up or a tool reboot; as a substitute, it depends on person execution.

Configuration

Android BirdCall comprises a default configuration, which is initialized on the primary run. The configuration makes use of JSON format and is endured in a file. Subsequent runs load the prevailing configuration file, and the configuration will be modified through backdoor instructions. An instance of a formatted configuration is proven in Determine 4.

{
    "bi": "E823D451D636D0A0",
    "skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
    "si": "20251105141404",
    "rft": 20000,
    "fst": true,
    "kill": false,
    "log": true,
    "ctm": 10000,
    "scr": false,
    "rec": false,
    "cmd": 0,
    "knowledge": 1,
    "bd_version": 37,
    "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
    "cloud": [
        {
            "ct": 9,
            "idx": 28,
            "cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
            "cst": "fa7ec5c8b050[redacted]",
            "rt": "1000.a7fc479e[redacted]",
            "at": "empty",
            "fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
            "dm": "",
            "use": 0
        },
        [redacted]
    ]
}