
ScarCruft Exploits Gaming Platform in Supply Chain Attack, Deploying BirdCall Malware

North Korea-aligned hacking group ScarCruft has compromised a popular video game platform, sqgame.net, in a sophisticated supply chain attack. The group trojanized components of the platform to deploy its BirdCall backdoor malware on both Android and Windows devices, likely targeting ethnic Koreans in China and North Korean defectors.

Key Takeaways

  • ScarCruft, a state-sponsored North Korean hacking group, targeted the sqgame.net gaming platform.

  • The attack was a supply chain compromise of the platform itself, affecting both the Android games it distributes and the Windows desktop client's update channel.

  • The BirdCall backdoor malware was deployed, expanding its reach to Android devices.

  • The primary targets are likely ethnic Koreans in China and North Korean defectors.

The Compromise of Sqgame.net

The targeted platform, sqgame.net, is a gaming service catering to ethnic Koreans in China's Yanbian region, an area known as a transit point for North Korean defectors. ScarCruft's strategy involved compromising the platform's web server to repackage legitimate Android game applications with malicious code. For Windows users, the infection vector was a trojanized update package for the desktop client.

BirdCall Malware: A Multi-Platform Threat

BirdCall, previously known to target only Windows systems, has now been adapted to infect Android devices. The Windows version, an evolution of the RokRAT backdoor, can capture screenshots, log keystrokes, steal clipboard data, and execute shell commands. It uses legitimate cloud services such as Dropbox and pCloud for command and control (C2), so its traffic blends in with ordinary file-sync activity.

The Android variant implements a subset of the Windows version's capabilities but adds mobile-specific collection: contact lists, SMS messages, call logs, media files, documents, and ambient audio. It also captures screenshots and relies on cloud services such as pCloud, Yandex Disk, and Zoho WorkDrive for C2 communication.
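Because both BirdCall variants hide their C2 inside legitimate cloud-storage APIs, blocking or alerting on the destination alone is useless: the same endpoints are used by real sync clients. What does separate a backdoor from a sync client is the process that opens the connection. The script below is an added example (not code from ESET, the article, or sqgame.net) of that check run over constructed EDR-style network events. The API hostnames, the allowlisted client executable names, and the hypothetical game client path are assumptions; tune them to your own environment.

```python
"""Flag processes that reach cloud-storage APIs without being a known
sync client: a triage heuristic for cloud-backed C2 such as BirdCall's.

Added example; not code from the report or the article. Hostnames,
allowlisted executables and the sample events are assumptions."""
import json
import ntpath
from collections import defaultdict

# Assumed API hostnames for the cloud services named in the report. These are
# the endpoints legitimate clients use too, so the host alone is not an IoC.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
    "www.zohoapis.com": "Zoho WorkDrive",
}

# Assumed: executables permitted to talk to each service on a managed host.
EXPECTED_CLIENTS = {
    "Dropbox": {"dropbox.exe"},
    "pCloud": {"pcloud.exe"},
    "Yandex Disk": {"yandexdisk2.exe"},
    "Zoho WorkDrive": {"workdrive.exe"},
}

# Constructed sample events (JSON lines), not real telemetry. GameClient.exe
# stands in for a hypothetical trojanized desktop game client.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-10-01T09:00:01Z", "host": "WS01",
     "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dst": "api.dropboxapi.com:443"},
    {"ts": "2025-10-01T09:02:14Z", "host": "WS01",
     "image": r"C:\Games\GameClient\GameClient.exe",
     "dst": "api.pcloud.com:443"},
    {"ts": "2025-10-01T09:03:40Z", "host": "WS01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "www.dropbox.com:443"},
    {"ts": "2025-10-01T09:05:09Z", "host": "WS01",
     "image": r"C:\Windows\explorer.exe",
     "dst": "cloud-api.yandex.net:443"},
    {"ts": "2025-10-01T09:07:31Z", "host": "WS01",
     "image": r"C:\Games\GameClient\GameClient.exe",
     "dst": "content.dropboxapi.com:443"},
    {"ts": "2025-10-01T09:09:55Z", "host": "WS01",
     "image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "dst": "workdrive.zoho.com:443"},
])


def cloud_c2_candidates(events_text):
    """Return events where a non-allowlisted process reached a cloud-storage API."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Strip the port; destinations here are "host:port" (no IPv6 literals).
        dst_host = ev["dst"].rsplit(":", 1)[0].lower()
        service = CLOUD_STORAGE_HOSTS.get(dst_host)
        if service is None:
            continue                      # not a storage API endpoint we track
        exe = ntpath.basename(ev["image"]).lower()
        if exe in EXPECTED_CLIENTS.get(service, set()):
            continue                      # the real sync client; expected
        hits.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"],
                     "exe": exe, "service": service, "dst_host": dst_host})
    return hits


def summarize(hits):
    """Group hits by (host, exe) -> sorted list of services contacted.
    A single unexpected process touching several providers is a strong lead."""
    by_proc = defaultdict(set)
    for h in hits:
        by_proc[(h["host"], h["exe"])].add(h["service"])
    return {k: sorted(v) for k, v in by_proc.items()}


if __name__ == "__main__":
    found = cloud_c2_candidates(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["image"]} -> {h["dst_host"]} ({h["service"]})')
    for (host, exe), services in summarize(found).items():
        print(f"{host}: {exe} contacted {', '.join(services)}")
```

Browsers, office suites and backup agents will also legitimately hit some of these endpoints, so extend EXPECTED_CLIENTS from your own baseline before alerting on this; the value of the heuristic is that a game client, explorer.exe, or an executable in a Temp directory has no business speaking to a storage API, regardless of which provider it picks.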

Attack Details and Victimology

ESET researchers discovered the campaign in October 2025, with evidence suggesting the attack began in late 2024. The trojanized Android games, including "Yanbian Red Ten" and "New Drawing," were still available for download from sqgame.net at the time of discovery. The Windows client's malicious update package, which contained a trojanized DLL, had been active since at least November 2024.

The targeting of sqgame.net is consistent with ScarCruft's history of focusing on North Korean defectors, human rights activists, and individuals of interest to the North Korean regime. The Yanbian region's strategic location and large ethnic Korean population make it a prime target for such espionage activities.

ScarCruft's Modus Operandi

ScarCruft, also known as APT37 or Reaper, is a state-sponsored group believed to operate on behalf of North Korea. Its operations typically focus on espionage, with a history of targeting South Korea, government entities, and military organizations. The development of a multi-platform backdoor like BirdCall signals an expansion of the group's capabilities and reach.

Sources

  • ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows, The Hacker News.

  • BirdCall Spyware Hides in Gaming Apps, Android Headlines.

  • ScarCruft compromises gaming platform in a supply-chain attack, WeLiveSecurity.

  • New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android Backdoors, CyberSecurityNews.

  • APT37 hacks gaming platform to spread new BirdCall Android spyware, CyberInsider.
