North Korea-aligned APT group ScarCruft (APT37) has been caught compromising a legitimate gaming platform to deliver a previously undocumented Android version of its BirdCall backdoor, marking the first public multiplatform supply-chain attack by the threat actor targeting ethnic Korean communities in China.
ESET researchers have uncovered a sophisticated, ongoing supply-chain attack attributed to ScarCruft, a North Korean state-sponsored espionage group also tracked as APT37 and Reaper, that compromised both the Windows and Android components of a video game platform tailored for the Yanbian Korean Autonomous Prefecture in northeastern China.
The campaign, assessed to have begun in late 2024, weaponized trojanized game installers and malicious software updates to deploy the BirdCall espionage backdoor across multiple platforms.
ScarCruft Hacks Gaming Platform
Yanbian Korean Autonomous Prefecture, located in China’s Jilin province and bordering North Korea, is home to the largest ethnic Korean diaspora outside the Korean Peninsula.
The region also serves as a critical transit corridor for North Korean refugees and defectors fleeing the regime. ScarCruft’s deliberate targeting of a Yanbian-themed gaming platform strongly suggests the campaign was designed to surveil individuals of operational interest to the North Korean government, primarily defectors and refugees.
The compromised platform hosts traditional Korean card and board games for Windows, Android, and iOS users. ESET’s analysis confirmed that two Android game APKs available for direct download from the platform had been trojanized with the BirdCall backdoor.
The iOS application, by contrast, showed no signs of tampering, likely because of Apple’s stringent app review process. On Windows, ScarCruft’s entry point was a trojanized mono.dll library embedded within a hosted update package. ESET telemetry confirmed this update package was malicious from at least November 2024 onward.
The patched library contained a downloader component that first performed anti-analysis checks, scanning for virtual machine environments and forensic tools, before proceeding with the infection.
Upon clearing these checks, the downloader retrieved and executed shellcode containing RokRAT, ScarCruft’s well-known reconnaissance backdoor.
RokRAT then downloaded and deployed the more advanced BirdCall backdoor as a second-stage payload. Both the payload and the clean replacement mono.dll were downloaded from legitimate, previously compromised South Korean websites, a hallmark tactic of ScarCruft operations.
The Android version of BirdCall, internally codenamed zhuagou, represents a significant expansion of ScarCruft’s mobile capabilities. ESET researchers identified seven development versions ranging from v1.0 (approximately October 2024) to v2.0 (approximately June 2025), indicating active, sustained development across the campaign lifecycle.
ScarCruft is believed to have repackaged legitimate APKs after downloading them, injecting malicious code without access to the source code. The trojanized apps modified the entry point to redirect execution to the backdoor before loading the original game activity to avoid raising user suspicion.
Android BirdCall’s surveillance capabilities include:
- Collection of contacts, call logs, and SMS messages
- Exfiltration of documents and media files (.jpg, .doc, .docx, .pdf, .hwp, .m4a, .p12)
- Device fingerprinting: IMEI, MAC address, IP address, OS version, kernel, rooted status
- Periodic screenshot capture (with a silent MP3 loop technique to prevent background suspension)
- Scheduled audio recording via microphone, limited to a three-hour window between 7 PM and 10 PM local time
- IP geolocation data harvested from ipinfo[.]io
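The repackaging technique described above (a modified entry point that runs the backdoor before the original game activity) and the permission-hungry capability list both leave traces in the app manifest. The following Python script is an added example, not code from ESET's report or from the platform; it assumes both manifests have already been decoded to plain XML (for instance with apktool) and uses constructed sample manifests with hypothetical package and class names. It compares a known-good manifest against a suspect build and reports a changed launcher activity or Application class and any newly requested surveillance-relevant permissions.

```python
"""Diff two decoded AndroidManifest.xml files (known-good vs. suspect build) to
spot repackaging indicators: a changed entry point and new sensitive permissions.
Both manifests below are constructed samples, not real app data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that correspond to the collection capabilities in the report
# (contacts, call logs, SMS, microphone, files, device identifiers).
WATCHED_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed known-good manifest (hypothetical package name).
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="CardGame">
        <activity android:name="com.example.cardgame.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed suspect manifest: a new Application subclass and a new launcher
# activity were inserted ahead of the original game activity, and the
# surveillance permissions were added (class names are hypothetical).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="CardGame" android:name="com.example.cardgame.BootApp">
        <activity android:name="com.example.cardgame.SplashActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.cardgame.MainActivity"/>
    </application>
</manifest>
"""


def _root(manifest_xml: str) -> ET.Element:
    return ET.fromstring(manifest_xml)


def launcher_activities(manifest_xml: str) -> set:
    """Activities carrying a MAIN action plus LAUNCHER category (the app entry point)."""
    found = set()
    for activity in _root(manifest_xml).iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
            categories = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                found.add(activity.get(NAME_ATTR))
    return found


def application_class(manifest_xml: str):
    """Custom Application subclass (runs before any activity), or None if default."""
    app = _root(manifest_xml).find("application")
    return None if app is None else app.get(NAME_ATTR)


def permissions(manifest_xml: str) -> set:
    return {p.get(NAME_ATTR) for p in _root(manifest_xml).iter("uses-permission")}


def diff_manifests(original_xml: str, suspect_xml: str) -> dict:
    """Summarise entry-point and permission changes between the two manifests."""
    orig_launchers = launcher_activities(original_xml)
    susp_launchers = launcher_activities(suspect_xml)
    orig_app, susp_app = application_class(original_xml), application_class(suspect_xml)
    new_perms = (permissions(suspect_xml) - permissions(original_xml)) & WATCHED_PERMISSIONS
    return {
        "package_changed": _root(original_xml).get("package") != _root(suspect_xml).get("package"),
        "launcher_changed": orig_launchers != susp_launchers,
        "new_launchers": sorted(susp_launchers - orig_launchers),
        "application_class": (orig_app, susp_app),
        "application_changed": orig_app != susp_app,
        "new_watched_permissions": sorted(new_perms),
    }


if __name__ == "__main__":
    for key, value in diff_manifests(ORIGINAL_MANIFEST, SUSPECT_MANIFEST).items():
        print(f"{key}: {value}")
```

An unchanged package name alongside a changed launcher or Application class is exactly the signature of a repackaged build: the attacker keeps the identity the user expects while moving the first code that executes. Pair this with a signing-certificate comparison, since an APK rebuilt without the developer's key cannot carry the original signature.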
Android BirdCall communicates with its operators entirely through legitimate cloud storage providers, mirroring the Windows variant’s C2 methodology.
The analyzed samples supported pCloud, Yandex Disk, and Zoho WorkDrive as C2 channels, with Zoho WorkDrive being the active provider.
Researchers identified 12 unique Zoho WorkDrive accounts used across the campaign for command issuance and data exfiltration. This cloud-native C2 approach intentionally blends malicious traffic into legitimate HTTPS API communications, significantly hampering detection by network-layer monitoring tools.
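Because the C2 traffic is ordinary HTTPS to well-known cloud storage APIs, a network detection cannot key on the destination alone; the useful signal is which app on the device is talking to that provider and how much it sends. The script below is an added example written for this article, not tooling from ESET or the platform. It parses constructed per-app mobile proxy log lines (the log format, the device and package names, and the API hostnames for the three providers are all assumptions of this example, not indicators from the report) and reports apps outside a small cloud-sync allowlist that contact a cloud storage provider, marking those with large uploads as high priority.

```python
"""Triage per-app proxy logs for cloud-storage traffic from apps that have no
business using cloud storage. Log lines, hostnames and package names are
constructed for this example."""
import re
from collections import defaultdict

# Assumed API hostnames for the providers named in the report (example values).
CLOUD_STORAGE_HOSTS = {
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Hypothetical allowlist: the providers' own client apps are expected to talk
# to their APIs, so they are excluded from findings.
EXPECTED_APPS = {"com.pcloud.pcloud", "ru.yandex.disk", "com.zoho.workdrive"}

# Constructed sample log: timestamp, device, app package, destination host,
# HTTP method and bytes sent by the client.
LOG_LINES = """
2025-06-01T19:02:11Z dev=tab-07 app=com.example.cardgame host=workdrive.zoho.com method=PUT bytes_out=2411000
2025-06-01T19:02:40Z dev=tab-07 app=com.example.cardgame host=workdrive.zoho.com method=GET bytes_out=512
2025-06-01T19:05:03Z dev=tab-07 app=ru.yandex.disk host=cloud-api.yandex.net method=PUT bytes_out=9800000
2025-06-01T19:06:19Z dev=phone-12 app=com.android.chrome host=api.pcloud.com method=GET bytes_out=1800
2025-06-01T19:07:44Z dev=phone-12 app=com.example.cardgame host=cdn.example-game.test method=GET bytes_out=300
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) dev=(?P<dev>\S+) app=(?P<app>\S+) host=(?P<host>\S+) "
    r"method=(?P<method>\S+) bytes_out=(?P<bytes_out>\d+)"
)


def parse_lines(text: str) -> list:
    """Turn raw log text into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            records.append(rec)
    return records


def triage(records: list, upload_threshold: int = 1_000_000) -> list:
    """Aggregate cloud-storage traffic per (device, app, provider) and flag the
    pairs that are not expected cloud-sync clients. Findings whose uploaded
    volume reaches upload_threshold are marked high."""
    agg = defaultdict(lambda: {"requests": 0, "uploads": 0, "bytes_out": 0})
    for rec in records:
        provider = CLOUD_STORAGE_HOSTS.get(rec["host"])
        if provider is None or rec["app"] in EXPECTED_APPS:
            continue
        entry = agg[(rec["dev"], rec["app"], provider)]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("PUT", "POST"):
            entry["uploads"] += 1
    findings = []
    for (dev, app, provider), stats in agg.items():
        findings.append({
            "dev": dev,
            "app": app,
            "provider": provider,
            "high": stats["bytes_out"] >= upload_threshold,
            **stats,
        })
    # Largest senders first: exfiltration shows up as outbound volume.
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(parse_lines(LOG_LINES)):
        flag = "HIGH" if finding["high"] else "info"
        print(f"[{flag}] {finding['dev']} {finding['app']} -> {finding['provider']}: "
              f"{finding['requests']} requests, {finding['uploads']} uploads, "
              f"{finding['bytes_out']} bytes out")
```

The per-app attribution is the part that matters: on a managed Android fleet it comes from a device-side VPN or MDM proxy that tags flows with the originating package, and without it a game client uploading megabytes to a document-storage API is indistinguishable from a legitimate backup client. The allowlist and threshold are deliberately small knobs so the logic can be tuned per environment.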
ScarCruft has been operationally active since at least 2012 and has historically focused on South Korea’s government, military, and industries aligned with North Korean strategic interests.
The group has demonstrated consistent evolution in its tooling, from leveraging Internet Explorer zero-days (CVE-2024-39178) in late 2024 to deploying purpose-built Android spyware via supply-chain compromise.
The deployment of RokRAT as a staging mechanism for the more sophisticated BirdCall backdoor also aligns with documented multi-stage loading chains observed in prior ScarCruft campaigns.
ESET notified sqgame of the compromise in December 2025, but received no response. As of the publication of this report in May 2026, the malicious APK files remained available for download on the platform.
FAQ
Q1: What is ScarCruft (APT37)?
ScarCruft, also known as APT37 or Reaper, is a North Korean state-sponsored cyber espionage group active since at least 2012, primarily targeting South Korea, defectors, and organizations of strategic interest to the North Korean regime.
Q2: What does the Android BirdCall backdoor do?
It collects contacts, SMS, call logs, device identifiers, documents, and media files, while also taking screenshots and recording audio during specific evening hours to surveil targeted individuals.
Q3: How was the sqgame gaming platform compromised?
ScarCruft trojanized the platform’s Android APKs and injected a malicious downloader into the Windows desktop client’s update package (mono.dll), which then deployed RokRAT and, subsequently, the BirdCall backdoor.
Q4: How can users protect themselves from supply-chain attacks like this?
Users should install apps only from trusted, verified sources like Google Play, keep devices updated, use mobile endpoint security solutions, and avoid sideloading APKs from third-party websites.