
North Korean hackers compromised a gaming platform in a supply-chain attack, using trojanized Windows and Android games to deploy a previously undocumented mobile variant of the group's BirdCall spyware.
Security researchers at ESET detailed the operation in a recent report, describing how the “ScarCruft” APT group, also known as APT37, embedded malware into legitimate game downloads. The investigation began after analysts identified a suspicious Android APK on VirusTotal, which turned out to be a backdoored version of a traditional card game. Further analysis revealed that the same malicious files were being distributed directly through the platform’s official website, indicating a supply-chain compromise rather than a standalone malware campaign.
ScarCruft has been active since at least 2012 and is widely believed to operate in support of North Korean intelligence objectives. The group typically focuses on espionage targeting government entities, military organizations, and individuals of strategic interest, including defectors. In this campaign, researchers assess that the attackers aimed to surveil people connected to the Yanbian region, a culturally significant area in China bordering North Korea and home to a large ethnic Korean population.
The compromised platform, sqgame, distributes traditional Yanbian-themed games across Windows, Android, and iOS. While the iOS version appeared unaffected, both Windows and Android distributions were tampered with. On Android, attackers repackaged legitimate game APKs such as “Yanbian Red Ten” to include a malicious component without altering the user-facing functionality. On Windows, the compromise occurred via a poisoned update mechanism, in which a trojanized mono.dll library served as a loader for additional payloads.
The attack chain on Windows systems involved deploying the RokRAT backdoor, which then fetched the more advanced BirdCall malware. On Android, the newly discovered BirdCall variant was embedded directly into the trojanized apps. This marks the first documented instance of BirdCall targeting Android devices, expanding the group’s cross-platform surveillance capabilities.
The Windows version, written in C++, supports keylogging, credential theft, clipboard monitoring, and command execution. It communicates with the command-and-control (C2) infrastructure via cloud storage services such as Dropbox and pCloud. The Android variant, while slightly more limited, supports the following:
- Steal the contacts list
- Exfiltrate SMS messages
- Steal call logs, media files, and documents
- Record audio
- Capture screenshots
- Gather device metadata such as IMEI numbers and network details
The malware uses legitimate cloud services, primarily Zoho WorkDrive, for C2 communications, blending malicious traffic with normal network activity. The backdoor periodically uploads collected data and retrieves commands, supporting functions like file exfiltration and configuration updates. In some versions, it even restricts audio recording to specific evening hours, suggesting deliberate operational tuning.
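The C2 pattern above, a game process periodically uploading to a consumer cloud-storage service, is something an egress log can surface even without indicators. The script below is an added example, not ESET's code or anything from the report: it assumes host suffixes for Dropbox, pCloud and Zoho WorkDrive, an allowlist of processes expected to talk to those services, and a constructed sample log with a placeholder process name.

```python
"""Hunt egress logs for game processes beaconing to consumer cloud storage,
the C2 pattern described above (added example, constructed sample data)."""
from collections import defaultdict
from datetime import datetime
# Assumed host suffixes for the three services named in the report.
CLOUD_STORAGE_SUFFIXES = {
    "dropboxapi.com": "Dropbox", "dropbox.com": "Dropbox",
    "pcloud.com": "pCloud", "zoho.com": "Zoho WorkDrive",
}
# Assumed: processes for which cloud-storage traffic is expected on this estate.
EXPECTED_CLIENTS = {"dropbox.exe", "pcloud.exe", "onedrive.exe"}

# Constructed sample log: "<ISO time> <process> <destination host> <bytes sent>";
# redten_game.exe is a placeholder name, not a real binary from the campaign.
SAMPLE_LOG = """\
2025-03-02T20:01:05 redten_game.exe workdrive.zoho.com 48211
2025-03-02T20:01:07 chrome.exe www.example.com 912
2025-03-02T20:06:08 redten_game.exe workdrive.zoho.com 51990
2025-03-02T20:11:04 redten_game.exe workdrive.zoho.com 47730
2025-03-02T20:12:40 dropbox.exe content.dropboxapi.com 120044
2025-03-02T20:16:09 redten_game.exe workdrive.zoho.com 50012
"""

def cloud_service(host):
    """Return the cloud-storage service a hostname belongs to, or None."""
    for suffix, name in CLOUD_STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def find_suspicious_beacons(log_text, min_events=3):
    """Group cloud-storage connections by (process, service), skip known sync
    clients, and summarise groups with at least min_events connections:
    event count, bytes sent, and median gap in seconds (regular = beacon-like)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ts, proc, host, sent = line.split()
        service = cloud_service(host)
        if service and proc.lower() not in EXPECTED_CLIENTS:
            groups[(proc, service)].append((datetime.fromisoformat(ts), int(sent)))
    findings = {}
    for key, events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:]))
        findings[key] = {"events": len(events), "bytes_out": sum(s for _, s in events),
                         "median_gap_s": gaps[len(gaps) // 2]}
    return findings
```

On the sample data only the placeholder game process is reported, with four uploads to Zoho WorkDrive roughly five minutes apart; the known sync client's Dropbox traffic is ignored.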
ESET researchers found that the malicious components had likely been distributed since late 2024, with some infrastructure remaining active into late 2025. Despite responsible disclosure, the platform operator had not responded at the time of publication.