North Korean APT ScarCruft Launches BirdCall Android Malware via Game Platform
Severity: High (Score: 75.5)
Sources: www.welivesecurity.com, Bleepingcomputer
Summary
ESET researchers have identified a supply-chain attack by the North Korean APT group ScarCruft, targeting the Yanbian region in China. The attack involves the distribution of a trojanized Android version of the BirdCall backdoor through a gaming platform called sqgame.net, which caters to ethnic Koreans. The Android variant, developed since late 2024, has been found to collect sensitive information such as contacts, SMS messages, and media files.

ScarCruft, also known as APT37, has been active since at least 2012 and primarily targets South Korea and North Korean defectors. The Windows version of BirdCall has been known since 2021, and this new Android variant implements a subset of its capabilities. ESET's investigation revealed that the Android version lacks some features present in the Windows version, such as shell command execution. The attack is ongoing, and users are advised to download software only from official sources.

Key Points:
- ScarCruft has developed an Android variant of the BirdCall backdoor targeting ethnic Koreans.
- The malware is distributed through a compromised gaming platform, sqgame.net.
- Users are urged to download applications only from trusted sources to mitigate risks.
Key Entities
- APT37 (apt_group)
- Reaper (apt_group)
- ScarCruft (apt_group)
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- China (country)
- North Korea (country)
- South Korea (country)
- 1980food.co (domain)
- cndsoft.co (domain)
- colorncopy.co (domain)
- sqgame.com (domain)
- swr.co (domain)
- Government (industry)
- BirdCall (malware)
- RokRAT (malware)
- T1056 - Input Capture (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Android (platform)
- iOS (platform)
- Sqgame (platform)
- Windows (platform)
- B06110E0FEB7592872E380B7E3B8F77D80DD1108 (sha1)
- Dropbox (tool)
- pCloud (tool)