ScarCruft's Supply-Chain Attack Targets Yanbian Gaming Platform with BirdCall Malware

ScarCruft's Supply-Chain Attack Targets Yanbian Gaming Platform with BirdCall Malware

First seen 5 May 2026, 09:34 UTC BleepingcomputerThehackernewsGbhackersInfosecurity-Magazinewww.welivesecurity.com+5 83% similarity 75.6

Article Content

Browse articles
ThreatCluster

ESET researchers reported a supply-chain attack by the North Korean APT group ScarCruft, targeting a gaming platform in the Yanbian region of China. The attack, ongoing since late 2024, involved trojanizing both Windows and Android components of the platform, sqgame[.]net, which hosts traditional Yanbian-themed games. The Android variant of the backdoor, named BirdCall, was developed over several months, with at least seven versions identified from October 2024 to June 2025. The malware is designed to gather intelligence on users, particularly targeting ethnic Koreans and North Korean defectors. The Windows version of BirdCall has been known since 2021 and includes capabilities such as keystroke logging and file exfiltration. The attack's command-and-control traffic was routed through cloud storage services, with ESET notifying the platform of the compromise in December 2025, but no response was received. The malicious APKs remain available for download on the site.

Key Points: • ScarCruft's attack targets a gaming platform for ethnic Koreans in China. • The Android variant of BirdCall was developed from October 2024 to June 2025. • ESET identified the attack as part of a broader espionage campaign against North Korean defectors.

ThreatCluster AI

Timeline

2024-10-01
Development of Android BirdCall begins
2025-06-01
Final version of Android BirdCall released
2025-12-01
ESET notifies sqgame of the compromise
2026-05-05
ESET publishes analysis of the attack

Community

Browse all →