www.welivesecurity.com
ScarCruft's Supply-Chain Attack Targets Yanbian Gaming Platform with BirdCall Malware
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
ESET researchers reported a supply-chain attack by the North Korean APT group ScarCruft, targeting a gaming platform in the Yanbian region of China. The attack, ongoing since late 2024, involved trojanizing both Windows and Android components of the platform, sqgame[.]net, which hosts traditional Yanbian-themed games. The Android variant of the backdoor, named BirdCall, was developed over several months, with at least seven versions identified from October 2024 to June 2025. The malware is designed to gather intelligence on users, particularly targeting ethnic Koreans and North Korean defectors. The Windows version of BirdCall has been known since 2021 and includes capabilities such as keystroke logging and file exfiltration. The attack's command-and-control traffic was routed through cloud storage services, with ESET notifying the platform of the compromise in December 2025, but no response was received. The malicious APKs remain available for download on the site.
Key Points: • ScarCruft's attack targets a gaming platform for ethnic Koreans in China. • The Android variant of BirdCall was developed from October 2024 to June 2025. • ESET identified the attack as part of a broader espionage campaign against North Korean defectors.