Back

ScarCruft's Supply-Chain Attack Targets Yanbian Gaming Platform with BirdCall Malware

Severity: High (Score: 75.6)

Sources: Gbhackers, Nknews, Escudodigital, Thehackernews, Cybersecuritynews

Summary

ESET researchers reported a supply-chain attack by the North Korean APT group ScarCruft, targeting a gaming platform in the Yanbian region of China. The attack, ongoing since late 2024, involved trojanizing both Windows and Android components of the platform, sqgame[.]net, which hosts traditional Yanbian-themed games. The Android variant of the backdoor, named BirdCall, was developed over several months, with at least seven versions identified from October 2024 to June 2025. The malware is designed to gather intelligence on users, particularly targeting ethnic Koreans and North Korean defectors. The Windows version of BirdCall has been known since 2021 and includes capabilities such as keystroke logging and file exfiltration. The attack's command-and-control traffic was routed through cloud storage services, with ESET notifying the platform of the compromise in December 2025, but no response was received. The malicious APKs remain available for download on the site. Key Points: • ScarCruft's attack targets a gaming platform for ethnic Koreans in China. • The Android variant of BirdCall was developed from October 2024 to June 2025. • ESET identified the attack as part of a broader espionage campaign against North Korean defectors.

Key Entities

  • Apt37 (apt_group)
  • Reaper (apt_group)
  • Ricochet Chollima (apt_group)
  • ScarCruft (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • China (country)
  • North Korea (country)
  • South Korea (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • 1980food.co (domain)
  • cndsoft.co (domain)
  • colorncopy.co (domain)
  • sqgame.com (domain)
  • swr.co (domain)
  • Government (industry)
  • BirdCall (malware)
  • RokRAT (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Android (platform)
  • IOS (platform)
  • Sqgame (platform)
  • Windows (platform)
  • PCloud (tool)
  • Yandex Disk (tool)
  • Zoho WorkDrive (tool)
  • Dropbox (tool)
  • B06110E0FEB7592872E380B7E3B8F77D80DD1108 (sha1)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed