The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China.
While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.
According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia. It’s also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River.
The targeting of this platform is said to be a deliberate strategy given ScarCruft’s storied history of targeting North Korean defectors, human rights activists, and university professors.
“In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor,” the Slovakian cybersecurity company said in a report shared with The Hacker News ahead of publication.
Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors.
BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and data gathering. Like RokRAT, the malware relies on legitimate cloud services like Dropbox and pCloud for command-and-control (C2).
“BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key,” ESET said.
The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware’s lineage has unearthed seven versions, with the first dating back to October 2024.
Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net have been altered to serve the malicious APKs –
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
It’s currently not known when the website was breached, and the poisoned APKs began to be distributed. However, it’s believed that the incident occurred sometime in late 2024. What’s more, evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period. The update package is no longer malicious.
Specifically, the modified DLL included a downloader that checks the list of running processes for analysis tools and virtual machine environments, before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on the infected hosts.
The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. This includes pCloud, Yandex Disk, and Zoho WorkDrive, the last of which has become an increasingly common presence across multiple campaigns.
“The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings,” ESET said.
