- The North Korean ScarCruft hacking group compromised a video game platform to deploy the BirdCall backdoor, targeting ethnic Koreans.
- This supply chain attack, ongoing since late 2024, marks a shift for the group by enabling multi-platform espionage against both Windows and Android users.
- The infected platform, sqgame[.]net, is used in a border region of China that serves as a transit point for North Korean defectors.
- BirdCall provides extensive surveillance capabilities, including screenshot capture, data theft, and audio recording.
The North Korean state-sponsored hacking group ScarCruft has been implicated in a long-running cyber espionage campaign, compromising a gaming platform since late 2024 to target ethnic Koreans in China. According to a report from ESET shared with The Hacker News, the attackers trojanized the platform’s components with a backdoor called BirdCall.
This supply chain attack represents a strategic evolution for the threat actors, allowing them to expand beyond their usual Windows focus and target Android devices for the first time in this operation.
The compromised platform, sqgame[.]net, hosts games for the Yanbian region bordering North Korea. “In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games,” the Slovakian cybersecurity company said.
Previous versions of the malware, an evolution of RokRAT, have been detected since 2021. The BirdCall backdoor itself provides capabilities for screenshot capture, keystroke logging, and data exfiltration.
For command-and-control communications, the malware leverages legitimate cloud services like Dropbox and pCloud. The Android variant specifically collects contact lists, SMS messages, call logs, and ambient audio.
Evidence suggests the Windows desktop client's update package began delivering a malicious DLL in November 2024; that package, however, is no longer serving the trojanized component.
The Android attack specifically poisoned the download pages for two games on the platform. These pages were altered to serve malicious APKs containing the surveillance backdoor.
“The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings,” ESET concluded. The campaign aligns with ScarCruft’s known focus on North Korean defectors and activists.
