ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.
The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. This post provides an overview of the attack and the first public analysis of the Android backdoor.
Key points:
- North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.
- The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.
- Android games available on the gaming platform were trojanized to contain the Android version of the BirdCall backdoor – a new tool in ScarCruft’s arsenal.
- The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.
ScarCruft Profile
ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. The group also targets North Korean defectors, with the latest such activity presented in this post.
BirdCall Backdoor
Windows Version
BirdCall is a Windows backdoor written in C++ that ESET discovered in 2021 and attributed to ScarCruft as part of ESET Threat Intelligence reporting.
The backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key. The initial version of BirdCall was publicly described by South Korean vendors in 2021 as an advanced version of RokRAT (S2W, AhnLab).
Android Version
The Android version of BirdCall, discovered in the attack described in this post, implements a subset of the commands and capabilities of the Windows backdoor – it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio.
Based on ESET research, Android BirdCall was actively developed over a span of several months. Seven versions were identified, ranging from version 1.0 (created approximately in October 2024) to version 2.0 (created approximately in June 2025).
Discovery
The investigation started with a suspicious APK file found on VirusTotal. Upon initial analysis, the APK was determined to be malicious and to contain a backdoor.
The APK turned out to be a trojanized card game called 延边红十 (machine translation: Yanbian Red Ten), which was traced to its official website, https://www.sqgame[.]net. sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS. Players can compete in card and board games (see Figure 1) with friends or join organized tournaments.
Figure 1. Yanbian Red Ten game
The APK available for download on the official website is the same as the APK initially found on VirusTotal. A second Android game (新画图, machine translation: New Drawing) available for download from sqgame was also trojanized with the same backdoor. Further analysis confirmed that the backdoor is an Android port of ScarCruft’s BirdCall backdoor.
The Windows desktop client link on the sqgame website leads to a few-years-old installer that appears to be clean. It does download updates once installed, but no malicious code was identified there during analysis.
Further investigation using ESET telemetry identified a trojanized mono.dll library originating from an update package for the desktop client. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period. At the time of writing, this update package was no longer malicious.
The iOS game available on the sqgame website was also checked and no malicious code was found. ScarCruft appears to have skipped this platform, since trojanizing and delivering an iOS app would be considerably more difficult compared to other platforms, likely running into Apple’s review process.
Victimology
Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, the primary targets are inferred to be ethnic Koreans living in Yanbian. Yanbian Korean Autonomous Prefecture is a region in China that borders North Korea and is home to the largest ethnic Korean community outside Korea.
In this context, the attack was most likely aimed at collecting information on individuals based in – or originating from – the Yanbian region and deemed of interest to the North Korean regime, most likely refugees or defectors.
Attack Overview
Android
Two of the Android games available on the sqgame website were found to be trojanized to contain the BirdCall backdoor. The download page at https://www.sqgame[.]net/games/gamedownload.aspx is shown in Figure 2, with download buttons for the two trojanized games highlighted in red. The third available Android game was clean at the time of analysis.
Figure 2. Download page leading to trojanized games
Evidence indicates that victims downloaded the trojanized games via a web browser on their devices and probably installed them intentionally. No other APK locations were identified, and the malicious APKs were not found on the official Google Play store.
The exact date when the website was first compromised could not be determined; however, based on analysis of the deployed malware, it is estimated to have occurred in late 2024.
Table 1 shows the hosting URLs of the two trojanized APK files, along with the hashes of files served at the time of discovery. At the time of writing, the malicious files were still up on the sqgame website. ESET notified sqgame of the compromise in December 2025 but had not received a response.
Table 1. Malicious samples
| Time of Discovery | URL | SHA-1 | Description |
|---|---|---|---|
| 2025-10 | http://sqgame.com[.]cn/ybht.apk | 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF | Trojanized game with the BirdCall backdoor. |
| 2025-10 | http://sqgame.com[.]cn/sqybhs.apk | FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 | Trojanized game with the BirdCall backdoor. |
Windows
While the Windows desktop client available on the sqgame website did not contain malicious code when analyzed, a trojanized mono.dll library was later identified originating from an update package of the desktop client hosted at http://xiazai.sqgame.com[.]cn/dating/20240429.zip. ESET telemetry shows this update package had been malicious since at least November 2024, for an unknown period; at the time of writing, it was no longer malicious.
ScarCruft took a clean mono library and patched it with extra code and data containing a downloader. The downloader first checks running processes for analysis tools and virtual machine environments and does not proceed if any are found. Otherwise, it looks for the process of the sqgame client and constructs a path to the mono library in its installation folder.
The downloader then downloads and executes shellcode, which contained the RokRAT backdoor at the time of discovery. Finally, the downloader terminates the client process and downloads the original clean version of the mono library, replacing the trojanized one in the installed client folder. Both the payload and the clean mono library are downloaded from legitimate South Korean websites that were compromised for this purpose – a typical TTP of ScarCruft.
According to ESET telemetry, the RokRAT backdoor was subsequently used to download and install the BirdCall backdoor on victimized machines.
Android BirdCall Analysis
This section provides a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++. Internally, the backdoor is named zhuagou, which translates from Chinese as “catching dogs.”
Trojanized Android Games
Android BirdCall is distributed via trojanized Android games. In this attack, ScarCruft is believed to have gained access to the sqgame website or web server rather than to the game’s source code, and instead took the original game APKs and recompiled or repackaged them with malicious code added.
In the trojanized APKs, the AndroidManifest.xml entry point activity is modified to point to the added malicious code, which – after starting the backdoor – executes the original entry activity of the game.
In the analyzed samples, the modified entry point activity was either com.example.zhuagou.SplashScreen or com.mob.util.MobSs (in the latest sample). The modifications to AndroidManifest.xml also include new activity and service definitions for the backdoor, as well as additional permissions required for its operation.
This supply-chain attack demonstrates ScarCruft’s continued expansion of its toolset and targeting capabilities, extending a previously Windows-only backdoor to Android and exploiting a legitimate regional gaming platform to reach ethnic Korean communities of interest to the North Korean regime.