North Korean Hackers Infiltrate Android Games to Spy on Defectors

"Surprisingly, the APK available for download on the official website is the same as the APK we initially found on VirusTotal," Eset researchers wrote.

ESET investigation and the initial discovery

Security researchers at Eset discovered the campaign after inspecting a suspicious Android app file uploaded to VirusTotal. The APK contained a backdoor that matched an Android variant of a known North Korean backdoor called BirdCall. Eset said the same APK was available for download on the official site of a regional gaming platform, www.sqgame.net, and a second APK on that site likewise contained BirdCall.

Technique: supply-chain compromise via the www.sqgame.net web server

Eset concluded the attackers most likely did not obtain the game source code. Instead, the researchers say the threat actor gained access to the platform's web server, recompiled the original APKs and injected the backdoor into the distributed Android installers. The platform hosts digital card and board games popular in a regional Korean ethnic enclave in China.

BirdCall Android backdoor: capabilities and C2 behavior

The Android build implements a subset of commands and capabilities from a Windows backdoor version, but it carries potent mobile-specific features. According to Eset, the malware can collect contacts, SMS messages, call logs, documents, media files and private keys. It can also take screenshots and record surrounding audio. The backdoor mixes command-and-control traffic with normal traffic and is capable of using several cloud storage services as C2 servers, including pCloud, Yandex Disk and Zoho WorkDrive; in this campaign the attackers used Zoho WorkDrive only.

Attribution and regional focus: ScarCruft (APT37 / Reaper) and Yanbian

Eset attributed the supply-chain attack to a North Korean-linked group the company tracks as ScarCruft, also known as APT37 or Reaper. Eset reported the campaign appears to have been active since late 2024. The researchers noted the Yanbian region of northern China—where the targeted gaming platform is popular—is a crossing point for refugees fleeing the Pyongyang government and concluded the hackers were likely attempting to surveil defectors in that community.

What this means for security teams, platform operators, and local communities

  • Security teams and technologists: The campaign demonstrates a supply-chain vector that can be executed by modifying distributed APKs on a vendor web server rather than by stealing or altering source code. Teams should watch for signs of recompiled binaries published to official download pages and for C2 channels that blend with benign cloud-storage traffic.
  • Platform operators (www.sqgame.net and similar hosts): Operators who distribute mobile installers must treat their web servers and distribution mechanisms as high-value assets. The Eset finding — same APK on VirusTotal and the official site — underscores that compromise of a distribution server can deliver malicious updates directly to users of otherwise legitimate software.
  • Local Korean ethnic communities and defectors in Yanbian: The targeting reflected by this campaign indicates that apps popular within a geographically concentrated community can be weaponized to gather highly personal material—calls, texts, documents, media and even private keys. A focus on platforms used by cross-border communities suggests a tailored surveillance intent rather than opportunistic mass infection.
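One concrete way a platform operator or blue team can act on the first two points above is to pin a known-good build of each installer and re-check every copy served from the download page against it. The script below is an added illustration for this article, not ESET's tooling and not anything from www.sqgame.net; it assumes the classic v1 (JAR-style) signing layout where the signature lives in `META-INF/MANIFEST.MF`, `CERT.SF` and `CERT.RSA`, and all APK contents are constructed sample data. The idea is simple: an attacker who recompiles an APK on a compromised web server cannot reproduce the original developer's signing key, so the signature block, `classes.dex` and the whole-file hash drift even when the app looks identical to users.

```python
import hashlib
import io
import zipfile

# Members whose hashes are pinned from a known-good build (assumed v1 signing layout).
PINNED_MEMBERS = (
    "META-INF/MANIFEST.MF",
    "META-INF/CERT.SF",
    "META-INF/CERT.RSA",
    "classes.dex",
)
SIGNATURE_EXTENSIONS = (".RSA", ".DSA", ".EC")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_apk(apk_bytes: bytes) -> dict:
    """Hash the whole installer plus the pinned members of the ZIP container.

    Missing members are recorded as None so that a stripped or renamed
    signature block shows up as drift rather than silently passing.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        members = {
            name: (sha256(zf.read(name)) if name in names else None)
            for name in PINNED_MEMBERS
        }
        # Any signature block beyond the pinned one is suspicious: re-signing
        # tools often write their own CERT.* or differently named blocks.
        unexpected = sorted(
            n for n in names
            if n.startswith("META-INF/")
            and n.upper().endswith(SIGNATURE_EXTENSIONS)
            and n not in PINNED_MEMBERS
        )
    return {"file": sha256(apk_bytes), "members": members, "unexpected_signers": unexpected}


def compare_fingerprints(baseline: dict, candidate: dict) -> list:
    """Return human-readable findings; an empty list means the download matches."""
    findings = []
    if baseline["file"] != candidate["file"]:
        findings.append("whole-file hash changed")
    for name, pinned in baseline["members"].items():
        seen = candidate["members"].get(name)
        if seen != pinned:
            state = "missing" if seen is None else "changed"
            findings.append(f"{name} {state}")
    if candidate["unexpected_signers"]:
        findings.append("unexpected signature block: " + ", ".join(candidate["unexpected_signers"]))
    return findings


def build_sample_apk(dex: bytes, signer_blob: bytes, extra: dict = None) -> bytes:
    """Construct a minimal APK-shaped ZIP for the demo (not a real, installable APK)."""
    buf = io.BytesIO()
    entries = {
        "AndroidManifest.xml": b"<manifest package='demo.cardgame'/>",  # constructed
        "classes.dex": dex,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
        "META-INF/CERT.RSA": signer_blob,
    }
    entries.update(extra or {})
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # Fixed timestamp keeps two builds of the same content byte-identical.
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample data: a known-good build captured earlier, a later
# identical download, and a download that was recompiled and re-signed.
GOOD_APK = build_sample_apk(b"dex\n035\x00original code", b"PKCS7:original-developer-key")
SAME_APK = build_sample_apk(b"dex\n035\x00original code", b"PKCS7:original-developer-key")
TAMPERED_APK = build_sample_apk(
    b"dex\n035\x00original code + injected payload",
    b"PKCS7:attacker-key",
    extra={"META-INF/ATTACKER.RSA": b"PKCS7:second-signer"},
)


def check_download(baseline_apk: bytes, downloaded_apk: bytes) -> list:
    """Compare a freshly downloaded installer against the pinned known-good build."""
    return compare_fingerprints(fingerprint_apk(baseline_apk), fingerprint_apk(downloaded_apk))


if __name__ == "__main__":
    print("same build:", check_download(GOOD_APK, SAME_APK) or "OK")
    print("tampered  :", check_download(GOOD_APK, TAMPERED_APK))
```

Run it periodically against the live download URL (fetching with any HTTP client, outside this snippet) and alert on any non-empty result. Two caveats: modern APKs also carry v2/v3 signatures in a dedicated signing block outside the ZIP entries, which the whole-file hash covers but the per-member checks do not, so a production version should verify that block with `apksigner` as well; and the baseline must be captured out of band from the build pipeline, not from the same web server, otherwise a compromised server simply supplies the "known-good" copy too.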

The Eset report stitches together a precise, if stark, scenario: a threat actor with known regional ambitions used a distribution-server compromise to turn leisure software into a persistent surveillance tool. The choice to use Zoho WorkDrive as the active C2 channel, while other cloud services remained available to the malware, is a concrete operational detail that may aid defenders hunting for indicators of compromise.

For investigators and defenders, the case is a reminder that malware authors continue to adapt established desktop tooling to mobile environments, and that distribution ecosystems—especially those serving niche or vulnerable communities—remain high-value targets. Eset's attribution to ScarCruft and the reported start date of late 2024 provide a time and actor frame; the rest of the puzzle—exact intrusion timeline on the web server and whether additional apps or versions were affected—remains to be filled by subsequent disclosures or detailed forensic analysis.

Read the original Eset-based report: North Koreans Spy on Defectors Via Android Game Apps