
ScarCruft APT Exploits Yanbian Gaming Platform for Intelligence Gathering

Computer workstation in a brightly-lit Korean game center with patrons and traditional games.

ESET researchers observed 12 separate Zoho WorkDrive accounts being used as command-and-control infrastructure in a supply‑chain espionage campaign that trojanized a regional gaming platform serving ethnic Koreans in China.

How ScarCruft trojanized sqgame[.]net

According to ESET, a North Korea‑aligned espionage group known as ScarCruft — also tracked as APT37, Reaper and Ricochet Chollima — compromised sqgame[.]net, a site dedicated to traditional Yanbian‑themed card and board games. The operation, which ESET assessed was aimed at gathering intelligence on individuals of interest to the Pyongyang regime, affected Windows and Android software distributed from the site. The investigation began when a suspicious APK was uploaded to VirusTotal and traced back to a Yanbian Red Ten package on sqgame. A second Android title on the same platform, New Drawing, carried the same malicious code.

Windows infection chain: mono.dll, RokRAT and BirdCall

Telemetry showed that an update package for the sqgame desktop client had served a trojanized mono.dll library since at least November 2024. ESET said the patched library acted as a downloader, performing anti‑analysis checks before fetching shellcode containing the RokRAT backdoor; RokRAT in turn deployed the more sophisticated BirdCall implant. ESET first documented BirdCall as a Windows backdoor in 2021. In this campaign the chain starts with a single modified library delivered through the platform's own update mechanism, which is what makes it a supply‑chain compromise: the victim installed nothing beyond the client's regular update.

Android port "zhuagou": repackaged games and data theft

ESET identified a previously undocumented Android port of BirdCall, internally named zhuagou. The operators did not have the games' source code; instead they repackaged the legitimate game APKs with the backdoor added and edited AndroidManifest.xml so that a malicious component became the app's entry point, ran first, and only then started the original game activity, so the game still launched as expected. The Android implant implemented a subset of the Windows backdoor's features and saw active development across seven versions between October 2024 and June 2025.
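The manifest change ESET describes, an entry point redirected to the backdoor before the original game activity starts, is something an analyst can check for mechanically. The following Python is an added example written for this article, not ESET's tooling or code from the campaign: it compares the decoded AndroidManifest.xml of a suspect APK against the manifest of a known‑good build and flags a changed launcher activity, an injected Application subclass, and newly requested permissions that match the data the Android implant is reported to collect. The two manifests, the package name com.example.cardgame and the class names under .hook are constructed placeholders; real analysis would first decode the binary manifest with a tool such as apktool or androguard.

```python
# Added example: compare a suspect APK's decoded AndroidManifest.xml with a known-good one.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_TARGET = f"{{{ANDROID_NS}}}targetActivity"

# Permissions that correspond to the data the Android implant is reported to collect.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}


def _qualify(package, name):
    """Expand android:name shorthand ('.Foo' or 'Foo') to a fully qualified class name."""
    if name is None:
        return None
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def entry_points(manifest_xml):
    """Extract package, Application class, launcher activities and requested permissions."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    info = {
        "package": package,
        "application": None,
        "launchers": [],
        "permissions": {p.get(A_NAME) for p in root.findall("uses-permission")},
    }
    app = root.find("application")
    if app is None:
        return info
    info["application"] = _qualify(package, app.get(A_NAME))
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for filt in comp.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in filt.findall("action")}
            cats = {c.get(A_NAME) for c in filt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                # an activity-alias launches its targetActivity, so record that class
                info["launchers"].append(_qualify(package, comp.get(A_TARGET) or comp.get(A_NAME)))
    return info


def compare_manifests(baseline_xml, candidate_xml):
    """Return human-readable findings where the candidate diverges from the known-good baseline."""
    base, cand = entry_points(baseline_xml), entry_points(candidate_xml)
    findings = []
    if base["package"] != cand["package"]:
        findings.append(f"package renamed: {base['package']} -> {cand['package']}")
    if base["application"] != cand["application"]:
        findings.append(f"Application class changed: {base['application']} -> {cand['application']}")
    if base["launchers"] != cand["launchers"]:
        findings.append(f"launcher activity changed: {base['launchers']} -> {cand['launchers']}")
    added = (cand["permissions"] - base["permissions"]) & SENSITIVE_PERMISSIONS
    if added:
        findings.append("new sensitive permissions: " + ", ".join(sorted(added)))
    return findings


# Constructed manifests. Package and class names are hypothetical placeholders.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Game">
    <activity android:name=".GameActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Repackaged variant: a stub activity takes the LAUNCHER filter, an Application
# subclass is injected, and the original game activity is kept but no longer the entry point.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Card Game" android:name="com.example.cardgame.hook.App">
    <activity android:name="com.example.cardgame.hook.Stub">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".GameActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in compare_manifests(LEGIT_MANIFEST, REPACKAGED_MANIFEST):
        print("FINDING:", finding)
```

The launcher and Application checks catch the specific redirection technique; the permission diff is the cheaper signal and also catches variants that keep the original entry point but add a background component. A signing-certificate comparison between the two APKs belongs alongside this, since a repackaged build cannot carry the developer's original signature.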

Once installed, the Android backdoor harvested contacts, call logs, SMS messages, documents, media files and private keys. It could capture screenshots and record ambient audio; ESET noted the audio recording function was restricted to a three‑hour window between 7 pm and 10 pm local time. Command‑and‑control traffic was routed through cloud storage providers — ESET cited pCloud, Yandex Disk and Zoho WorkDrive as examples — though in this campaign researchers observed only Zoho WorkDrive in use.
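Because the implant's C2 goes to legitimate cloud storage services, destination reputation alone will not flag it. The following Python is an added example, not ESET's detection logic: it runs a process‑aware rule over constructed endpoint log lines, alerting when a process outside an allowlist of expected browsers and sync clients talks to the API hosts of Zoho WorkDrive, pCloud or Yandex Disk. The hostnames and the process allowlist are assumptions to be validated against vendor documentation and your own environment; the log format and the process name cardgame.exe are constructed for the example.

```python
# Added example: process-aware detection of cloud-storage C2 (not ESET code).
import json
from collections import defaultdict

# Assumed API hostnames for the three services named in ESET's report.
# Illustrative only: confirm against current vendor documentation before deploying.
CLOUD_STORAGE_HOSTS = {
    "zohoapis.com": "Zoho WorkDrive",
    "workdrive.zoho.com": "Zoho WorkDrive",
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Processes this (hypothetical) environment expects to reach those services.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "cloudsync.exe"}


def service_for(host):
    """Return the cloud storage service a destination host belongs to, or None."""
    host = host.lower().rstrip(".")
    for base, service in CLOUD_STORAGE_HOSTS.items():
        if host == base or host.endswith("." + base):
            return service
    return None


def detect(log_lines, expected_clients=EXPECTED_CLIENTS):
    """Flag cloud storage API connections from processes that should not make them.

    log_lines: JSON lines with ts, host, process, dest_host and method fields
    (a constructed format standing in for EDR or proxy telemetry).
    Returns (alerts, counts), where counts maps (process, service) -> hits.
    """
    alerts = []
    counts = defaultdict(int)
    for line in log_lines:
        event = json.loads(line)
        service = service_for(event["dest_host"])
        if service is None:
            continue  # not a cloud storage endpoint we track
        process = event["process"].lower()
        if process in expected_clients:
            continue  # a client that legitimately uses the service
        counts[(process, service)] += 1
        alerts.append({
            "ts": event["ts"],
            "host": event["host"],
            "process": process,
            "service": service,
            "dest_host": event["dest_host"],
            "method": event.get("method"),
        })
    return alerts, dict(counts)


# Constructed sample telemetry; cardgame.exe stands in for a trojanized game client.
SAMPLE_LOG = [
    '{"ts": "2025-06-01T19:04:11Z", "host": "ws01", "process": "chrome.exe", "dest_host": "www.zohoapis.com", "method": "GET"}',
    '{"ts": "2025-06-01T19:05:02Z", "host": "ws01", "process": "cardgame.exe", "dest_host": "cdn.example-game.net", "method": "GET"}',
    '{"ts": "2025-06-01T19:05:40Z", "host": "ws01", "process": "cardgame.exe", "dest_host": "www.zohoapis.com", "method": "GET"}',
    '{"ts": "2025-06-01T19:35:41Z", "host": "ws01", "process": "cardgame.exe", "dest_host": "www.zohoapis.com", "method": "POST"}',
    '{"ts": "2025-06-01T20:12:09Z", "host": "ws02", "process": "outlook.exe", "dest_host": "api.pcloud.com", "method": "PUT"}',
]

if __name__ == "__main__":
    found, summary = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['process']} -> {a['dest_host']} ({a['service']}, {a['method']})")
    print("hits per process/service:", summary)
```

The rule is deliberately indifferent to the destination's reputation: the signal is the pairing of an unexpected process with a storage API, and the per‑process count makes a game client polling a WorkDrive endpoint stand out from a one‑off browser visit. On Android the equivalent pivot is the requesting app package, which network telemetry alone does not provide.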

Why Yanbian users were a focal point

sqgame’s audience is concentrated in the Yanbian Korean Autonomous Prefecture, a district that borders North Korea and acts as a known crossing point for refugees and defectors. ESET assessed the activity was intended to collect intelligence on individuals of interest to the Pyongyang regime, a targeting rationale consistent with ScarCruft’s historical focus on South Korean government, military and defector‑related targets.

Notably, the iOS game hosted on the same site remained untouched; ESET suggested this likely reflected the difficulty of evading Apple’s review process, even as Windows and Android binaries were trojanized.

What this means for sqgame, players, and security teams

  • sqgame (the affected platform): The site hosted trojanized Windows and Android software and — as of ESET’s disclosure — continued to serve malicious APKs. ESET notified sqgame of the compromise in December 2025 but had received no response at the time of publication, leaving the site’s distribution of compromised installers unresolved.
  • Players and end users in Yanbian: Users who downloaded the affected Yanbian Red Ten and New Drawing APKs faced exfiltration risks to their contacts, messages, documents, media and private keys; ambient audio and screenshots could also have been captured during the limited nightly recording window.
  • Security teams and incident responders: The campaign demonstrates a multiplatform supply‑chain pattern, a trojanized update library on Windows combined with repackaged APKs on Android, together with cloud storage services used for C2. Two consequences follow. First, because the C2 endpoints are legitimate cloud storage domains, blocking or reputation‑scoring the destination is of little use; detection has to key on which process or app is talking to those services and whether that is expected. Second, where one distribution point serves both desktop and mobile clients, a clean result on one platform says nothing about the other: verify update packages and APKs separately against a known‑good copy (code‑signing certificate, hash manifest and, for APKs, the declared entry point and permissions).

The investigation paints a clear picture: a long‑running, deliberate supply‑chain operation targeting a geographically and politically sensitive user base, using repackaging and a known Windows backdoor adapted to Android. ESET’s notification to sqgame in December 2025 and the continued availability of malicious APKs on the site at publication leave a concrete unanswered question about remediation and user protection in the affected community.

Original reporting: https://www.infosecurity-magazine.com/news/scarcruft-birdcall-android-yanbian/