"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," the Slovakian cybersecurity company said.
ESET's technical assessment and the compromised platform
According to ESET, the North Korea-aligned state-sponsored hacking group known as ScarCruft compromised a video game platform, sqgame[.]net, in a supply chain espionage campaign that trojanized platform components to deliver a backdoor called BirdCall. ESET shared its report with The Hacker News ahead of publication. The platform is used by ethnic Koreans living in the Yanbian region of China and is also described in the report as a "primary, high-risk transit point for North Korean defectors crossing the Tumen River."
BirdCall's capabilities and lineage
BirdCall is described as an evolution of prior tooling from the RokRAT family. Windows variants of BirdCall, which ESET calls an "advanced evolution of RokRAT," have been observed in the wild since 2021. RokRAT itself has previously been adapted to other platforms — macOS (CloudMensis) and Android (RambleOn) — underscoring active maintenance of this malware family.
ESET details BirdCall's backdoor functionality: screenshot capture, keystroke logging, clipboard theft, shell command execution, and data gathering. RokRAT has typically used legitimate cloud services for command-and-control (C2), a pattern that continues with BirdCall's use of services such as Dropbox and pCloud. The Android variant additionally communicates via pCloud, Yandex Disk, and Zoho WorkDrive.
How the supply chain was implemented: poisoned APKs and a trojanized DLL
The investigation found the supply chain intrusion focused on Android distribution channels hosted on sqgame[.]net. Two download pages for Android games were altered to serve malicious APKs at these locations:
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
ESET reports that only the Android APKs hosted on the platform were poisoned; the Windows desktop client and iOS games remained intact. It is not known when the website was first breached, but the compromise is believed to have occurred sometime in late 2024.
Separately, evidence indicates that an update package for the Windows desktop client delivered a trojanized DLL since at least November 2024. That update package is no longer malicious. The modified DLL included a downloader that first checked running processes for analysis tools and virtual machine environments and then downloaded and executed shellcode containing RokRAT. RokRAT was then used to fetch and install BirdCall on infected hosts. ESET also describes BirdCall as usually deployed in a multistage loading chain that begins with a Ruby or Python script and whose components are encrypted with a computer-specific key.
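The detail that the loading chain begins with a Ruby or Python script gives defenders a process-tree signal: a script interpreter spawned by the game client or its updater is not normal behaviour for a game platform. The following detection, written for this article as an added example (not code from ESET or the platform), scans a constructed, simplified process-creation log (pipe-separated `timestamp|parent_image|child_image|command_line`, a format assumed here, not a real Sysmon or EDR schema) and flags interpreters whose parent is one of the platform's own processes. The process names `GameUpdater.exe` and `GameClient.exe` are hypothetical placeholders.

```python
"""
Flag script interpreters launched by a game client's update or client process.

Added example, not from ESET or the article. The log format below is a
constructed, simplified process-creation log; the game platform's process
names are hypothetical placeholders.
"""
import re
from dataclasses import dataclass

# Interpreters the report says begin BirdCall's multistage loading chain.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "ruby.exe", "rubyw.exe"}
# Hypothetical names for the platform's updater and client processes.
UPDATER_PROCESSES = {"gameupdater.exe", "gameclient.exe"}


@dataclass(frozen=True)
class Event:
    ts: str
    parent: str   # lower-cased image basename of the parent process
    child: str    # lower-cased image basename of the created process
    cmdline: str


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_line(line):
    """Parse one 'ts|parent|child|cmdline' line; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, parent, child, cmd = parts
    return Event(ts, basename(parent).lower(), basename(child).lower(), cmd)


def is_suspicious(ev):
    """True when a platform process launches a script interpreter."""
    return ev.parent in UPDATER_PROCESSES and ev.child in SCRIPT_INTERPRETERS


def scan(lines):
    """Return the suspicious events from an iterable of log lines."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample log: two benign events, two that match the heuristic.
SAMPLE_LOG = """\
2024-11-03T10:12:01Z|C:\\Games\\SQ\\GameUpdater.exe|C:\\Games\\SQ\\GameClient.exe|GameClient.exe --launch
2024-11-03T10:12:05Z|C:\\Games\\SQ\\GameUpdater.exe|C:\\Users\\u\\AppData\\Local\\Temp\\python.exe|python.exe stage1.py
2024-11-03T10:13:40Z|C:\\Windows\\explorer.exe|C:\\Python312\\python.exe|python.exe notebook.py
2024-11-03T10:14:02Z|C:\\Games\\SQ\\GameClient.exe|C:\\Tools\\ruby.exe|ruby.exe stage2.rb
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.parent} -> {hit.child}: {hit.cmdline}")
```

The heuristic is deliberately narrow (parent is a platform process, child is an interpreter) so that a developer running Python from Explorer does not trip it; in a real deployment the parent set would be populated from the platform's signed binaries rather than typed in.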
Android BirdCall: surveillance-focused features
The Android variant deployed via the poisoned APKs contains a subset of the Windows backdoor's capabilities but emphasizes surveillance of mobile communications and media. ESET reports the Android backdoor collects contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware family recovered seven versions of BirdCall, with the first version dating to October 2024.
What this means for ethnic Koreans in Yanbian, gaming-platform security teams, and Android users
Ethnic Koreans in the Yanbian region and users of sqgame[.]net: The platform's dual role as a regional gaming hub and a transit-point resource for defectors appears to have made it a deliberate target, which is consistent with ESET's assessment that ScarCruft has a history of targeting North Korean defectors, human rights activists, and university professors.
Gaming-platform security teams and software maintainers: The campaign demonstrates how a supply chain compromise can selectively poison distribution artifacts (Android APKs) while leaving other clients (Windows desktop, iOS) untouched, and how update packages can be modified to include trojanized DLLs that deploy multistage loaders.
Android users and mobile security practitioners: The poisoned APKs distributed through altered download pages underscore the risk of sideloaded apps and the broad surveillance capabilities of modern Android backdoors, including audio capture and access to messages and files.
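The selective poisoning described above (only the APKs on two download pages were replaced, other clients were left alone) is exactly the kind of change that a pinned integrity manifest catches: the operator compares what the web server is serving against the hashes of the build pipeline's output. The code below is an added example for this article, not code from ESET or the sqgame platform; the manifest format (sha256sum-style `digest  path` lines), the directory layout and the file contents are constructed placeholders, and `demo()` builds a scratch tree, replaces one APK and drops an extra file to show what the check reports.

```python
"""
Verify served distribution artifacts (APKs, update packages) against a pinned
SHA-256 manifest.

Added example, not from the article, ESET or the sqgame platform. The manifest
format, file names and contents are constructed placeholders; a real deployment
would pin the hashes of the build pipeline's signed output and run this check
against the web root on a schedule.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256  relative/path' lines (the shape sha256sum produces)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_tree(root, manifest):
    """Return (ok, modified, missing, unexpected) for the files under root."""
    modified, unexpected, present = [], [], set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in manifest:
                unexpected.append(rel)          # a file nobody published
            elif sha256_file(full) != manifest[rel]:
                modified.append(rel)            # a published file with new bytes
    missing = sorted(set(manifest) - present)   # a published file that vanished
    ok = not (modified or missing or unexpected)
    return ok, sorted(modified), missing, sorted(unexpected)


def demo():
    """Constructed scenario: one APK is replaced after the manifest was pinned."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "apk/game_a.apk": b"PK\x03\x04 original game A",
            "apk/game_b.apk": b"PK\x03\x04 original game B",
            "client/update.zip": b"PK\x03\x04 original update",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest_text = "\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()
        )
        manifest = parse_manifest(manifest_text)
        before = verify_tree(root, manifest)
        # Simulate a web-server compromise: swap one APK, add a file that was never built.
        with open(os.path.join(root, "apk", "game_a.apk"), "wb") as f:
            f.write(b"PK\x03\x04 replaced game A")
        with open(os.path.join(root, "apk", "extra.apk"), "wb") as f:
            f.write(b"PK\x03\x04 unexpected")
        after = verify_tree(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest must live somewhere the web server cannot rewrite (the build system, or a signed file checked by a separate host); a manifest stored beside the artifacts would simply be updated along with them.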
The concrete traces ESET documents — poisoned APK URLs, a trojanized Windows DLL active since at least November 2024, and a lineage of seven BirdCall versions beginning in October 2024 — leave a narrow but important through-line: this was a targeted, multistage supply chain operation aimed at collecting sensitive personal and communications data across Windows and Android devices. The update package that carried the trojanized DLL is reported as no longer malicious, but the timing of the initial website breach and the full distribution window for the malicious APKs remain open questions.