ScarCruft Supply Chain Attack Backdoors Windows and Android Gaming Platform
Key Takeaways A North Korean state-sponsored group, ScarCruft (also known as APT37 or Reaper), has launched a sophisticated supply chain attack. The target is sqgame, a gaming platform popular among...
Key Takeaways
- A North Korean state-sponsored group, ScarCruft (also known as APT37 or Reaper), has launched a sophisticated supply chain attack.
- The target is sqgame, a gaming platform popular among ethnic Koreans in China’s Yanbian region.
- Both Windows and Android versions of the gaming platform were backdoored with new malware, including the BirdCall backdoor and RokRAT.
- The attack aims to collect personal data from individuals of interest, such as North Korean refugees and defectors.
- Users of the affected platform, particularly those on Windows and Android, are at high risk of extensive data exfiltration and device compromise.
North Korean APT ScarCruft Targets Gaming Platform in Supply Chain Attack
A North Korea-aligned advanced persistent threat (APT) group, identified as ScarCruft, has orchestrated a complex supply chain attack against a gaming platform predominantly used by ethnic Koreans residing in China’s Yanbian region. This operation involved the surreptitious deployment of both Windows and Android backdoors, as detailed in a comprehensive report by security researchers.
Table Of Content
The attackers successfully embedded malicious code into both the Windows and Android iterations of the platform’s games. This turned what appeared to be a trusted entertainment service into an instrument for covert espionage, facilitating the collection of sensitive personal data.
Analysts believe the campaign has been operational since at least late 2024. Its primary objective is the exfiltration of personal information from individuals deemed significant to the North Korean regime, including refugees and defectors.
Targeted Platform and Attack Vector
The compromised service, known as sqgame, offers traditional Yanbian-themed card and board games across Windows, Android, and iOS platforms. ScarCruft did not breach the game’s core source code directly. Instead, the group appears to have gained unauthorized access to the platform’s web server.
From there, they repackaged the original Android game files by injecting malicious code. Specifically, two Android games available on the sqgame website were found to be trojanized with the BirdCall backdoor. The Windows client was compromised through a malicious update package. Notably, the iOS version of the platform showed no evidence of tampering, likely due to the more stringent app review processes enforced by Apple.
Researchers at WeLiveSecurity were instrumental in uncovering the full scope of this multiplatform supply chain attack, attributing it to ScarCruft with high confidence. The research team highlighted that the Android variant of BirdCall represents a new addition to the group’s toolkit and provided the first public analysis of this specific Android malware.
ESET’s telemetry data indicates that the malicious Windows update had been active since at least November 2024. This update initially delivered the RokRAT backdoor as a first-stage payload, which subsequently installed the more advanced BirdCall backdoor onto victim machines.
About ScarCruft (APT37)
ScarCruft, also tracked by the aliases APT37 and Reaper, has a documented history of activity stretching back to at least 2012. It is widely recognized as a state-sponsored espionage group operating on behalf of North Korea. While its primary focus traditionally targets South Korea, the group has also launched attacks against other Asian nations, specifically targeting government entities, military organizations, and industries that align with North Korean interests.
The Yanbian region, which shares a border with North Korea and hosts the largest community of ethnic Koreans outside the Korean Peninsula, aligns perfectly with ScarCruft’s established targeting profile. This area is particularly significant as a common crossing point for defectors, making its residents potential high-value targets for intelligence gathering.
ESET reportedly informed sqgame of the compromise in December 2025. However, as of the publication of the research, no response had been received from the platform operator.
How the BirdCall Backdoor Works
The Android variant of the BirdCall backdoor, internally referred to as “zhuagou” (Chinese for “catching dogs”), propagates through tampered game packages hosted on the sqgame website.
The attackers modified the AndroidManifest.xml file within each affected APK, redirecting the application’s startup process to execute the backdoor’s code. When a user launches a compromised game, the backdoor initiates silently in the background before seamlessly returning control to the legitimate game, thereby maintaining a covert infection.

Upon its initial execution, the backdoor systematically collects a comprehensive directory listing of shared storage and harvests the user’s contacts, call logs, and SMS messages. It then establishes connections to cloud storage using hardcoded credentials to upload collected data, including RAM contents, IMEI, IP and MAC addresses, and geolocation information.

Communication with command and control infrastructure is conducted over HTTPS, leveraging Zoho WorkDrive accounts. Researchers identified 12 distinct Zoho WorkDrive accounts utilized throughout the campaign. In some versions of the backdoor, audio recording via the device microphone is activated during specific hours, specifically between 7 PM and 10 PM local time. The backdoor is also capable of capturing screenshots and exfiltrating files with extensions such as .jpg, .doc, .pdf, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .m4a, and .p12.
For Windows systems, ScarCruft embedded a trojanized mono.dll within an sqgame update package. A downloader component within this malicious library first performs checks for the presence of analysis tools and virtual environments. If no such tools are detected, it fetches shellcode containing the RokRAT payload from a compromised South Korean website. After successfully delivering the payload, the malicious mono.dll replaces itself with a clean copy to erase forensic evidence. RokRAT then proceeds to install the full BirdCall backdoor on the victim’s machine.
What You Should Do
- Only Install Apps from Trusted Sources: Android users should strictly limit app installations to official stores like Google Play. Avoid downloading APKs from third-party websites, especially for gaming platforms.
- Keep Systems and Applications Updated: Ensure your operating systems (Windows, Android) and all installed applications are regularly patched to their latest versions to mitigate known vulnerabilities.
- Monitor Network Traffic: Security teams should configure network monitoring to flag unusual HTTPS traffic directed towards cloud storage platforms (e.g., Zoho WorkDrive) originating from gaming applications.
- Leverage Indicators of Compromise (IoCs): Consult the full list of IoCs provided in the ESET GitHub repository to enhance threat hunting capabilities and detect potential compromises.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.