Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/Threats/ScarCruft Supply Chain Attack Backdoors Windows and Android Gaming Platform
Threats

ScarCruft Supply Chain Attack Backdoors Windows and Android Gaming Platform

Key Takeaways A North Korean state-sponsored group, ScarCruft (also known as APT37 or Reaper), has launched a sophisticated supply chain attack. The target is sqgame, a gaming platform popular among...

David kimber
David kimber
May 5, 2026 5 Min Read
48 0

Key Takeaways

  • A North Korean state-sponsored group, ScarCruft (also known as APT37 or Reaper), has launched a sophisticated supply chain attack.
  • The target is sqgame, a gaming platform popular among ethnic Koreans in China’s Yanbian region.
  • Both Windows and Android versions of the gaming platform were backdoored with new malware, including the BirdCall backdoor and RokRAT.
  • The attack aims to collect personal data from individuals of interest, such as North Korean refugees and defectors.
  • Users of the affected platform, particularly those on Windows and Android, are at high risk of extensive data exfiltration and device compromise.

North Korean APT ScarCruft Targets Gaming Platform in Supply Chain Attack

A North Korea-aligned advanced persistent threat (APT) group, identified as ScarCruft, has orchestrated a complex supply chain attack against a gaming platform predominantly used by ethnic Koreans residing in China’s Yanbian region. This operation involved the surreptitious deployment of both Windows and Android backdoors, as detailed in a comprehensive report by security researchers.

Table Of Content

  • Key Takeaways
  • North Korean APT ScarCruft Targets Gaming Platform in Supply Chain Attack
  • Targeted Platform and Attack Vector
  • About ScarCruft (APT37)
  • How the BirdCall Backdoor Works
  • What You Should Do

The attackers successfully embedded malicious code into both the Windows and Android iterations of the platform’s games. This turned what appeared to be a trusted entertainment service into an instrument for covert espionage, facilitating the collection of sensitive personal data.

Analysts believe the campaign has been operational since at least late 2024. Its primary objective is the exfiltration of personal information from individuals deemed significant to the North Korean regime, including refugees and defectors.

Targeted Platform and Attack Vector

The compromised service, known as sqgame, offers traditional Yanbian-themed card and board games across Windows, Android, and iOS platforms. ScarCruft did not breach the game’s core source code directly. Instead, the group appears to have gained unauthorized access to the platform’s web server.

From there, they repackaged the original Android game files by injecting malicious code. Specifically, two Android games available on the sqgame website were found to be trojanized with the BirdCall backdoor. The Windows client was compromised through a malicious update package. Notably, the iOS version of the platform showed no evidence of tampering, likely due to the more stringent app review processes enforced by Apple.

Researchers at WeLiveSecurity were instrumental in uncovering the full scope of this multiplatform supply chain attack, attributing it to ScarCruft with high confidence. The research team highlighted that the Android variant of BirdCall represents a new addition to the group’s toolkit and provided the first public analysis of this specific Android malware.

ESET’s telemetry data indicates that the malicious Windows update had been active since at least November 2024. This update initially delivered the RokRAT backdoor as a first-stage payload, which subsequently installed the more advanced BirdCall backdoor onto victim machines.

About ScarCruft (APT37)

ScarCruft, also tracked by the aliases APT37 and Reaper, has a documented history of activity stretching back to at least 2012. It is widely recognized as a state-sponsored espionage group operating on behalf of North Korea. While its primary focus traditionally targets South Korea, the group has also launched attacks against other Asian nations, specifically targeting government entities, military organizations, and industries that align with North Korean interests.

The Yanbian region, which shares a border with North Korea and hosts the largest community of ethnic Koreans outside the Korean Peninsula, aligns perfectly with ScarCruft’s established targeting profile. This area is particularly significant as a common crossing point for defectors, making its residents potential high-value targets for intelligence gathering.

ESET reportedly informed sqgame of the compromise in December 2025. However, as of the publication of the research, no response had been received from the platform operator.

How the BirdCall Backdoor Works

The Android variant of the BirdCall backdoor, internally referred to as “zhuagou” (Chinese for “catching dogs”), propagates through tampered game packages hosted on the sqgame website.

The attackers modified the AndroidManifest.xml file within each affected APK, redirecting the application’s startup process to execute the backdoor’s code. When a user launches a compromised game, the backdoor initiates silently in the background before seamlessly returning control to the legitimate game, thereby maintaining a covert infection.

Yanbian Red Ten Game (Source - Welivesecurity)
Yanbian Red Ten Game (Source – Welivesecurity)

Upon its initial execution, the backdoor systematically collects a comprehensive directory listing of shared storage and harvests the user’s contacts, call logs, and SMS messages. It then establishes connections to cloud storage using hardcoded credentials to upload collected data, including RAM contents, IMEI, IP and MAC addresses, and geolocation information.

Package tree of the legitimate game (left) and its trojanized version (right) (Source - Welivesecurity)
Package tree of the legitimate game (left) and its trojanized version (right) (Source – Welivesecurity)

Communication with command and control infrastructure is conducted over HTTPS, leveraging Zoho WorkDrive accounts. Researchers identified 12 distinct Zoho WorkDrive accounts utilized throughout the campaign. In some versions of the backdoor, audio recording via the device microphone is activated during specific hours, specifically between 7 PM and 10 PM local time. The backdoor is also capable of capturing screenshots and exfiltrating files with extensions such as .jpg, .doc, .pdf, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .m4a, and .p12.

For Windows systems, ScarCruft embedded a trojanized mono.dll within an sqgame update package. A downloader component within this malicious library first performs checks for the presence of analysis tools and virtual environments. If no such tools are detected, it fetches shellcode containing the RokRAT payload from a compromised South Korean website. After successfully delivering the payload, the malicious mono.dll replaces itself with a clean copy to erase forensic evidence. RokRAT then proceeds to install the full BirdCall backdoor on the victim’s machine.

What You Should Do

  • Only Install Apps from Trusted Sources: Android users should strictly limit app installations to official stores like Google Play. Avoid downloading APKs from third-party websites, especially for gaming platforms.
  • Keep Systems and Applications Updated: Ensure your operating systems (Windows, Android) and all installed applications are regularly patched to their latest versions to mitigate known vulnerabilities.
  • Monitor Network Traffic: Security teams should configure network monitoring to flag unusual HTTPS traffic directed towards cloud storage platforms (e.g., Zoho WorkDrive) originating from gaming applications.
  • Leverage Indicators of Compromise (IoCs): Consult the full list of IoCs provided in the ESET GitHub repository to enhance threat hunting capabilities and detect potential compromises.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackPatchSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

SilverFox Uses Fake Tax Notices to Deploy ValleyRAT and ABCDoor Backdoor

Next Post

China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers With ShadowPad Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us