ScarCruft uses gaming platform supply chain attack to deliver Windows and Android backdoors
ScarCruft has compromised a gaming platform used by ethnic Koreans in China’s Yanbian region and used it to deliver spyware through Windows and Android game components.
ESET researchers found that the North Korea-aligned group trojanized Android game packages with a new Android version of the BirdCall backdoor. The Windows side involved a malicious update package that delivered RokRAT first, then installed the more capable BirdCall backdoor.
The campaign appears to have started in late 2024. Its goal was espionage, with the malware built to steal personal data, documents, screenshots, device information, and audio recordings from selected victims.
What happened in the ScarCruft supply chain attack
The targeted platform is sqgame, a site that hosts traditional Yanbian-themed card and board games for Windows, Android, and iOS users.
Instead of tricking users with a random fake app, the attackers abused a trusted gaming platform. This made the campaign more dangerous because users likely believed they were downloading legitimate games from the official site.
ESET found two Android games on the platform that had been repackaged with malicious code. The iOS version did not show signs of compromise, while the Windows infection chain came through an update package rather than the installer available on the main website.
| Attack detail | What researchers found |
|---|---|
| Threat group | ScarCruft, also tracked as APT37 and Reaper |
| Targeted platform | sqgame, a Yanbian-themed gaming platform |
| Target region | Yanbian, China, home to a large ethnic Korean community |
| Android malware | Android version of BirdCall |
| Windows malware chain | Trojanized mono.dll, then RokRAT, then BirdCall |
| Likely purpose | Espionage and collection of personal data |
Why Yanbian matters in this campaign
Yanbian borders North Korea and has one of the largest ethnic Korean communities outside the Korean peninsula. The region also has strategic importance because it has served as a transit point for North Korean refugees and defectors.
That makes the target selection consistent with ScarCruft’s previous activity. The group has a long history of targeting South Korea, North Korean defectors, human rights activists, academics, and organizations linked to North Korean interests.
This campaign shows how a local entertainment platform can become a surveillance channel. A game download can look harmless, but a compromised installer or APK can give attackers access to private messages, files, location details, and device metadata.
How Android users were infected
The Android attack relied on trojanized APK files hosted on the sqgame website. ESET found no evidence that the malicious APKs were distributed through Google Play.
The attackers modified the AndroidManifest.xml file so the app launched the backdoor first. After starting the malicious code, the app opened the real game, which helped hide the infection from the user.
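As an added example (not ESET's code nor anything from the sqgame platform), the check below shows how a defender could triage a decoded AndroidManifest.xml for the pattern described above: the MAIN/LAUNCHER intent filter, or the Application class that runs before any activity, no longer points at the game's known entry point. It assumes the repackaging is visible in the manifest's entry points, and all package and class names are invented placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

def _qualify(name: str, package: str) -> str:
    # Manifests may abbreviate class names as ".Foo" relative to the package.
    return package + name if name.startswith(".") else name

def entry_points(manifest_xml: str) -> dict:
    """Return the classes Android runs first: the Application subclass (if any)
    and every activity carrying a MAIN/LAUNCHER intent filter."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_class = _qualify(app.get(NAME), package) if app is not None and app.get(NAME) else None
    launchers = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            cats = {c.get(NAME) for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.append(_qualify(activity.get(NAME, ""), package))
    return {"application": app_class, "launchers": launchers}

def check_manifest(manifest_xml: str, expected_launcher: str, expected_app=None) -> list:
    """Compare entry points against a known-good baseline; an empty list means no deviation."""
    ep = entry_points(manifest_xml)
    findings = [f"unexpected launcher activity: {n}" for n in ep["launchers"] if n != expected_launcher]
    if expected_launcher not in ep["launchers"]:
        findings.append(f"baseline launcher {expected_launcher} no longer carries the LAUNCHER filter")
    if ep["application"] != expected_app:
        findings.append(f"Application class changed: {expected_app} -> {ep['application']}")
    return findings

# Constructed sample manifests; package and class names are invented placeholders.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cardgame">
<application><activity android:name=".MainActivity">
<intent-filter><action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/></intent-filter>
</activity></application></manifest>"""

# Same game, but a foreign class now owns the launcher filter and the original main activity lost it.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cardgame">
<application android:name="a.b.LoaderApp"><activity android:name=".MainActivity"/>
<activity android:name="a.b.LoaderActivity"><intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/></intent-filter>
</activity></application></manifest>"""
```

Run `check_manifest(REPACKAGED_MANIFEST, "com.example.cardgame.MainActivity")` against a baseline taken from a known-good APK of the same game; the manifest can be decoded from an APK with standard tooling before it is fed in.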
The Android backdoor is internally named zhuagou, which ESET translated from Chinese as “catching dogs.” Researchers found that Android BirdCall had been developed across several versions, starting around October 2024.
- Two Android games on the sqgame website were trojanized.
- The malicious APKs started the backdoor before opening the real game.
- The malware collected contacts, call logs, SMS messages, files, screenshots, and device details.
- Some versions recorded audio between 7 PM and 10 PM local time.
- The Android version used cloud services for command and control.
What BirdCall can steal on Android
Android BirdCall functions as spyware. On first run, it collects a directory listing from shared storage and harvests contacts, call logs, and SMS messages.

It also gathers device and network details, including OS version, kernel information, rooted status, IMEI, IP address, MAC address, network type, RAM, storage, and battery temperature.
The malware can search for files with extensions such as .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12. That file list shows interest in photos, documents, audio files, and private keys.
| Data type | Examples collected by Android BirdCall |
|---|---|
| Personal data | Contacts, SMS messages, call logs |
| Device data | IMEI, IP address, MAC address, OS, kernel, rooted status |
| Files | Documents, images, audio files, HWP files, private keys |
| Surveillance data | Screenshots and microphone recordings |
| Network data | Network type and IP geolocation information |
How the Windows attack worked
The Windows infection did not start with a visibly malicious installer from the main sqgame download page. ESET found a trojanized mono.dll file that came from an update package for the desktop client.
The malicious library included a downloader that checked for analysis tools and virtual machine environments. If it did not find those signs, it downloaded and executed shellcode containing RokRAT.
RokRAT then installed BirdCall on victim systems. The downloader also replaced the trojanized mono.dll with a clean copy, which reduced visible evidence of the compromise.
Why this attack is difficult to detect
This campaign blends several techniques that make detection harder. It uses a trusted game platform, legitimate-looking game files, cloud storage services, and compromised websites for payload hosting.
On Android, the real game still runs after the malware starts. On Windows, the malicious DLL can get replaced with a clean version after execution. Both patterns help the attackers hide from casual inspection.
Security teams should not rely only on file names or simple blocklists. They should look for unusual behavior from gaming apps, including unexpected cloud API traffic, background audio access, screenshot activity, suspicious DLL behavior, and outbound traffic to infrastructure unrelated to gameplay.
- Flag gaming apps that contact cloud storage APIs unexpectedly.
- Review Android devices that installed APKs outside official app stores.
- Monitor Windows clients for suspicious mono.dll replacement activity.
- Check for RokRAT and BirdCall detections across endpoints.
- Use ESET’s published IoCs for threat hunting and incident response.
What users and security teams should do now
Users should avoid sideloading Android apps from unknown websites, even when the site looks legitimate. Official app stores are not perfect, but they reduce the risk of installing repackaged APKs from compromised sites.
Anyone who installed sqgame Android APKs from the official website should remove them and scan the device with a trusted mobile security tool. High-risk users should also review permissions, messages, files, and account activity.
Organizations should treat this as a supply chain warning. Small or regional platforms can still become valuable attack paths when they serve communities of intelligence interest.
| Audience | Recommended action |
|---|---|
| Android users | Remove sideloaded sqgame APKs and scan the device. |
| Windows users | Check endpoint alerts for RokRAT, BirdCall, and suspicious update activity. |
| Security teams | Monitor gaming apps for unexpected cloud storage traffic. |
| High-risk individuals | Reset sensitive accounts and review exposed documents or private keys. |
| Incident responders | Use the ESET IoC list to hunt across endpoints and network logs. |
FAQ
Who is ScarCruft?
ScarCruft is a North Korea-aligned espionage group also known as APT37 and Reaper. It has been active for more than a decade and often targets South Korea and individuals linked to North Korean interests.
What is BirdCall?
BirdCall is a backdoor associated with ScarCruft. It was previously known as a Windows threat, but this campaign introduced an Android version used for mobile surveillance.
Was the sqgame iOS app infected?
ESET said it found no malicious code in the iOS version. The Android games and a Windows update package were the parts connected to the campaign.
Was the malware found on Google Play?
No. ESET found the malicious Android APKs on the sqgame website and did not find those APKs on Google Play.
What makes this a supply chain attack?
The attackers abused software delivered through a trusted gaming platform. Users received malware through what looked like normal game downloads or updates.
How can users reduce the risk?
Users should install apps only from trusted stores, avoid sideloaded APKs, keep devices updated, and review app permissions regularly.
Official and source links
ESET WeLiveSecurity: A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
ESET GitHub repository: Indicators of compromise for ESET research
MITRE ATT&CK: ScarCruft profile
BleepingComputer: ScarCruft hackers push BirdCall Android malware via game platform
The Hacker News: ScarCruft hacks gaming platform to deploy BirdCall malware on Android and Windows