Executive Summary
On 5 May 2026, ESET researchers reported that a North Korea-aligned threat group known as ScarCruft executed a supply chain attack against a video gaming platform serving ethnic Koreans in China’s Yanbian region, planting backdoors in both Windows and Android versions of the platform’s games to turn a trusted service into a covert espionage tool.
Key Takeaways
Targeting & Intent
- The campaign has likely been active since late 2024 and focuses on collecting personal data from individuals of interest to the North Korean regime, including refugees and defectors.
- The Yanbian region borders North Korea and holds the largest ethnic Korean community outside the peninsula, making it a key crossing point for defectors and a high-priority target.
Attack Method
- ScarCruft did not break into the game’s source code directly; instead, the group appears to have accessed the platform’s web server and repackaged the original Android game files with malicious code.
- ESET telemetry confirmed the malicious Windows update had been active since at least November 2024, delivering the first-stage RokRAT backdoor, which then dropped the more capable BirdCall backdoor onto victim machines.
- The iOS version showed no signs of tampering, likely because Apple’s review process made it harder to target.
BirdCall Backdoor Capabilities
- On first run, the backdoor collects a full directory listing of shared storage and harvests contacts, call logs, and SMS messages, then uploads device information (RAM, IMEI, IP and MAC address) and geolocation data to cloud storage using hardcoded credentials.
- In some versions, audio recording via the microphone is active only between 7 PM and 10 PM local time; the backdoor also captures screenshots and steals files with extensions including .jpg, .doc, .pdf, .xls, .ppt, .txt, and .p12.
- Communication runs over HTTPS through Zoho WorkDrive accounts, with 12 separate drives identified in the campaign.
Attribution
- ScarCruft, also tracked as APT37 or Reaper, has been active since at least 2012 and is a North Korean state-sponsored espionage group primarily targeting South Korea, government bodies, military organizations, and industries linked to North Korean interests.
Mitigations
- Users should only install apps from trusted stores like Google Play and keep devices patched at all times.
- Security teams should flag unexpected HTTPS traffic to cloud platforms originating from gaming applications.
- Organizations serving Korean diaspora communities should treat gaming software supply chains as elevated-risk vectors given this group’s persistent targeting.
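As an added illustration of the network-monitoring advice above (example code written for this summary, not ESET's tooling), the following Python scans constructed proxy log lines for game-client processes talking HTTPS to Zoho WorkDrive or ipinfo.io and for the domains and IPs published in the IOC tables below. The log format, the cloud-service suffixes and the game process names are assumptions.

```python
import re

# Indicators transcribed from the report's IOC tables (published defanged there).
IOC_DOMAINS = {"sqgame.com.cn", "1980food.co.kr", "inodea.com", "www.lawwell.co.kr",
               "colorncopy.co.kr", "sejonghaeun.com", "cndsoft.co.kr"}
IOC_IPS = {"39.106.249.68", "211.239.117.117", "114.108.128.157", "221.143.43.214",
           "222.231.2.20", "222.231.2.23", "222.231.2.41"}
# Services the report ties to BirdCall: Zoho WorkDrive for C&C, ipinfo.io for
# geolocation. Assumption: matching by registrable-domain suffix is good enough.
CLOUD_SUFFIXES = ("zoho.com", "ipinfo.io")
# Assumption: process/package names the organisation treats as game clients.
GAME_PROCESSES = {"sqybhs", "ybht", "sqgame.exe"}
# Assumed proxy log format: "<timestamp> src=<ip> proc=<name> dst=<host> port=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>\S+) port=(?P<port>\d+)$")

def refang(value):
    # Turn a defanged indicator such as 39.106.249[.]68 back into a usable string.
    return value.replace("[.]", ".")

def is_cloud_service(host):
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)

def classify(line):
    # Return (verdict, process, destination) for a suspicious line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    proc, dst = m["proc"], refang(m["dst"])
    if dst in IOC_DOMAINS or dst in IOC_IPS:
        return ("IOC_MATCH", proc, dst)
    # The summary's mitigation rule: a game client has no business talking HTTPS
    # to a consumer cloud-storage or IP-geolocation service.
    if proc in GAME_PROCESSES and m["port"] == "443" and is_cloud_service(dst):
        return ("GAME_TO_CLOUD", proc, dst)
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-03-18T19:05:11 src=10.0.0.12 proc=sqybhs dst=workdrive.zoho.com port=443",
    "2025-03-18T19:05:12 src=10.0.0.12 proc=sqybhs dst=ipinfo.io port=443",
    "2025-03-18T19:06:00 src=10.0.0.15 proc=chrome.exe dst=workdrive.zoho.com port=443",
    "2025-03-18T19:07:30 src=10.0.0.20 proc=sqgame.exe dst=www.lawwell.co.kr port=443",
    "2025-03-18T19:08:00 src=10.0.0.21 proc=outlook.exe dst=mail.example.com port=443",
]
```

Note that the browser's connection to Zoho WorkDrive is deliberately not flagged: the signal is the combination of a game process and a cloud-storage destination, not the destination alone.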
IOCs
ESET researchers shared the following IOCs on their GitHub:
Files
SHA-1 | Filename | Detection | Description |
--- | --- | --- | --- |
01A33066FBC6253304C92760916329ABD50C3191 | sqybhs.apk | Android/Spy.Agent.EXM | Trojanized game with Android BirdCall version 2.0. |
03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF | ybht.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.3. |
2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.5. |
59A9B9D47AE36411B277544F25AD2CC955D8DD2C | ybht.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.0. |
7356D7868C81499FB4E720F7C9530E5763B4C1D0 | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.0. |
FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.5. |
95BDB94F6767A3CCE6D92363BBF5BC84B786BDB0 | mono.dll | Win32/TrojanDownloader.Agent.ILQ | Trojanized mono library. |
409C5ACAED587F62F7E23DA47F72C4D9EC3144D9 | N/A | Win32/TrojanDownloader.Agent.ILQ | Downloader leading to the RokRAT backdoor. |
B06110E0FEB7592872E380B7E3B8F77D80DD1108 | N/A | Win64/Agent.EGN | Publicly available dump of Windows BirdCall backdoor. |
Network
IP | Domain | Hosting provider | First seen | Details |
--- | --- | --- | --- | --- |
39.106.249[.]68 | sqgame.com[.]cn | Hangzhou Alibaba Advertising Co.,Ltd. | 2024-06-01 | Compromised sqgame site hosting trojanized games and malicious updates. |
211.239.117[.]117 | 1980food.co[.]kr | Hostway IDC | 2025-03-07 | Compromised South Korean site used to host Android BirdCall configuration. |
114.108.128[.]157 | inodea[.]com | LG DACOM Corporation | 2025-07-03 | Compromised South Korean site used to host Android BirdCall configuration. |
221.143.43[.]214 | www.lawwell.co[.]kr | SK Broadband Co Ltd | 2024-11-04 | Compromised South Korean site used to host shellcode and clean mono library. |
222.231.2[.]20 | colorncopy.co[.]kr | LG DACOM Corporation | 2025-03-18 | Compromised South Korean site used to host shellcode. |
222.231.2[.]23 | sejonghaeun[.]com | IP Manager | 2025-03-18 | Compromised South Korean site used to host clean mono library. |
222.231.2[.]41 | cndsoft.co[.]kr | IP Manager | 2025-03-18 | Compromised South Korean site used to host shellcode. |
TTPs
ESET researchers shared the following TTPs:
Tactic | Name | Description |
--- | --- | --- |
Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | ScarCruft performed a supply-chain attack, compromising the sqgame website, to distribute trojanized games containing the Android BirdCall backdoor. |
Defense Evasion | Obfuscated Files or Information | Version 2.0 of the Android BirdCall backdoor is obfuscated. |
Defense Evasion | Download New Code at Runtime | The Android BirdCall backdoor can download and load newer versions of itself. |
Defense Evasion | Foreground Persistence | Android BirdCall uses the startForeground API to take screenshots while in the background. |
Discovery | File and Directory Discovery | Android BirdCall creates a directory listing and searches for files with specified extensions. |
Discovery | Local Network Configuration Discovery | Android BirdCall obtains the device’s IMEI, IP address, and MAC address. |
Discovery | System Information Discovery | Android BirdCall obtains system information of the compromised device including brand, model, OS version, kernel version, rooted status, battery temperature, RAM, and storage information. |
Collection | Archive Collected Data | Android BirdCall compresses and encrypts collected data. |
Collection | Audio Capture | Android BirdCall can record voice using the microphone. |
Collection | Location Tracking | Android BirdCall obtains approximate device location using the ipinfo[.]io service. |
Collection | Screen Capture | Android BirdCall can take screenshots. |
Collection | Data from Local System | Android BirdCall collects local files with the following extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12. |
Collection | Protected User Data: Call Log | Android BirdCall collects the call log. |
Collection | Protected User Data: Contact List | Android BirdCall collects the contact list. |
Collection | Protected User Data: SMS Messages | Android BirdCall collects SMS messages. |
Command and Control | Application Layer Protocol: Web Protocols | Android BirdCall communicates with the C&C cloud storage drive using HTTPS. |
Command and Control | Web Service: Bidirectional Communication | Android BirdCall uses a Zoho WorkDrive service cloud storage drive for C&C purposes. |
Exfiltration | Exfiltration Over C2 Channel | Android BirdCall uses the C&C channel for data exfiltration. |