The North Korean-linked cyber espionage group ScarCruft has orchestrated a sophisticated supply chain attack targeting a gaming platform popular among ethnic Koreans in China's Yanbian region. By embedding backdoors into the Windows and Android versions of the platform's games, the attackers transformed a legitimate service into a tool for covert surveillance. The platform affected, known as sqgame, hosts traditional card and board games. ScarCruft did not compromise the source code directly but instead infiltrated the platform's web server to insert malicious code into Android game files. Specifically, two Android games were altered to include the BirdCall backdoor, while the Windows client was compromised through a malicious update package. The iOS version remained unaffected, likely due to Apple's stringent review process.

WeLiveSecurity analysts have linked this multi-platform attack to ScarCruft with high confidence, noting that the Android BirdCall is a new addition to ScarCruft's toolkit. ESET telemetry has confirmed that the malicious Windows update has been in operation since November 2024, employing the first-stage RokRAT backdoor to eventually deploy BirdCall on infected devices. ScarCruft, also known as APT37 or Reaper, has been active since at least 2012 and often targets South Korea and other Asian nations, focusing on sectors of interest to North Korea. The Yanbian region's proximity to North Korea and its significant ethnic Korean population make it an ideal target for ScarCruft, especially as a passage for defectors.

The Android version of BirdCall, called 'zhuagou' in Chinese, spreads through trojanized game packages on the sqgame website. It silently activates upon game startup, collecting and transmitting user data such as contacts, call logs, and location information to cloud storage. The backdoor also captures screenshots and records audio, maintaining communication over secure HTTPS connections. On Windows, the attack involved a trojanized mono.dll file in an sqgame update, which checks for analysis tools before deploying RokRAT and eventually BirdCall. Security teams are advised to monitor for unusual HTTPS traffic from gaming applications. ESET has provided a comprehensive list of Indicators of Compromise for threat hunters.