ScarCruft Hacks Gaming Platform to Install BirdCall Malware on Android and Windows

A North Korea-based, state-sponsored hacking group known as ScarCruft has staged a supply chain espionage attack against the video game sector, trojanizing a gaming platform's components with a backdoor called BirdCall in order to target Koreans living in China.
While previous versions of the backdoor targeted Windows users only, the supply chain attack has given the threat actor a way to reach Android devices as well, essentially making BirdCall a cross-platform threat.
According to ESET, the campaign singled out sqgame[.]net, a gaming platform used by Koreans from the Yanbian region of China, which borders North Korea and Russia. The region is also known to have served as a key, high-risk destination for North Korean migrants crossing the Tumen River.
The targeting of this forum is said to be a deliberate strategy given ScarCruft’s notorious history of targeting North Korean defectors, human rights activists, and university professors.
“In this attack, which may continue from the end of 2024, ScarCruft compromised the Windows and Android parts of the video game platform dedicated to Yanbian-themed games, exploiting it through a backdoor,” the Slovakian cybersecurity company said in a report shared with The Hacker News before publication.
Windows versions of BirdCall, described as an improved evolution of RokRAT, have been found in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actor.
BirdCall comes equipped with the usual backdoor features, allowing for screenshot capture, keylogging, clipboard content theft, shell command execution, and data collection. Like RokRAT, the malware relies on legitimate cloud services such as Dropbox and pCloud for command and control (C2).
“BirdCall is typically deployed in a multi-stage payload chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key,” ESET said.
The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, implements a subset of its Windows counterpart's features, collecting contact lists, SMS messages, call logs, media files, texts, screenshots, and ambient audio. An analysis of the malware samples identified seven versions, the earliest of which dates back to October 2024.
Interestingly, the supply chain attack was found to have poisoned only the Android APKs available for download on the platform, leaving the Windows desktop client and iOS games intact. The download pages for two Android games hosted on sqgame[.]net were modified to serve malicious APKs:
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
It is not yet known when the website was breached and the poisoned APKs began to be distributed; however, this is believed to have taken place sometime in late 2024. In addition, evidence has emerged that the Windows desktop client's update package delivered a trojanized DLL since at least November 2024 and for an unspecified period of time. The update package is no longer malicious.
Specifically, the modified DLL included a loader that checks the list of running processes for analysis tools and signs of a virtual machine before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to download and install BirdCall on infected hosts.
The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. These include pCloud, Yandex Disk, and Zoho WorkDrive, the last of which is commonly seen across the group's campaigns.
“The Android backdoor has seen significant improvements, and provides surveillance capabilities, such as collecting personal data and documents, taking screenshots, and making voice recordings,” ESET said.