ScarCruft Targets Gaming Platform To Deploy BirdCall Malware Across Android And Windows Systems


A cyber espionage campaign linked to the North Korea-aligned threat group known as ScarCruft has been identified targeting a gaming platform to distribute malware across both Android and Windows systems. The operation involves a supply chain compromise in which components of a video game platform were modified to include a backdoor known as BirdCall. The activity is believed to be aimed at ethnic Koreans residing in China, particularly those in the Yanbian region, an area that has strategic relevance due to its proximity to North Korea and its association with cross-border movement involving defectors.

According to research findings shared by cybersecurity firm ESET, the campaign has specifically targeted the platform sqgame net, which hosts games themed around the Yanbian region and is widely used by local communities. The choice of platform appears to align with ScarCruft’s historical targeting patterns, which include individuals such as North Korean defectors, human rights activists, and academic professionals. By compromising a trusted platform, the threat actors were able to distribute trojanized versions of software to unsuspecting users. The attack is believed to have been active since late 2024, indicating a sustained effort to infiltrate targeted environments through indirect delivery mechanisms.

The malware deployed in the campaign, BirdCall, is described as an advanced evolution of the previously known RokRAT backdoor. Earlier versions of RokRAT primarily targeted Windows systems, but this campaign demonstrates an expansion into Android environments, effectively creating a multi-platform threat. On Windows systems, BirdCall is capable of capturing screenshots, logging keystrokes, collecting clipboard data, executing shell commands, and gathering system information. It operates through a multistage loading process that begins with scripts written in languages such as Ruby or Python, with components encrypted using system-specific keys to evade detection. The malware also uses legitimate cloud storage services, including Dropbox and pCloud, for command-and-control (C2) communication, blending malicious traffic with normal network activity.

The Android variant of BirdCall, distributed through the compromised gaming platform, includes surveillance capabilities tailored for mobile devices. These features allow attackers to collect contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio recordings from infected devices. Analysis has identified multiple versions of the Android malware, with development activity traced back to October 2024. The compromised platform was found to host altered Android application packages (APKs) for specific games, while the Windows desktop client and iOS versions remained unaffected in direct downloads. However, separate findings indicate that a Windows update package previously delivered a trojanized dynamic-link library (DLL) that acted as a downloader for additional malicious payloads.

Further technical analysis revealed that the malicious Windows component included mechanisms to detect analysis environments, such as virtual machines or security tools, before proceeding with execution. Once active, it downloaded and executed shellcode linked to RokRAT, which then facilitated the installation of BirdCall on compromised systems. The Android version also relied on cloud-based services such as pCloud, Yandex Disk, and Zoho WorkDrive for maintaining communication with attacker-controlled infrastructure. Researchers noted that Zoho WorkDrive has increasingly appeared in multiple campaigns, suggesting its growing use in covert data exchange operations. The campaign highlights the continued evolution of supply chain attacks, where trusted software distribution channels are leveraged to deliver surveillance tools capable of collecting sensitive personal and organizational data across multiple platforms.
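Because BirdCall hides its C2 inside traffic to legitimate cloud storage services, one defensive angle is to hunt for contacts with those services' API hosts from processes that have no business making them (a script interpreter or rundll32 rather than the vendor's sync client or a browser). The following hunt is an added example written for this article, not ESET's tooling or anything from the campaign; the watchlist hostnames, the allowlist of expected processes and the pipe-delimited EDR-style events are all assumed or constructed and should be adapted to the environment.

```python
"""Hunt endpoint network telemetry for cloud-storage API contacts from unexpected processes."""
import re
from collections import defaultdict

# Assumed watchlist: API hostnames of the services the article names as BirdCall C2 channels.
CLOUD_C2_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Assumed allowlist: process names expected to reach these services in this environment.
EXPECTED_PROCESSES = {"dropbox.exe", "pcloud.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events: timestamp|hostname|process image path|destination host.
SAMPLE_EVENTS = """\
2025-01-14T09:02:11Z|ws-17|C:\\Program Files\\Dropbox\\Client\\Dropbox.exe|api.dropboxapi.com
2025-01-14T09:03:40Z|ws-17|C:\\Windows\\System32\\rundll32.exe|api.pcloud.com
2025-01-14T09:03:41Z|ws-17|C:\\Windows\\System32\\rundll32.exe|api.pcloud.com
2025-01-14T09:05:02Z|ws-22|C:\\Users\\u\\AppData\\Local\\Programs\\Python\\python.exe|cloud-api.yandex.net
2025-01-14T09:06:30Z|ws-22|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|workdrive.zoho.com
2025-01-14T09:07:10Z|ws-31|C:\\Games\\client\\update.exe|example.com
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<image>[^|]+)\|(?P<dest>[^|]+)$")


def parse_event(line):
    """Parse one pipe-delimited event; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text, watchlist=CLOUD_C2_HOSTS, expected=EXPECTED_PROCESSES):
    """Return (hostname, process, service, count) for watchlisted contacts from non-allowlisted processes."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        service = watchlist.get(ev["dest"].strip().lower())
        if service is None:
            continue  # not a cloud-storage API host we care about
        proc = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if proc in expected:
            continue  # vendor client or browser: expected traffic
        hits[(ev["host"], proc, service)] += 1
    return [(*key, count) for key, count in sorted(hits.items())]


if __name__ == "__main__":
    for host, proc, service, count in hunt(SAMPLE_EVENTS):
        print(f"{host}: {proc} contacted {service} API {count}x")
```

The two findings in the sample (rundll32 reaching pCloud, a Python interpreter reaching Yandex Disk) are the shape of lead a SOC would triage, not proof of BirdCall; tune the allowlist per site to keep the noise down.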
