
ScarCruft Compromises Gaming Platform: A Deep Dive into the BirdCall Malware Attack
May 6, 2026
On May 5, 2026, a significant escalation in state-sponsored cyber activity was revealed as researchers uncovered a sophisticated supply chain attack orchestrated by the North Korean threat group ScarCruft (also known as APT37). By compromising a niche gaming platform, the group successfully distributed a new backdoor, dubbed BirdCall, targeting both Windows and Android users. This operation highlights a growing trend of “watering hole” and supply chain attacks aimed at specific demographic groups.
The Target: sqgame[.]net and the Yanbian Connection
The epicenter of this breach was the gaming platform sqgame[.]net. This site is not a global giant like Steam, but rather a specialized portal catering to ethnic Koreans, particularly those residing in the Yanbian region of China.
- Strategic Geography: The Yanbian Korean Autonomous Prefecture borders North Korea and Russia, making it a hub for North Korean defectors and those involved in cross-border trade.
- Demographic Targeting: By poisoning this specific platform, ScarCruft ensured their malware reached individuals of high interest to the North Korean state, including activists and defectors.
- Long-term Persistence: Evidence suggests that the platform’s infrastructure was compromised as early as late 2024, allowing the hackers to maintain a “sleeper” presence before activating the wider BirdCall deployment.
Unveiling BirdCall: The Next Generation of Backdoors
The malware at the heart of this campaign, BirdCall, represents a significant technical evolution from ScarCruft’s previous toolkit. While the group is well-known for its RokRAT malware, BirdCall introduces new layers of stealth and cross-platform capability.
Windows Exploitation and Architecture
On Windows systems, the attack was delivered through trojanized software updates. The hackers replaced a legitimate library, mono.dll, within the game’s desktop client with a malicious version.
- Initial Execution: Once the user updates their game client, the malicious DLL is loaded into memory, initiating the BirdCall infection without triggering traditional antivirus warnings.
- Stealth Mechanisms: BirdCall uses “API unhooking”, removing the user-mode hooks that security products place on Windows API functions in order to monitor calls, so that standard Endpoint Detection and Response (EDR) tools see almost none of its activity.
- Information Harvesting: On Windows, the backdoor is capable of logging keystrokes, capturing high-resolution screenshots, and exfiltrating local files.
The Android Pivot: Targeting Mobile Users
In a notable shift, ScarCruft also targeted the platform’s mobile users. At least two Android games hosted on the site were found to be repackaged with the BirdCall backdoor.
- Repackaging vs. Source Code Access: The hackers did not need the original game’s source code. Instead, they took the existing APK (Android Package) files, decompiled them, inserted the BirdCall code, and re-signed them.
- Mobile Espionage: The Android variant of BirdCall is particularly invasive, requesting permissions to record ambient audio through the microphone, read SMS messages, and track GPS location data in real time.
- Data Exfiltration: On mobile devices, the malware prioritizes the theft of contact lists and call logs, which are used to map out the social networks of the targets.
Infrastructure and Command-and-Control (C2)
A hallmark of ScarCruft’s operations is the use of legitimate cloud services for Command-and-Control (C2) communication. BirdCall continues this tradition but expands the roster of abused services.
- Abusing the Cloud: The malware communicates with its operators via legitimate platforms like Dropbox, pCloud, and Yandex Disk.
- Traffic Blending: By using these services, the malicious data transfers look like normal encrypted web traffic to network monitors, making the breach extremely difficult to detect at the perimeter.
- Dynamic Updating: The C2 infrastructure allows the hackers to push “plug-ins” to the infected devices, granting them new capabilities on the fly based on the value of the specific target.
Who is ScarCruft? Understanding APT37
ScarCruft, also tracked as APT37, InkySquid, and Reaper, is a state-sponsored threat group operating on behalf of the North Korean government, specifically under the Ministry of State Security.
- Primary Objective: Unlike the Lazarus Group, which often focuses on financial gain, ScarCruft’s primary mission is political and social espionage.
- Specialization in Human Rights: The group frequently targets North Korean defectors, journalists, and human rights activists who focus on the peninsula.
- Technological Sophistication: This attack on a gaming platform shows they are moving beyond simple phishing emails toward complex supply chain compromises that require significant planning and technical skill.
Mitigation and Defense Strategies
Given the stealthy nature of supply chain attacks, traditional defenses are often insufficient. Cybersecurity agencies have recommended several steps for users of niche or localized software platforms:
- Verify Digital Signatures: Always check the digital signature of software updates. If a signature from a trusted vendor is missing or invalid, do not proceed with the installation.
- Monitor Cloud Traffic: Organizations should monitor for unusual or high-volume traffic to cloud storage sites like pCloud or Dropbox from devices that do not typically use them.
- App Permissions: On Android, users should be wary of games that request access to sensitive functions like the microphone or SMS logs if they are not necessary for the game’s functionality.
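One way to implement the cloud traffic check above against the services the article names as BirdCall C2 channels (Dropbox, pCloud, Yandex Disk), as an added example that is not part of the original article: it baselines which cloud storage services each host normally talks to from proxy logs, then flags hosts that start using a service after the baseline window or that push a single unusually large upload. The log format, host names, byte counts and the 10 MB threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cloud storage services the article reports BirdCall abusing for C2.
# Subdomains (e.g. api.pcloud.com) are matched by suffix below.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "pcloud.com": "pCloud",
    "disk.yandex.com": "Yandex Disk",
    "disk.yandex.ru": "Yandex Disk",
}

# Constructed proxy log lines (not real data): timestamp host dst_domain bytes_out
SAMPLE_LOG = """\
2026-05-01T09:00:00 ws-fin-01 dropbox.com 120000
2026-05-01T10:00:00 ws-fin-01 dropbox.com 90000
2026-05-04T09:00:00 ws-dev-07 api.pcloud.com 4096
2026-05-04T09:05:00 ws-dev-07 api.pcloud.com 52428800
2026-05-04T09:10:00 ws-dev-07 api.pcloud.com 6144
2026-05-04T11:00:00 ws-fin-01 dropbox.com 100000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def cloud_service(domain):
    """Map a destination domain (or subdomain) to a known cloud storage service, else None."""
    for suffix, name in CLOUD_STORAGE_DOMAINS.items():
        if domain == suffix or domain.endswith("." + suffix):
            return name
    return None

def find_cloud_anomalies(log_text, baseline_until, volume_threshold=10 * 1024 * 1024):
    """Return (host, service, reason) alerts. Traffic up to baseline_until (ISO 8601)
    establishes which services each host normally uses; afterwards, a host using a
    service for the first time or sending more than volume_threshold bytes at once is flagged."""
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = defaultdict(set)  # host -> services seen during the baseline window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, host, domain, bytes_out = m.groups()
        service = cloud_service(domain)
        if service is None:
            continue
        if datetime.fromisoformat(ts) <= cutoff:
            baseline[host].add(service)
            continue
        if service not in baseline[host]:
            alerts.append((host, service, "first-seen"))
            baseline[host].add(service)  # alert only once per host/service pair
        if int(bytes_out) > volume_threshold:
            alerts.append((host, service, "high-volume"))
    return alerts
```

In the sample, ws-fin-01 used Dropbox during the baseline and is left alone, while ws-dev-07 is flagged twice: once for touching pCloud for the first time and once for a 50 MB upload.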
Frequently Asked Questions (FAQs)
1. What is the BirdCall malware?
BirdCall is a sophisticated backdoor malware used by the ScarCruft hacking group to spy on victims. It is capable of stealing files, recording audio, and capturing keystrokes on both Windows and Android devices.
2. How was the malware distributed?
The malware was distributed through a supply chain attack on the website sqgame[.]net. Hackers infected legitimate game updates and Android apps hosted on the site, so users thought they were downloading safe software.
3. Is this a global threat?
While the malware is highly dangerous, the campaign was specifically targeted at ethnic Koreans in the Yanbian region of China. However, the techniques used (supply chain poisoning) could be applied to any software platform globally.
4. How can I tell if my Android phone is infected?
Check for games downloaded from third-party sites that have unusual permissions. If a simple game is asking for your contact list, SMS access, and microphone use, it may be trojanized. It is recommended to uninstall such apps immediately.
5. Who is behind the ScarCruft group?
ScarCruft is a state-sponsored hacking unit linked to the North Korean government. They are primarily tasked with surveillance and intelligence gathering on political targets and defectors.