ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

The North Korea-aligned hacking group ScarCruft has compromised the gaming platform sqgame.net to distribute the BirdCall backdoor, targeting ethnic Koreans in China through trojanized Windows and Android software.

Key Points

  • Researchers at ESET discovered the supply chain attack in October 2025, with malicious activity dating back to late 2024.
  • The campaign targets the Yanbian region, a high-risk transit point for North Korean defectors, using trojanized Android APKs and Windows DLLs.
  • BirdCall functions as a sophisticated backdoor capable of capturing screenshots, logging keystrokes, recording ambient audio, and stealing personal documents.
  • The malware utilizes legitimate cloud storage services, including Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive, for command-and-control communications.
  • While the Windows desktop client update is no longer malicious, the compromised Android games remain available for download on the platform.

Why it Matters

This campaign demonstrates a significant evolution in state-sponsored espionage by expanding surveillance capabilities across both Windows and Android mobile platforms. By targeting a niche gaming site used by vulnerable populations, the attackers have successfully weaponized a trusted supply chain to conduct long-term, multi-platform data theft.
Published by info@thehackernews.com (The Hacker News)