The North Korea–linked group ScarCruft carried out a targeted supply-chain attack against the gaming platform sqgame[.]net, popular among ethnic Koreans in China’s Yanbian region, by replacing its Windows and Android components with the BirdCall spyware backdoor. The incident extends what was previously a desktop-only espionage platform into a multi‑platform one (Windows and Android) and creates a direct risk for North Korean defectors and their associated networks; all sqgame users should immediately remove Android games installed from outside official stores and check their systems for signs of compromise.
Technical details of the attack
According to research published by ESET, starting at least in late 2024 ScarCruft was secretly modifying legitimate components of the sqgame[.]net gaming platform, used in Yanbian — a Chinese region bordering North Korea and Russia that is known as one of the main transit routes for escapees from the DPRK. The choice of target fits well with ScarCruft’s traditional focus on defectors, human rights activists, and the academic community.
Windows infection chain
For desktop systems, the update chain of the sqgame client for Windows was compromised. ESET observed that at least since November 2024 the official update package had been delivering a modified DLL that acted as a loader:
- the DLL is launched when the desktop client is updated or running;
- it checks the list of running processes for analysis tools and signs of a virtual machine;
- if no “suspicious” processes are found, it downloads and executes shellcode containing the RokRAT family;
- RokRAT was used as an intermediate layer to download and install the newer BirdCall backdoor on the compromised host.
Thus BirdCall is integrated into ScarCruft’s existing tool ecosystem: it evolved out of RokRAT, which is known as multi‑platform spyware with variants for Windows, for macOS (CloudMensis), and for Android (RambleOn).
On Windows, BirdCall supports the functionality typical of an advanced backdoor:
- taking screenshots;
- keylogging;
- stealing clipboard contents;
- executing arbitrary shell commands;
- collecting system and user information.
The command‑and‑control (C2) infrastructure for the Windows versions of BirdCall and RokRAT is built on top of legitimate cloud services, including Dropbox and pCloud, which aligns with the technique of using public web services for command and data exfiltration described in MITRE ATT&CK T1567.002 (Exfiltration to Cloud Storage).
Deployment of BirdCall on Windows occurs through a multi‑stage chain: the initial stage is a Ruby or Python script, followed by a sequence of encrypted components whose keys are tied to a specific machine. This complicates analysis and prevents easy reuse of artifacts on other hosts.
Supply-chain attack on Android
The most notable part of the campaign is the move of BirdCall onto mobile devices. ESET discovered that:
- only the Android APKs available for download from sqgame[.]net had been replaced;
- the current Windows desktop client and iOS games did not contain malicious code at the time of analysis;
- the download pages of two Android games were modified to distribute trojanized APK files.
The Android variant of BirdCall implements a subset of the Windows backdoor’s capabilities, but with a focus on pervasive surveillance of the device owner:
- collecting the contact list;
- stealing SMS messages and call logs;
- exfiltrating media files and documents;
- taking screenshots;
- recording ambient audio.
For Android C2, several cloud services are used — pCloud, Yandex Disk, and Zoho WorkDrive — which increases the campaign’s resilience and makes detection based on a single cloud provider more difficult. Analysis of the Android backdoor’s evolution revealed seven versions, with the first dating back to October 2024, indicating active and rapid development of the tool.
Key artifacts and high-level IOCs
- Platform domain: sqgame[.]net (compromised within the supply chain; the domain itself is not necessarily still malicious at the time of reading).
- C2 channels (all via legitimate services):
  - Dropbox — Windows variant;
  - pCloud — Windows and Android;
  - Yandex Disk — Android;
  - Zoho WorkDrive — Android.
Exact IP addresses and hash values are not provided in the public description of the campaign; defenses should therefore be based on behavioral and contextual analysis.
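With no hashes or IP addresses to match on, one behavioural check a SOC can run is to look for processes other than browsers and the official sync clients contacting the cloud-storage providers listed above. The Python script below is an added example, not code from the ESET report or from any vendor tool: it parses a constructed, hypothetical proxy/EDR network export that carries per-process attribution, and aggregates outbound bytes per unexpected process and provider. The domain-to-provider mapping, the expected-client list and the process names in the sample are assumptions to be adapted to your own environment.

```python
"""
Behavioural detection of cloud-storage traffic from unexpected processes.

Added example, not part of the original report. The input is a constructed,
hypothetical endpoint network export with whitespace-separated fields:
  timestamp host process destination_fqdn bytes_out
Real products (EDR network telemetry, a proxy with process attribution)
need their own field mapping in parse_line().
"""
from collections import defaultdict
from dataclasses import dataclass

# Providers the report names as BirdCall/RokRAT C2 channels. The domains are
# assumed endpoints; a subdomain of any key matches (api., content., ...).
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "pcloud.com": "pCloud",
    "disk.yandex.ru": "Yandex Disk",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Processes for which talking to these providers is expected (assumed list).
# Anything else (games, updaters, scripting runtimes) is reported.
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "dropbox.exe", "pcloud.exe", "yandexdisk2.exe",
}

@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    process: str
    destination: str
    bytes_out: int

def provider_for(fqdn):
    """Return the provider name if fqdn equals or is under a known domain."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_STORAGE_DOMAINS:
            return CLOUD_STORAGE_DOMAINS[candidate]
    return None

def parse_line(line):
    """Parse one log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Event(parts[0], parts[1], parts[2].lower(), parts[3], int(parts[4]))
    except ValueError:
        return None

def detect(lines):
    """Return {(host, process): {provider: total_bytes_out}} for processes
    outside EXPECTED_CLIENTS that contacted a cloud-storage provider."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        provider = provider_for(ev.destination)
        if provider is None or ev.process in EXPECTED_CLIENTS:
            continue
        findings[(ev.host, ev.process)][provider] += ev.bytes_out
    return {key: dict(per_provider) for key, per_provider in findings.items()}

# Constructed sample telemetry; host and process names are hypothetical.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z WS-17 chrome.exe www.dropbox.com 1834
2025-01-14T09:02:40Z WS-17 sqgame.exe api.pcloud.com 52211
2025-01-14T09:03:05Z WS-17 ruby.exe content.dropboxapi.com 4096
2025-01-14T09:03:07Z WS-17 sqgame.exe cloud-api.yandex.net 98120
2025-01-14T09:04:00Z WS-22 dropbox.exe content.dropboxapi.com 230000
2025-01-14T09:04:30Z WS-22 updater.exe workdrive.zoho.com 17711
garbage line
"""

if __name__ == "__main__":
    for (host, proc), per_provider in sorted(detect(SAMPLE_LOG.splitlines()).items()):
        print(f"{host} {proc}: {per_provider}")
```

The browser and the official Dropbox client drop out as expected; the game process, the Ruby runtime (the report describes a Ruby or Python script as the first BirdCall stage) and an unknown updater are what remain, with byte counts that make it easy to prioritise the hosts with the largest uploads. Extend EXPECTED_CLIENTS cautiously: an allow-list that includes every process ever seen talking to Dropbox defeats the purpose.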
Threat context: ScarCruft and toolkit evolution
ScarCruft is a long‑tracked espionage group associated with the DPRK and focused on Korean‑language targets. The group’s profile matches the description of G0067 in MITRE ATT&CK, which highlights its interest in North Korean defectors and related organizations.
The campaign against sqgame[.]net logically continues this line: the platform serves the Korean diaspora in Yanbian, and the region acts as a “bottleneck” for many escape routes from the DPRK. Compromising such a service gives ScarCruft the ability to:
- identify users from the target group (including potential defectors and their intermediaries);
- gain access to their communications and social graphs via the Android backdoor;
- build long‑term surveillance by using desktop clients for additional control.
From a technical standpoint, the campaign combines several tactics from MITRE ATT&CK:
- software supply-chain compromise — see T1195 (Supply Chain Compromise);
- use of cloud services for C2 and exfiltration (T1567.002);
- evasion of analysis by checking for security tools and virtual machines on the host before loading the main payload.
The evolution from RokRAT to BirdCall, along with related branches CloudMensis (macOS) and RambleOn (Android), points to a mature, centrally developed toolkit rather than a one‑off piece of malware. Adding a supply‑chain vector through a locally popular gaming service is a logical step toward more reliable delivery of these tools into a tightly defined region and language group.
Impact assessment
The highest‑risk groups are:
- ethnic Koreans living in Yanbian who use sqgame[.]net, especially those who installed Android games from APK files;
- individuals and organizations involved in assisting North Korean defectors or maintaining ties with Yanbian;
- entities using workstations with the sqgame desktop client installed and allowing updates without integrity verification.
Potential consequences include:
- threats to physical safety: deanonymization of defectors and intermediaries may lead to persecution of them and their family members;
- communications compromise: interception of SMS, calls, chats, and documents gives attackers a full picture of the victim’s social and financial ties;
- long‑term cyber‑espionage foothold: the combination of desktop and mobile backdoors allows ScarCruft to maintain a persistent presence within the diaspora environment and monitor migration routes;
- secondary incidents: compromised user devices can become entry points for attacks against human rights organizations, NGOs, and universities with which they interact.
For organizations working with the Korean diaspora or in Yanbian, the risk is not only technical but also political and security‑related: leaks of personal data and communications can have consequences at the state level.
Practical recommendations
For individual users and the diaspora
- Immediately delete all Android games downloaded from sqgame[.]net (not from Google Play or other official stores).
- Run a full scan of the device with a mobile antivirus from a major vendor; if there is any suspicion, perform a factory reset and then reinstall apps selectively.
- Review app permissions: if games or non‑system apps have access to SMS, call logs, the microphone, or contacts, uninstall them.
- Change passwords for all critical accounts (messengers, email, social networks, banking services) from a device that is known not to be associated with sqgame.
- Where possible, avoid installing APKs manually and use only official app stores.
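The two checks above that matter most for an Android device, whether an app was installed from outside Google Play and whether it holds SMS, call-log, contact or microphone permissions, can both be read from the output of `adb shell dumpsys package`. The Python script below is an added example, not from the ESET report or any sqgame software: it parses that dump (a constructed sample is embedded; pipe a real dump in on stdin) and lists packages that are sideloaded or hold surveillance-capable permissions. The dump layout is reproduced from memory and varies between Android versions, so the parser is deliberately tolerant; the package names are hypothetical, not indicators from the report.

```python
"""
Audit Android packages for sideloading and surveillance-capable permissions.

Added example, not from the original report. Usage:
  adb shell dumpsys package | python audit_packages.py
or run without input to process the constructed sample below.
"""
import re
import sys

# Permissions matching the Android BirdCall capabilities described in the
# report: SMS, call logs, contacts, media/documents and ambient audio.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES", "android.permission.READ_MEDIA_VIDEO",
}

# Installer packages treated as official; anything else, or none, is sideloaded.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Line shapes assumed from dumpsys output (tolerant of leading whitespace).
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=([\w.]+)")

def parse_dumpsys(text):
    """Return {package: {"granted": set(permissions), "installer": str|None}}."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = {"granted": set(), "installer": None}
            continue
        if current is None:
            continue
        m = INSTALLER_RE.match(line)
        if m:
            packages[current]["installer"] = m.group(1)
            continue
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            packages[current]["granted"].add(m.group(1))
    return packages

def audit(text, allowlist=frozenset()):
    """Return {package: {"sideloaded": bool, "risky_permissions": [...]}} for
    packages that are sideloaded or hold surveillance permissions. Packages
    in allowlist (e.g. the default SMS and dialer apps) are skipped."""
    report = {}
    for pkg, info in parse_dumpsys(text).items():
        if pkg in allowlist:
            continue
        risky = sorted(info["granted"] & SURVEILLANCE_PERMISSIONS)
        sideloaded = info["installer"] not in OFFICIAL_INSTALLERS
        if risky or sideloaded:
            report[pkg] = {"sideloaded": sideloaded, "risky_permissions": risky}
    return report

# Constructed sample dump; package names are hypothetical.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.cardgame] (3f2a1b):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.weather] (9c0d4e):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.messenger] (77aa12):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for pkg, finding in sorted(audit(text).items()):
        print(pkg, finding)
```

A game that was sideloaded and holds contact, SMS and microphone permissions is exactly the profile the recommendations above say to uninstall; a Play-installed messenger with SMS access is expected and belongs in the allowlist. The weather app shows the negative case: official installer, no surveillance permission, no finding.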
For organizations, SOCs, and security teams
- Asset inventory:
  - determine whether sqgame desktop clients or Android apps obtained from external sources are used in the organization;
  - check the list of installed software on workstations and corporate mobile devices.
- Network monitoring:
  - configure monitoring and logging of access to Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive from client devices for which such behavior is atypical (especially from gaming apps);
  - separately analyze outbound connections from game clients and software that users classify as “entertainment.”
- Hunting for compromise on Windows:
  - review the update history of the sqgame desktop client and associated DLL files for signature mismatches and anomalous changes;
  - look for scenarios where Ruby or Python scripts launch non‑standard executables or download encrypted blobs from the network;
  - deploy EDR/IDS rules to detect processes that, before loading executable code, check for analysis tools and signs of a virtual machine.
- Mobile security:
  - restrict the ability to install apps from unknown sources on corporate Android devices;
  - enforce mandatory app permission reviews in MDM policies;
  - perform spot audits of apps that request access to the microphone, SMS, and contacts but do not need it for business reasons (for example, games).
- User awareness:
  - specifically inform employees and partners from the Korean diaspora about the risks of installing games and apps from local or unofficial sources;
  - explain that messages, calls, and documents on a phone associated with high‑risk migration routes may be of interest to state intelligence services.
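The Windows hunting step above ("anomalous changes" to the client's DLL files) presupposes a known-good baseline to compare against, which is exactly what the Windows victims lacked when the update channel started shipping a modified DLL. The Python script below is an added example, not from the ESET report or the sqgame project: it hashes every binary under an install directory into a JSON manifest and reports files that were added, modified or removed since the baseline. The install path of the real client is not given in the report, so the demo builds a constructed directory layout in a temporary folder and simulates an update that swaps one DLL and drops a new one.

```python
"""
Integrity baseline and diff for a desktop client's install directory.

Added example, not from the original report or the sqgame project. Point
build_manifest() at the real install folder (path not given in the report)
while the client is known good, save the result, and re-run after every update.
"""
import hashlib
import json
import os
import tempfile

HASH_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx"}  # binaries worth tracking

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, extensions=HASH_EXTENSIONS):
    """Map relative path (forward slashes) -> SHA-256 for tracked binaries under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def diff_manifests(baseline, current):
    """Return {'added': [...], 'modified': [...], 'removed': [...]}, each sorted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def _write(root, rel, data):
    """Helper for the constructed demo: create a file with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a fake client directory, apply a fake
    update that replaces one DLL and adds another, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "client.exe", b"original launcher")
        _write(root, "lib/net.dll", b"original network library")
        _write(root, "config.ini", b"[game]\nlang=ko\n")  # not a tracked extension
        baseline_path = os.path.join(root, "baseline.json")  # .json is not tracked
        save_manifest(build_manifest(root), baseline_path)

        # Simulated update: net.dll content changes, a new DLL appears.
        _write(root, "lib/net.dll", b"modified network library")
        _write(root, "lib/update_helper.dll", b"new dll shipped by the update")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A changed or newly added DLL is not proof of compromise on its own, since legitimate updates change files too; the point is to turn a silent update into a reviewable list, so that each entry can then be checked for a valid Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) and for whether the vendor actually announced that update.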
The top priority for potentially affected parties is to quickly inventory any apps and clients associated with sqgame[.]net, remove Android games installed from APKs, and implement monitoring of network traffic to cloud storage services in order to promptly detect and block activity by BirdCall and related ScarCruft tools.