ScarCruft compromises gaming platform in a supply-chain attack

ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.

The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.

Key points of this blogpost:

  • North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.
  • The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.
  • Android games available on the gaming platform were trojanized to contain the Android version of the BirdCall backdoor – a new tool in ScarCruft’s arsenal.
  • The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.

ScarCruft profile

ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. The group also targets North Korean defectors, with the latest such activity presented in this blogpost.

BirdCall backdoor

Windows version

BirdCall is a Windows backdoor written in C++ that we discovered in 2021 and attributed to ScarCruft as part of the ESET Threat Intelligence reporting.

The backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key. The initial version of BirdCall was publicly described by South Korean vendors in 2021 as an advanced version of RokRAT (S2W, AhnLab).

Android version

The Android version of BirdCall, discovered in the attack that we describe in this blogpost, implements a subset of the commands and capabilities of the Windows backdoor – it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio.

Based on our research, Android BirdCall was actively developed over a span of several months. We identified seven versions, ranging from version 1.0 (created approximately in October 2024) to version 2.0 (created approximately in June 2025).

Discovery

Our investigation started with a suspicious APK file found on VirusTotal. Upon initial analysis, we determined that the APK is malicious and contains a backdoor.

Interestingly, the APK turned out to be a trojanized card game called 延边红十 (machine translation: Yanbian Red Ten), which we traced to its official website, https://www.sqgame[.]net. sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS. The players can compete in card and board games (see Figure 1) with friends or join organized tournaments.

Figure 1. Yanbian Red Ten game

Surprisingly, the APK available for download on the official website is the same as the APK we initially found on VirusTotal. Moreover, a second Android game (新画图, machine translation: New Drawing) available for download from sqgame was also trojanized with the same backdoor. Further analysis revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor.

The Windows desktop client link on the sqgame website leads to a few-years-old installer that appears to be clean. It does download updates once installed, but we did not identify any malicious code there during our analysis.

Investigating further in ESET telemetry, we identified a trojanized mono.dll library, originating from an update package for the desktop client. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period. At the time of writing, this update package was no longer malicious.

We also checked the iOS game available on the sqgame website and didn’t find any malicious code. We think that ScarCruft skipped this platform, since the trojanization and delivery of the app would be much more difficult compared to other platforms, possibly running into Apple’s review process.

Victimology

Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, we infer that the primary targets are ethnic Koreans living in Yanbian. Yanbian Korean Autonomous Prefecture is a region in China that borders North Korea and is home to the largest ethnic Korean community outside Korea.

In this context, we believe that it is probable that the attack was aimed at collecting information on individuals based in (or originating from) the Yanbian region and deemed of interest to the North Korean regime – most likely refugees or defectors.

Attack overview

Android

Two of the Android games available on the sqgame website were found to be trojanized to contain the BirdCall backdoor. The download page available at https://www.sqgame[.]net/games/gamedownload.aspx is shown in Figure 2, with download buttons for the two trojanized games highlighted in red. The third available Android game was clean at the time of our analysis.

Figure 2. Download page leading to trojanized games

We found evidence that the victims downloaded the trojanized games via a web browser on their devices and probably installed them intentionally. We have not found any other APK locations.

The malicious APKs were also not found on the official Google Play store.

The exact date of the website compromise and the beginning of the supply-chain attack remains unknown. However, based on our analysis of the malware, we believe it occurred in late 2024.

Table 1 displays the hosting URLs for the two trojanized APK files, along with the file hashes at the time of discovery. As of the writing of this blogpost, these malicious files were still accessible on the sqgame website. Despite notifying sqgame of the compromise in December 2025, we have not yet received a response.

Table 1. Malicious samples

| Time of discovery | URL | SHA-1 | Description |
|---|---|---|---|
| 2025-10 | http://sqgame.com[.]cn/ybht.apk | 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF | Trojanized game with the BirdCall backdoor. |
| 2025-10 | http://sqgame.com[.]cn/sqybhs.apk | FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 | Trojanized game with the BirdCall backdoor. |

Windows

Upon analysis, the Windows desktop client available on the sqgame website did not contain any malicious code. However, we later discovered a trojanized mono.dll library within an update package of the desktop client hosted at the URL http://xiazai.sqgame.com[.]cn/dating/20240429.zip. ESET telemetry indicates that this update package had been malicious since at least November 2024, but at the time of writing, it was no longer malicious.

ScarCruft manipulated a clean mono library by adding extra code and data with a downloader. This downloader checks for analysis tools and virtual machine environments in running processes and only proceeds if none are found. It then locates the sqgame client process and constructs a path to the mono library in its installation folder.

Subsequently, the downloader downloads and executes shellcode containing the RokRAT backdoor. Finally, it terminates the client process, downloads the original clean mono library, and replaces the trojanized one in the installed client folder. Both the payload and clean mono library are downloaded from compromised legitimate South Korean websites, following ScarCruft’s typical tactics, techniques, and procedures.

According to our telemetry, the RokRAT backdoor was used to download and install the BirdCall backdoor on the victimized machines.

Android BirdCall analysis

This section offers a technical analysis of the Android BirdCall backdoor, which is an Android version of the Windows backdoor written in C++. Internally, the backdoor is referred to as zhuagou, meaning “catching dogs” in Chinese.

Trojanized Android games

Android BirdCall is distributed through trojanized Android games. In the attack described, ScarCruft likely gained access to the sqgame website or server rather than the game’s source code. They recompiled or repackaged the original game APKs with added malicious code.

In the trojanized APKs, the entry point activity in the AndroidManifest.xml file is altered to execute the added malicious code before launching the game’s original entry activity.

The modified entry point activities in the analyzed samples were either com.example.zhuagou.SplashScreen or com.mob.util.MobSs in the latest sample. Changes in AndroidManifest.xml also include new activity and service definitions for the backdoor, along with additional permissions required for its operation. A comparison of packages between the original game and its trojanized version is depicted in Figure 3.

Figure 3. Package tree of the legitimate game (left) and its trojanized version (right)

Since the Android BirdCall backdoor is embedded in a trojanized Android app, it does not automatically activate after installation or device reboot; it requires user initiation.
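One way to check a decoded manifest for the entry-point swap and added permissions described above, as an added example (not ESET's or sqgame's code): it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the package name, original launcher activity and baseline permission set in the sample are made-up values that a defender would take from a known-good build of the game.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Entry-point activities observed in the trojanized samples described above.
KNOWN_BIRDCALL_ENTRY_POINTS = {"com.example.zhuagou.SplashScreen", "com.mob.util.MobSs"}

def launcher_activities(manifest_xml):
    """Fully qualified names of activities with a MAIN/LAUNCHER intent filter."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                name = activity.get(ANDROID_NS + "name", "")
                found.append(pkg + name if name.startswith(".") else name)  # ".Foo" means "<package>.Foo"
                break
    return found

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}

def check_manifest(manifest_xml, expected_launcher, baseline_permissions):
    """Compare a manifest with a known-good build; an empty list means no finding."""
    findings = []
    for act in launcher_activities(manifest_xml):
        if act in KNOWN_BIRDCALL_ENTRY_POINTS:
            findings.append(f"launcher activity {act} matches a known BirdCall entry point")
        elif act != expected_launcher:
            findings.append(f"launcher activity changed: expected {expected_launcher}, got {act}")
    added = declared_permissions(manifest_xml) - baseline_permissions
    if added:
        findings.append("permissions added: " + ", ".join(sorted(added)))
    return findings

# Constructed manifest modelled on the described modification; package name, original launcher and permissions are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name="com.example.zhuagou.SplashScreen">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

Run against the decoded manifest of a downloaded APK and the manifest of a trusted build, the same check also surfaces the extra activity and service definitions as a changed launcher or new permissions.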

Configuration

Android BirdCall comes with a default configuration that initializes on the first run. The configuration, in JSON format, is stored in a file and can be modified through backdoor commands. An example of a formatted configuration is presented in Figure 4.


```json
{
  "bi": "E823D451D636D0A0",
  "skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
  "si": "20251105141404",
  "rft": 20000,
  "fst": true,
  "kill": false,
  "log": true,
  "ctm": 10000,
  "scr": false,
  "rec": false,
  "cmd": 0,
  "data": 1,
  "bd_version": 37,
  "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
  "cloud": [
    {
      "ct": 9,
      "idx": 28,
      "cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
      "cst": "fa7ec5c8b050[redacted]",
      "rt": "1000.a7fc479e[redacted]",
      "at": "empty",
      "fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
      "dm": "",
      "use": 0
    },
    [redacted]
  ]
}
```

Figure 4. Android BirdCall configuration example

The bd_version entry in the configuration denotes the backdoor version, with the value 37 representing version 1.5.

The configuration file is stored in the app’s data directory with a device-specific path. Additionally, during the configuration initialization phase, the default configuration of cloud storage drives hardcoded in the sample can be overridden by an external source. If accessible, the backdoor will download a JPG image containing an encrypted cloud configuration embedded in its overlay. Typically, the image is hosted on a compromised South Korean website.
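An added triage helper (not ESET's code) that parses a recovered configuration in the Figure 4 format and scopes which files on shared storage match the configured extension list; the bd_version mapping contains only the pair stated above, and reading scr and rec as the screenshot and recording switches is an assumption from the field names.

```python
import json
import posixpath

KNOWN_VERSIONS = {37: "1.5"}  # the only bd_version mapping stated in the analysis

def parse_extensions(value):
    """Split the ';'-separated list. The sample ends with ';' (empty last item) and
    matching must be case-insensitive, so normalise before comparing."""
    return sorted({e.strip().lower() for e in value.split(";") if e.strip()})

def summarize_config(text):
    """Condense a recovered configuration into the facts an analyst needs first."""
    cfg = json.loads(text)
    ver = cfg.get("bd_version")
    return {
        "version": KNOWN_VERSIONS.get(ver, f"unknown (bd_version={ver})"),
        "extensions": parse_extensions(cfg.get("extentions", "")),  # key is misspelt in the malware
        # scr/rec are read as the screenshot and audio-recording switches (assumption from the names)
        "screenshots": bool(cfg.get("scr")),
        "audio_recording": bool(cfg.get("rec")),
        "cloud_accounts": len(cfg.get("cloud", [])),
    }

def files_of_interest(paths, extensions):
    """Which of the given paths match the configured extensions, i.e. what the
    backdoor would select from shared storage; used to scope possible exfiltration."""
    wanted = set(extensions)
    return [p for p in paths if posixpath.splitext(p)[1].lower() in wanted]

# Constructed from the redacted values in Figure 4; the cloud entry is trimmed to a few fields.
SAMPLE_CONFIG = """{
  "bi": "E823D451D636D0A0", "si": "20251105141404", "scr": false, "rec": false,
  "bd_version": 37,
  "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
  "cloud": [{"ct": 9, "idx": 28, "cid": "1000.2IGB56IS1FHQ1V332R[redacted]", "use": 0}]
}"""
```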

C&C communication

Android BirdCall utilizes cloud storage drives for C&C communication, similar to the Windows version. In the analyzed samples, three cloud providers are supported: pCloud, Yandex Disk, and Zoho WorkDrive, with only Zoho WorkDrive being utilized. The backdoor communicates via HTTPS, sending requests to API endpoints of the respective provider using the okhttp3 library.

During our investigation, we identified 12 Zoho WorkDrive accounts used by the Android BirdCall backdoor for C&C activities. Details of the associated accounts are presented in Table 2.

Table 2. Android BirdCall Zoho WorkDrive accounts

Capabilities

Android BirdCall includes an update mechanism where a newer version can be loaded from an update file, typically in the form of an APK in the app data directory. The download is triggered via the command MP_SEND_FILE.

After the optional update process, the original game activity is initiated to avoid raising suspicion. Subsequently, the backdoor checks for an internet connection before proceeding with its main operations.

Data collection

Upon the initial run, the backdoor retrieves a full directory listing of the device’s primary shared external storage and user data such as contact list, call log, and SMS messages.

The backdoor periodically communicates with the C&C server and uploads basic information, including identifier values, battery temperature, RAM and storage details, cloud configuration, backdoor version, file extensions of interest, IP geolocation information, and additional device, network, and application information.

The backdoor can also periodically capture screenshots and, in some versions, record audio via the microphone for a limited time period in the evening. It searches for specific file extensions on the shared external storage for exfiltration, targeting media files, documents, and private keys.

Commands

Android BirdCall checks the cloud storage drive for commands issued for the victim. Decrypted commands begin with the magic DWORD 0x2A7B4C33, matching the Windows version of BirdCall. The commands may have zero or more parameters based on their type. Table 3 provides an overview of supported commands with descriptions for both platforms, noting that the Android version implements only a subset of commands available on Windows.

If you have any questions or are interested in our research, please contact us at threatintel@eset.com. ESET Research also provides private APT intelligence reports and data feeds.
