ScarCruft’s Supply Chain Attack: BirdCall Malware Targets Android and Windows Users
The North Korean state-sponsored hacking group known as ScarCruft has compromised a video game platform and embedded a backdoor named BirdCall in the games it distributes. The operation appears to be aimed at ethnic Koreans residing in China and marks a notable escalation in ScarCruft’s cyber operations.
Historically, ScarCruft’s malicious activities have predominantly targeted Windows users. However, this recent supply chain attack has expanded their reach to Android devices, transforming BirdCall into a multi-platform threat. According to cybersecurity firm ESET, the campaign specifically targeted sqgame[.]net, a gaming platform popular among ethnic Koreans in China’s Yanbian region, which borders North Korea and Russia. This area is notably a critical transit point for North Korean defectors crossing the Tumen River.
ESET’s senior malware researcher, Filip Jurčacko, revealed that the campaign was uncovered in October 2025. He noted that the compromised Android games remain available for download on the sqgame[.]net website. This deliberate targeting aligns with ScarCruft’s established pattern of focusing on North Korean defectors, human rights activists, and academic professionals.
The attack, believed to have begun in late 2024, compromised both the Windows and Android components of the gaming platform so that they ultimately delivered the BirdCall backdoor to users. ESET’s report, shared with The Hacker News prior to publication, documents this development.
BirdCall, an evolution of the RokRAT malware, has been in the wild since 2021. Over time, RokRAT has been ported to other operating systems, including macOS (as CloudMensis) and Android (as RambleOn), indicating ongoing maintenance and development by ScarCruft.
The BirdCall backdoor is equipped with typical espionage functionalities, such as capturing screenshots, logging keystrokes, stealing clipboard content, executing shell commands, and gathering data. Similar to RokRAT, BirdCall utilizes legitimate cloud services like Dropbox and pCloud for command-and-control (C2) communications.
ESET’s analysis indicates that BirdCall is typically deployed through a multi-stage loading process that begins with a Ruby or Python script, with later components encrypted under a key specific to the victim machine, so that the payload cannot simply be decrypted and detonated on another system.
The Android variant of BirdCall, distributed via the compromised sqgame[.]net platform, mirrors many features of its Windows counterpart. It collects contact lists, SMS messages, call logs, media files, documents, captures screenshots, and records ambient audio. Analysis of the malware’s evolution has identified seven versions, with the earliest dating back to October 2024.
Despite sharing a foundation with RokRAT and RambleOn, BirdCall is a distinct malware family. Both BirdCall and RambleOn disguise themselves as legitimate Android applications and use cloud storage services for data exfiltration, but they function as separate backdoors.
Notably, the supply chain attack on the website specifically targeted the Android APKs offered for download from the platform; the downloadable Windows desktop client and the iOS games were not modified (the Windows client’s update mechanism was abused separately, as described below). The download pages for two Android games hosted on sqgame[.]net were altered to serve the malicious APKs:
– sqgame.com[.]cn/ybht.apk
– sqgame.com[.]cn/sqybhs.apk
The exact timeline of the website’s breach and of the distribution of the compromised APKs remains unclear, though the incident is believed to have begun in late 2024. Evidence suggests that an update package for the Windows desktop client delivered a trojanized DLL from at least November 2024 for an unspecified period. At the time of writing, the update package is no longer malicious.
The modified DLL included a downloader that checks for analysis tools and virtual machine environments among running processes before downloading and executing shellcode containing RokRAT. The backdoor then fetches and installs BirdCall on the infected systems.
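The two loader traits described above, the process-list check for analysis tooling and a next stage encrypted under a key bound to the victim host, are illustrated below. This is an added example written for this page, not ESET’s analysis output or ScarCruft’s code; the tool blocklist, the identifier-based key derivation and the toy HMAC-counter cipher are all assumptions chosen for illustration, since the page does not describe BirdCall’s actual scheme. The point it makes is the practical one for responders: a blob recovered from a victim cannot be opened in a sandbox unless the same host identifiers are supplied.

```python
"""Constructed illustration of a host-bound, anti-analysis-gated loader stage.
Added example for this page; not code from ESET or from the BirdCall malware.
Key derivation and cipher are assumptions made for illustration only."""
import hashlib
import hmac

# Constructed blocklist of process names an anti-analysis check might look for.
ANALYSIS_TOOLS = frozenset({
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida.exe", "ida64.exe",
    "windbg.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
})


def analysis_tools_present(process_names, blocklist=ANALYSIS_TOOLS):
    """Return the (lower-cased) running process names that match the blocklist."""
    return {p.lower() for p in process_names if p.lower() in blocklist}


def host_bound_key(hostname: str, machine_guid: str) -> bytes:
    """Assumed derivation: SHA-256 over identifiers readable on the victim host.
    A sandbox with different identifiers derives a different key."""
    material = f"{hostname.lower()}|{machine_guid.lower()}".encode()
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over an 8-byte counter. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


STAGE_MAGIC = b"STG1"  # constructed marker so a wrong key is detectable


def seal_stage(plaintext: bytes, key: bytes) -> bytes:
    """Prefix the marker, then XOR with the keystream."""
    body = STAGE_MAGIC + plaintext
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


def open_stage(blob: bytes, key: bytes):
    """Decrypt; return None when the marker check fails (wrong host identifiers)."""
    body = bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))
    if not body.startswith(STAGE_MAGIC):
        return None
    return body[len(STAGE_MAGIC):]


# Constructed victim and sandbox identifiers, and a stand-in next stage.
VICTIM = ("DESKTOP-A1B2C3", "7f2c1e3a-0000-4000-8000-000000000001")
SANDBOX = ("SANDBOX-01", "11111111-2222-3333-4444-555555555555")
PAYLOAD = b"next-stage bytes (stand-in, not a real payload)"


def demo():
    """Seal under the victim's key, then attempt to open on both hosts."""
    blob = seal_stage(PAYLOAD, host_bound_key(*VICTIM))
    on_victim = open_stage(blob, host_bound_key(*VICTIM))
    in_sandbox = open_stage(blob, host_bound_key(*SANDBOX))
    return on_victim, in_sandbox


if __name__ == "__main__":
    victim_result, sandbox_result = demo()
    print("victim host :", victim_result)
    print("sandbox     :", sandbox_result)
    print("tools found :", analysis_tools_present(["explorer.exe", "x64dbg.exe", "VMToolsd.exe"]))
```

When triaging a sample of this shape, collect the host identifiers (hostname, machine GUID, volume serial or whatever the loader actually reads) from the victim system before imaging, or the encrypted stage will be unrecoverable.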
The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications, including pCloud, Yandex Disk, and Zoho WorkDrive. Zoho WorkDrive in particular has become increasingly common across multiple campaigns.
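Because both the Windows and Android backdoors hide their C2 inside legitimate cloud storage traffic (Dropbox and pCloud above, pCloud, Yandex Disk and Zoho WorkDrive here), the useful hunting signal is not the destination alone but which process is talking to it. The following is an added hunting example written for this page, not part of ESET’s report: it scans endpoint network telemetry for connections to those services from processes that are not expected clients. The log format, the allowlist and the log lines are constructed; the API hostnames are the services’ public endpoints as assumed here and should be extended with regional variants for a real deployment.

```python
"""Added hunting example: cloud-storage C2 from unexpected processes.
Not from ESET's report; log format, allowlist and sample lines are constructed."""
import csv
import io

# Public API/WebDAV hostnames of the services named on the page (assumed set;
# extend with regional variants such as other zohoapis.com domains).
CLOUD_C2_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "webdav.yandex.ru": "Yandex Disk",
    "www.zohoapis.com": "Zoho WorkDrive",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Processes that legitimately reach these services in the constructed fleet.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Path fragments that indicate a binary running from a user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def hunt(log_text: str):
    """Return one finding per connection to a cloud-storage host from a process
    outside the allowlist. Severity is raised when the binary runs from a
    user-writable path, which a trojanized update or dropped DLL typically would."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        service = CLOUD_C2_HOSTS.get(row["dest_host"].strip().lower())
        if service is None:
            continue
        process = row["process_name"].strip().lower()
        if process in EXPECTED_CLIENTS:
            continue
        path = row["process_path"].strip().lower()
        severity = "high" if any(frag in path for frag in USER_WRITABLE) else "medium"
        findings.append({
            "timestamp": row["timestamp"],
            "host": row["host"],
            "process": process,
            "path": row["process_path"],
            "dest": row["dest_host"],
            "service": service,
            "severity": severity,
        })
    return findings


# Constructed telemetry: one network connection per line.
SAMPLE_LOG = """timestamp,host,process_name,process_path,dest_host
2025-10-02T09:14:03Z,WS-017,dropbox.exe,C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe,api.dropboxapi.com
2025-10-02T09:14:21Z,WS-017,chrome.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,cloud-api.yandex.net
2025-10-02T09:15:40Z,WS-017,rundll32.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,api.pcloud.com
2025-10-02T09:16:02Z,WS-022,svchost.exe,C:\\Windows\\System32\\svchost.exe,www.zohoapis.com
2025-10-02T09:16:15Z,WS-022,outlook.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,outlook.office365.com
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['timestamp']} {f['host']} {f['process']} -> "
              f"{f['dest']} ({f['service']}) path={f['path']}")
```

The allowlist is the tuning knob: a fleet that runs the official pCloud or Yandex Disk sync clients must add them, otherwise every legitimate sync shows up as medium. Signed system binaries such as svchost.exe talking to a consumer storage API still deserve a look, since loaders frequently run inside a trusted host process.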
ESET’s report emphasizes that the Android backdoor has undergone active development, providing surveillance capabilities such as collecting personal data and documents, taking screenshots, and recording voice.