North Korean Hackers ScarCruft Breach Gaming Platform with Windows and Android Backdoors in Supply Chain Attack

ScarCruft’s Covert Infiltration: Gaming Platform Compromised with Windows and Android Backdoors

In a sophisticated cyber espionage campaign, the North Korean-affiliated threat group ScarCruft has executed a supply chain attack targeting a video gaming platform popular among ethnic Koreans in China’s Yanbian region. This operation involved embedding backdoors into both Windows and Android versions of the platform’s games, transforming trusted applications into tools for clandestine data collection.

Targeted Platform and Methodology

The focal point of this attack is sqgame, a service offering traditional Yanbian-themed card and board games accessible on Windows, Android, and iOS devices. Rather than compromising the game’s source code directly, ScarCruft infiltrated the platform’s web server. They repackaged the original Android game files to include malicious code, specifically the BirdCall backdoor. Two Android games available on the sqgame website were altered to carry this backdoor, while the Windows client was compromised through a malicious update package. Notably, the iOS version remained unaffected, likely due to Apple’s stringent review processes that pose challenges for such tampering.

Discovery and Attribution

ESET researchers, publishing on WeLiveSecurity, uncovered the full extent of this multiplatform supply chain attack and attributed it to ScarCruft with high confidence. Their investigation revealed that the Android variant of BirdCall is a new addition to ScarCruft’s toolkit, marking the first public analysis of this version. ESET telemetry indicates that the malicious Windows update has been active since at least November 2024, initially delivering the RokRAT backdoor, which subsequently deployed the more advanced BirdCall backdoor onto compromised systems.

ScarCruft’s Profile and Objectives

Active since at least 2012, ScarCruft—also known as APT37 or Reaper—is widely recognized as a North Korean state-sponsored espionage group. Their primary focus has been on South Korea, but their operations have extended to other Asian countries, targeting government entities, military organizations, and industries aligned with North Korean interests. The Yanbian region, bordering North Korea and home to the largest ethnic Korean community outside the peninsula, aligns with ScarCruft’s targeting patterns, especially given its significance as a transit point for defectors. ESET notified sqgame of the compromise in December 2025; however, as of the time of publication, no response had been received.

Mechanics of the BirdCall Backdoor

The Android variant of BirdCall, internally referred to as zhuagou (Chinese for “catching dogs”), propagates through trojanized game packages hosted on the sqgame website. In these modified APKs, the AndroidManifest.xml file is altered to redirect the app’s startup process to the backdoor’s code. When a user launches the game, the backdoor runs silently in the background before handing control back to the legitimate game, effectively concealing the infection.

Upon its initial execution, the backdoor performs the following actions:

– Data Collection: It compiles a comprehensive directory listing of shared storage and extracts the user’s contacts, call logs, and SMS messages.

– Command and Control Communication: The backdoor connects to cloud storage services, such as pCloud and Yandex, to receive commands and exfiltrate collected data.

– Persistence Mechanisms: To maintain its presence on the device, the backdoor employs several persistence techniques, including registering as a device administrator and abusing accessibility services.
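The manifest tampering, the data-access permissions and the persistence hooks described above all leave traces in AndroidManifest.xml, so a defender who holds the developer’s known-good build can triage a suspect APK by diffing its manifest against expectations. The script below is an added example, not code from ESET or the sqgame project: it assumes the manifest has already been decoded from binary XML to plain text (for instance with apktool), and every package, class and component name in the embedded sample manifests is constructed for the illustration.

```python
"""Triage a decoded AndroidManifest.xml for the tampering pattern described
in the article: startup redirected to an unexpected class, persistence hooks
(device-admin receiver, accessibility service) and data-access permissions a
card game has no reason to request.

Assumes the manifest was decoded to plain XML beforehand (e.g. with apktool).
All package/class names below are constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions covering the data the Android backdoor is reported to collect.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
}

# Components used for persistence are declared with these bind permissions.
PERSISTENCE_BIND = {
    "android.permission.BIND_DEVICE_ADMIN": "device-admin receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}


def launcher_activities(app):
    """Return android:name of every activity carrying a MAIN/LAUNCHER filter."""
    found = []
    for act in app.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {a.get(NAME) for a in filt.iter("action")}
            cats = {c.get(NAME) for c in filt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                found.append(act.get(NAME))
    return found


def triage_manifest(xml_text, expected_app_class, expected_launcher):
    """Compare a manifest with the known-good build and list every deviation."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []

    # 1. Startup redirection: the Application subclass runs before any activity,
    #    and the launcher activity is the first UI entry point; both are where
    #    a repackaged APK hooks itself in.
    app_class = app.get(NAME)
    if app_class != expected_app_class:
        findings.append(f"application class changed: {app_class!r} "
                        f"(expected {expected_app_class!r})")
    launchers = launcher_activities(app)
    if launchers != [expected_launcher]:
        findings.append(f"launcher activity changed: {launchers} "
                        f"(expected [{expected_launcher!r}])")

    # 2. Data-access permissions a card game does not need.
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm in sorted(requested & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive permission requested: {perm}")

    # 3. Persistence hooks: receivers/services bound with device-admin or
    #    accessibility permissions.
    for comp in list(app.iter("receiver")) + list(app.iter("service")):
        kind = PERSISTENCE_BIND.get(comp.get(PERMISSION))
        if kind:
            findings.append(f"{kind} declared: {comp.get(NAME)}")
    return findings


# Constructed sample: the developer's clean manifest.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name="com.example.cardgame.GameApp">
    <activity android:name="com.example.cardgame.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed sample: the same app repackaged with a backdoor Application
# class, extra permissions and persistence components.
TROJANIZED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:name="com.example.cardgame.HiddenApp">
    <activity android:name="com.example.cardgame.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.cardgame.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name="com.example.cardgame.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("trojanized", TROJANIZED_MANIFEST)):
        result = triage_manifest(text, "com.example.cardgame.GameApp",
                                 "com.example.cardgame.MainActivity")
        print(f"{label}: {result or 'no deviations'}")
```

The expected application class and launcher activity come from the developer’s release build, not from the suspect APK, so the comparison is only as good as that reference; the permission and bind-permission checks, by contrast, need no reference and are worth running on any game client.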

Implications and Recommendations

This incident underscores the evolving tactics of state-sponsored threat actors like ScarCruft, who are increasingly leveraging supply chain vulnerabilities to infiltrate target systems. By compromising a trusted gaming platform, they have effectively turned entertainment applications into espionage tools, highlighting the critical need for robust security measures across all stages of software development and distribution.

Recommendations for Users:

– Verify Sources: Only download applications from official app stores or trusted sources.

– Regular Updates: Keep all software and operating systems updated to patch known vulnerabilities.

– Security Software: Utilize reputable antivirus and anti-malware solutions to detect and prevent infections.

– Monitor Permissions: Be cautious of applications requesting excessive permissions that are not necessary for their functionality.

Recommendations for Developers and Platform Operators:

– Code Integrity: Implement code-signing practices to ensure the authenticity and integrity of software packages.

– Server Security: Regularly audit and secure web servers to prevent unauthorized access and potential distribution of malicious code.

– Incident Response: Establish and maintain an incident response plan to address potential security breaches promptly.
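Because the attackers replaced the files the web server handed out rather than the source tree, the server-side check that catches this class of compromise is a comparison of what is being served against what the release process produced. The following is an added example, not ESET’s or sqgame’s code: a small integrity baseline for a download directory, with the baseline created from the release artefacts and stored off the web server (a compromised server can rewrite any baseline kept beside the files). All file names and contents are constructed for the illustration.

```python
"""Integrity baseline for a software download directory (added example).

build_baseline() records the SHA-256 of every served file at release time;
compare_baseline() later reports files that were modified, added or removed.
The baseline JSON must be kept off the web server, and it does not replace
code signing on the packages themselves; it is a server-side tripwire.
All paths and file contents below are constructed for this example."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_baseline(root, baseline):
    """Return modified, added and missing relative paths versus the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Simulate a release, then a server-side swap of the served files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "downloads"
        (root / "android").mkdir(parents=True)
        (root / "windows").mkdir()
        # Release artefacts as produced by the build pipeline (constructed content).
        (root / "android" / "game1.apk").write_bytes(b"release build of game1")
        (root / "windows" / "update.zip").write_bytes(b"release build of windows update")
        # Baseline is serialised here to stand in for the off-server copy.
        stored = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated compromise: update package replaced, extra APK dropped in.
        (root / "windows" / "update.zip").write_bytes(b"repackaged update with backdoor")
        (root / "android" / "game2.apk").write_bytes(b"trojanized build")

        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from a scheduled job that reads the baseline from a location the web server account cannot write, a non-empty `modified` or `added` list is a direct signal that the distribution channel, not the build, has been tampered with, which is exactly the gap between “trusted source” and “trusted package” this incident exposed.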

By adopting these practices, both users and developers can contribute to a more secure digital environment, mitigating the risks posed by sophisticated threat actors like ScarCruft.