North Korean APT Targets Yanbian Gamers via Trojanized Platform

By Team-CWD, May 5, 2026

A North Korea-aligned espionage group has compromised a regional gaming platform serving ethnic Koreans in China. The Windows and Android software hosted on the site was trojanized with a previously undocumented mobile backdoor.

According to new analysis from ESET researchers, the supply-chain operation has likely been running since late 2024, targeting users of sqgame[.]net, a site dedicated to traditional Yanbian-themed card and board games.

Yanbian Korean Autonomous Prefecture is a district bordering North Korea that acts as a known crossing point for refugees and defectors.

ESET assessed that the activity was aimed at gathering intelligence on individuals of interest to the Pyongyang regime.

Multiplatform Compromise of a Regional Gaming Site

ESET attributed the campaign to ScarCruft, also known as APT37, Reaper and Ricochet Chollima, an espionage group active since at least 2012 and historically focused on South Korean government, military and defector-related targets.

The investigation began with a suspicious APK uploaded to VirusTotal, which the researchers traced to a card game called Yanbian Red Ten distributed directly from the sqgame website. A second Android title hosted on the same platform, New Drawing, was also found to carry the same malicious code.

On Windows, telemetry showed that an update package for the desktop client had served a trojanized mono.dll library since at least November 2024. The patched library acted as a downloader, performing anti-analysis checks before fetching shellcode containing the RokRAT backdoor, which was then used to deploy the more sophisticated BirdCall implant.

The iOS game on the same site was untouched, which ESET said likely reflected the difficulty of evading Apple’s review process.

A New Android Variant of a Known Windows Backdoor

BirdCall was first identified by ESET as a Windows backdoor in 2021. The Android port, internally named zhuagou, implemented a subset of its predecessor’s capabilities and saw active development across seven versions between October 2024 and June 2025.

ESET said operators recompiled or repackaged legitimate game APKs with malicious code rather than gaining access to source code, modifying AndroidManifest.xml to redirect the entry point through the backdoor before launching the original game activity.
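The repackaging technique described above leaves a trace in the manifest: the activity that owns the MAIN/LAUNCHER intent-filter is no longer the game's own. The following script is an added example, not ESET's or the article's code, that reads a decoded AndroidManifest.xml (as produced by a decoder such as apktool) and compares its launcher entry point against a baseline recorded from a trusted release, flagging any launcher that differs from the baseline or lives outside the declared package. The package, activity and manifest contents below are constructed for illustration.

```python
"""Detect a repackaged APK whose launcher entry point no longer matches the
known-good build. Added example; all names and manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest of a legitimate build: the game's own activity is the launcher.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <application android:label="Card Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed manifest of a repackaged build: a foreign activity now owns the
# launcher intent-filter, while the original activity is still declared but is
# no longer the entry point.
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <application android:label="Card Game">
    <activity android:name="com.sample.loader.EntryActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _qualify(name, package):
    """Expand the shorthand '.Activity' or 'Activity' form to a fully qualified class name."""
    if name is None:
        return ""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def launcher_activities(manifest_xml):
    """Return (package, [launcher activities]) declared in a decoded manifest.
    Both <activity> and <activity-alias> are inspected, since either may own
    the MAIN/LAUNCHER intent-filter."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    launchers = []
    for tag in ("activity", "activity-alias"):
        for element in root.iter(tag):
            for intent_filter in element.findall("intent-filter"):
                actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
                categories = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
                if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                    launchers.append(_qualify(element.get(NAME_ATTR), package))
    return package, launchers


def check_entry_point(manifest_xml, expected_launcher):
    """Compare the manifest's entry point with the baseline from a trusted
    release. Returns a list of findings; an empty list means no deviation."""
    package, launchers = launcher_activities(manifest_xml)
    findings = []
    if launchers != [expected_launcher]:
        findings.append(
            f"launcher activities {launchers} differ from baseline {expected_launcher!r}")
    for activity in launchers:
        if not activity.startswith(package + "."):
            findings.append(
                f"launcher {activity} lives outside the declared package {package}")
    return findings


if __name__ == "__main__":
    baseline = "com.example.cardgame.MainActivity"  # recorded from a trusted release
    for label, manifest in (("clean", CLEAN_MANIFEST), ("repackaged", REPACKAGED_MANIFEST)):
        result = check_entry_point(manifest, baseline)
        print(label, "->", result or "no deviation from baseline")
```

The baseline launcher should be captured from a release whose signing certificate has been verified, and the check is best run alongside a signer comparison: a repackaged APK cannot carry the original developer's signature, so a changed signer is the stronger signal and the manifest diff is what explains where the new entry point leads.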

Once running, the malware harvested contacts, call logs, SMS messages, documents, media files and private keys. It could also capture screenshots and record ambient audio, although researchers noted the recording function was restricted to a three-hour window between 7 pm and 10 pm local time.

The malware could route its command-and-control (C2) traffic through cloud storage providers, including pCloud, Yandex Disk and Zoho WorkDrive, although ESET observed only Zoho WorkDrive in use in this campaign, with 12 separate accounts identified during the investigation.

The cybersecurity company notified sqgame of the compromise in December 2025 but had received no response at the time of publication, and the malicious APKs remained available on the site.
