Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
News

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

Team-CWDBy Team-CWDMay 13, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China.

While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.

According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia. It’s also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River.

Filip Jurčacko, senior malware researcher at ESET, told The Hacker News that the campaign was discovered in October 2025, adding the trojanized Android games are still available for download on the sqgame[.]net website.

The targeting of this platform is said to be a deliberate strategy given ScarCruft’s storied history of targeting North Korean defectors, human rights activists, and university professors.

“In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor,” the Slovakian cybersecurity company said in a report shared with The Hacker News ahead of publication.

Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors.

BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and data gathering. Like RokRAT, the malware relies on legitimate cloud services like Dropbox and pCloud for command-and-control (C2).

“BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key,” ESET said.

The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware’s lineage has unearthed seven versions, with the first dating back to October 2024.

Despite the fact that BirdCall is built upon the foundations of RokRAT and, by extension, RambleOn, they are fundamentally two disparate malware families. “They both disguise [themselves] as legitimate Android apps and use cloud storage services for data exfiltration, but are different backdoors,” Jurčacko noted.

Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net have been altered to serve the malicious APKs –

  • sqgame.com[.]cn/ybht.apk
  • sqgame.com[.]cn/sqybhs.apk

It’s currently not known when the website was breached, and the poisoned APKs began to be distributed. However, it’s believed that the incident occurred sometime in late 2024. What’s more, evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period. The update package is no longer malicious.

Specifically, the modified DLL included a downloader that checks the list of running processes for analysis tools and virtual machine environments, before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on the infected hosts.

The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. This includes pCloud, Yandex Disk, and Zoho WorkDrive, the last of which has become an increasingly common presence across multiple campaigns.

“The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings,” ESET said.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleMini Shai-Hulud Hits TanStack npm Packages
Next Article UK Cybersecurity Market Expands to £14.7bn with Strong Growth in AI Se
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Beware of threats lurking in booby-trapped PDF files

October 7, 2025

Common Apple Pay scams, and how to stay safe

January 22, 2026

What to consider before asking an AI chatbot for health advice

May 27, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.