ScarCruft and BirdCall: when a gaming platform becomes a spying weapon
ScarCruft infiltrates gaming platform to distribute BirdCall malware on Windows and Android
On May 5, 2026, ESET researchers published findings on an active espionage campaign carried out by ScarCruft —also known as APT37 or Reaper—, an advanced persistent threat (APT) group aligned with North Korea that has been active since at least 2012. The group compromised sqgame[.]net, a video gaming platform aimed at ethnic Koreans in China’s Yanbian region, to distribute the BirdCall backdoor on both Windows systems and Android devices, making it a cross-platform threat for the first time.
The incident: a gaming platform as an infection vector
sqgame[.]net hosts traditional games from the Yanbian region —a border area between China, North Korea, and Russia— for Windows, Android, and iOS. The platform is widely used by the local Korean community, which also includes North Korean refugees and defectors who use the region as a transit point.
According to ESET, the compromise likely began around late 2024. The attackers modified two key elements of the platform:
- On Windows: a desktop client update package was altered to include a trojanized version of the mono.dll library. Upon execution, the file performed anti-analysis checks before downloading the RokRAT backdoor from a compromised Korean website; RokRAT in turn installed the more sophisticated BirdCall implant. After infection, the malicious library was replaced with a clean copy to erase evidence.
- On Android: two of the three games available for download —Yanbian Red Ten and New Drawing— were repackaged with malicious code. The operators modified the AndroidManifest.xml file of the legitimate APKs to redirect the entry point through the backdoor before launching the original game activity, without requiring access to the source code.
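The Android technique above (a changed launcher entry point in an otherwise legitimate APK) is something a defender can check for once the manifest has been decoded to plain XML, for example with apktool. The script below is an added example written for this article, not ESET's tooling or code from the sqgame platform: it compares the MAIN/LAUNCHER activity of a decoded manifest against the activity name recorded for a known-good build, and it also lists permissions a simple game has no reason to request (the point of the "review application permissions" advice later on). The package name, activity names and the sensitive-permission watchlist are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Permissions a plain card game has no business requesting (constructed watchlist;
# tune it to the application category you are reviewing).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def launcher_activities(manifest_xml: str) -> list[str]:
    """Return fully qualified names of activities declared as MAIN/LAUNCHER."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in intent_filter.findall("action")}
            categories = {c.get(NAME) for c in intent_filter.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = activity.get(NAME, "")
                if name.startswith("."):  # relative names are resolved against the package
                    name = package + name
                found.append(name)
    return found


def requested_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission> names declared at the top of the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME) for p in root.findall("uses-permission")}


def audit_manifest(manifest_xml: str, expected_launcher: str) -> list[str]:
    """Flag a changed entry point and any sensitive permissions; empty list means clean."""
    findings = []
    launchers = launcher_activities(manifest_xml)
    if launchers != [expected_launcher]:
        findings.append(f"launcher changed: {launchers} (expected {expected_launcher!r})")
    for perm in sorted(requested_permissions(manifest_xml) & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive permission: {perm}")
    return findings


# Constructed manifest of a known-good build (recorded when the app was first vetted).
KNOWN_GOOD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Card Game">
        <activity android:name=".GameActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""

# Constructed manifest of a repackaged build: a new activity owns the launcher filter
# and extra permissions appear, while the original game activity is still present.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Card Game">
        <activity android:name=".Loader">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".GameActivity"/>
    </application>
</manifest>"""

EXPECTED_LAUNCHER = "com.example.cardgame.GameActivity"

if __name__ == "__main__":
    for label, manifest in (("known-good", KNOWN_GOOD_MANIFEST), ("repackaged", REPACKAGED_MANIFEST)):
        print(label, audit_manifest(manifest, EXPECTED_LAUNCHER) or ["clean"])
```

The check is only as good as the baseline: record the launcher activity and permission set from a build you obtained and verified through an independent channel, not from the same download that you are about to inspect.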
ESET researcher Filip Jurčacko, who discovered the attack, noted that the campaign was identified in October 2025 and that the trojanized Android games were still available for download at the time of publication. ESET notified sqgame of the compromise in December 2025, receiving no response.
The problem: the trap of software you already trust
What makes this campaign especially dangerous is its nature as a supply-chain attack. Instead of tricking victims into downloading software from unknown sites, the attackers infected the official source: the very platform that users already know, already use, and already trust.
This attack vector subverts the most basic security advice. A user who downloads an update from the official website of their favorite application has no immediate reason to suspect anything. There are no phishing emails, no suspicious domains, no visible warnings. The pre-established trust in the platform is precisely the mechanism the attacker exploits.
The danger of this attack model can be summarized in three points:
- Massive reach with a low profile: a single point of compromise —the vendor’s server— infects all users who update or download during the active period.
- Evasion of conventional controls: security solutions that validate the authenticity of the download source cannot distinguish between a clean update and a trojanized one coming from the same server.
- Extended persistence: in this case, the malicious infrastructure was active from at least November 2024, for more than a year, before being publicly reported.
Analysis: targeted espionage and total device control
The selection of sqgame[.]net is no coincidence. The Yanbian region hosts the largest ethnic Korean community outside the peninsula and is a high-risk transit route for North Korean defectors. The campaign’s profile is consistent with ScarCruft’s historical operations, whose focus includes the South Korean government, military organizations, human rights activists, and individuals connected to the interests of the North Korean regime.
BirdCall capabilities
Once installed, BirdCall gives operators near-total access to the compromised device. Its documented capabilities include:
| Platform | Backdoor capabilities |
|---|---|
| Windows | Highly complex C++ implant; access to files, documents, and private keys; remote command execution |
| Android | Collection of contacts, call logs, SMS, multimedia files, documents, and screenshots; ambient audio recording |
The Android variant —internally named zhuagou— was actively developed between October 2024 and June 2025, with at least seven identified versions. On Windows, the infection process is initiated through a multi-stage chain that begins with a Ruby or Python script, with components encrypted using a key specific to the compromised machine, which hinders forensic analysis outside the victim’s environment.
This type of campaign, targeting specific and geographically delimited populations, represents an evolution toward precision espionage: less noisy than mass attacks, but potentially devastating for vulnerable communities like North Korean defectors, whose exposure can have consequences that go far beyond data loss.
Security recommendations
Although the main vector of this campaign was a compromised platform in a specific geographic niche, the lessons it leaves are applicable to any user or security team.
For individual users
- Download only from verified official sources. On Android, prefer Google Play and enable warnings for installations from external sources. An APK downloaded from a website, even if it is the developer’s official site, may have been compromised.
- Keep software updated, but verify the legitimacy of updates. Be wary of updates that were not preceded by notifications within the application itself or visible version changes.
- Install a security solution with behavior detection. Antivirus products based exclusively on signatures may not detect new variants; solutions with heuristic and behavioral analysis offer an additional layer of protection.
- Review application permissions. A game that requests access to the microphone, contacts, or system files should raise suspicions.
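The Windows side of this incident (a single library swapped inside an otherwise legitimate update package) and the advice to verify the legitimacy of updates both come down to the same control: compare what you downloaded against integrity data you obtained independently of the download server. The script below is an added example for this article, not code from ESET or from the sqgame client; it hashes every member of a zip-style update package and reports members that were modified, removed or added relative to a pinned manifest. The package contents, file names and hashes are constructed inline so the example runs offline.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_package_members(package_bytes: bytes) -> dict[str, str]:
    """SHA-256 of every file inside a zip update package, keyed by its path."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {
            info.filename: sha256(zf.read(info))
            for info in zf.infolist()
            if not info.is_dir()
        }


def verify_package(package_bytes: bytes, pinned: dict[str, str]) -> dict[str, list[str]]:
    """Compare package members against a pinned manifest obtained out of band.

    A clean package yields three empty lists. Anything else means the package
    must not be installed until the difference is explained.
    """
    actual = hash_package_members(package_bytes)
    return {
        "modified": sorted(p for p in pinned if p in actual and actual[p] != pinned[p]),
        "missing": sorted(p for p in pinned if p not in actual),
        "unexpected": sorted(p for p in actual if p not in pinned),
    }


def build_package(files: dict[str, bytes]) -> bytes:
    """Helper to build an in-memory zip package from a path -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed contents of a vetted client release; in practice the pinned hashes
# would come from a vendor manifest or signed release notes fetched separately.
CLEAN_FILES = {
    "client.exe": b"clean client build 1.2.3 (constructed)",
    "mono.dll": b"clean runtime library (constructed)",
}
PINNED_MANIFEST = {path: sha256(data) for path, data in CLEAN_FILES.items()}

# Constructed tampered release: same file list, one library replaced, one file added.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["mono.dll"] = b"tampered runtime library (constructed)"
TAMPERED_FILES["loader.dat"] = b"extra payload (constructed)"

if __name__ == "__main__":
    print("clean:", verify_package(build_package(CLEAN_FILES), PINNED_MANIFEST))
    print("tampered:", verify_package(build_package(TAMPERED_FILES), PINNED_MANIFEST))
```

The manifest has to be pinned from a source the attacker cannot reach: a hash list served from the same compromised server would simply be updated alongside the package. Where the vendor signs releases, verifying that signature serves the same purpose; the per-file comparison is the fallback when no signature exists, and it is also the check that would have caught a library being swapped back to its clean copy after infection, since the hash history changes twice.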
For security teams and organizations
- Implement monitoring of unusual outbound traffic. ESET specifically recommends watching for unexpected HTTPS traffic to cloud platforms originating from gaming applications.
- Consult the Indicators of Compromise (IoCs). ESET has published the complete list of IoCs in its GitHub repository to facilitate threat hunting.
- Consider deception technology. Honeytokens and decoy services have no legitimate users, so any access to them is anomalous by definition and can be detected regardless of the sophistication of the attacker.
- Establish validation policies for third-party software updates, especially in corporate environments where software of uncommon origin may not go through formal validation processes.
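The first recommendation above (watch for unexpected HTTPS traffic to cloud platforms originating from gaming applications) can be turned into a concrete detection over endpoint network logs. The script below is an added example for this article, not an ESET rule and not tied to any real cloud provider: it reads constructed process-to-destination records, ignores connections from a game process to the hosts in its baseline, and raises an alert when the same process talks to a cloud storage domain or to any host outside the baseline. The process names, domain suffixes and log lines are all constructed placeholders; an organisation would populate the watchlists from its own baseline.

```python
import csv
import io
from dataclasses import dataclass

# Constructed baselines. GAME_PROCESSES are the executables whose traffic is in scope;
# GAME_EXPECTED_HOSTS are the destinations observed during normal play and updates.
GAME_PROCESSES = {"cardgame.exe", "gameclient.exe"}
GAME_EXPECTED_HOSTS = {"update.cardgame.example", "lobby.cardgame.example"}
# Constructed cloud storage suffixes standing in for the providers on a real watchlist.
CLOUD_STORAGE_SUFFIXES = ("cloud-storage.example", "filehost.example")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    host: str
    reason: str


def is_cloud_storage(host: str) -> bool:
    """True when host is, or is a subdomain of, a watched cloud storage domain."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect(log_text: str) -> list[Alert]:
    """Scan CSV records (timestamp,image,dest_host,dest_port) for suspicious egress."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        process = row["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        host = row["dest_host"].lower()
        if process not in GAME_PROCESSES or host in GAME_EXPECTED_HOSTS:
            continue
        if row["dest_port"] != "443":
            continue  # this rule is scoped to HTTPS; other ports belong to other rules
        reason = ("game process -> cloud storage over HTTPS" if is_cloud_storage(host)
                  else "game process -> host outside baseline over HTTPS")
        alerts.append(Alert(row["timestamp"], process, host, reason))
    return alerts


# Constructed sample log: two baseline connections, one to cloud storage, one to an
# unknown host, and one from a browser that is out of scope for this rule.
SAMPLE_LOG = """timestamp,image,dest_host,dest_port
2025-10-02T09:01:10Z,C:\\Games\\CardGame\\cardgame.exe,update.cardgame.example,443
2025-10-02T09:01:12Z,C:\\Games\\CardGame\\cardgame.exe,lobby.cardgame.example,443
2025-10-02T09:03:41Z,C:\\Games\\CardGame\\cardgame.exe,api.cloud-storage.example,443
2025-10-02T09:03:55Z,C:\\Games\\CardGame\\cardgame.exe,cdn.unrelated.example,443
2025-10-02T09:04:00Z,C:\\Program Files\\Browser\\browser.exe,api.cloud-storage.example,443
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.process} -> {alert.host}: {alert.reason}")
```

The "outside baseline" branch is deliberately noisy on first deployment; the practical workflow is to run it in audit mode, fold confirmed-legitimate destinations into the baseline, and only then page on hits. The cloud storage branch is the higher-confidence signal, because a game client has few reasons to speak to a personal file-hosting service at all.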
In summary…
The ScarCruft and BirdCall case illustrates an uncomfortable reality: the trust we place in software we already use can become the weakest link in our security. The supply chain is not an abstract risk reserved for large corporations; any platform, however small or specialized, can become a vector if its operators lack adequate integrity controls.
The answer to the problem is not to stop updating software —that path leads to even greater vulnerabilities— but to develop the habit of verifying, keeping security tools active, and paying attention to signs of anomalous behavior. In a landscape where threat groups with state resources target even very specific communities, vigilance is not paranoia: it is digital hygiene.
Sources consulted:
- ESET WeLiveSecurity: “A rigged game: ScarCruft compromises gaming platform in a supply-chain attack” (May 5, 2026)
- The Hacker News: “ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows” (May 5, 2026)
- BleepingComputer: “ScarCruft hackers push BirdCall Android malware via game platform” (May 5, 2026)
- Help Net Security: “North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China” (May 5, 2026)
- Infosecurity Magazine: “North Korean APT Targets Yanbian Gamers via Trojanized Platform” (May 5, 2026)
- Cybersecurity News: “New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android Backdoors” (May 5, 2026)
- GlobeNewswire – ESET: “North Korea-aligned APT group ScarCruft compromises gaming platform in supply-chain espionage attack, ESET Research finds” (May 5, 2026)