Originally published at: https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans living in China.
While previous versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.
According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region of China bordering North Korea and Russia. The region is also known to act as a major, high-risk transit point for North Korean defectors crossing the Tumen River.
The targeting of this platform is said to be a deliberate strategy given ScarCruft's long history of targeting North Korean defectors, human rights activists, and university professors.
“In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor,” the Slovakian cybersecurity firm said in a report shared with The Hacker News ahead of publication.
Windows versions of BirdCall, described as an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors.
BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and information gathering. Like RokRAT, the malware relies on legitimate cloud services such as Dropbox and pCloud for command-and-control (C2).
“BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key,” ESET said.
The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart's functionality, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware's lineage has unearthed seven versions, with the first dating back to October 2024.
Interestingly, the supply chain attack has been found to poison only the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net were altered to serve the malicious APKs –
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
It's currently not known when the website was breached and the poisoned APKs started to be distributed. However, it's believed that the incident occurred sometime in late 2024. What's more, evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period. The update package is no longer malicious.
Specifically, the modified DLL included a downloader that checks the list of running processes for analysis tools and virtual machine environments before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on the infected hosts.
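The trojanized DLL above rode in on a legitimate update package, which is the case where a client that simply trusts whatever the update server hands it has no defence. The following added example (not code from ESET, the article, or the sqgame platform) shows the minimal control a client or a release pipeline can apply: every component of an update bundle is hashed and compared against a pinned manifest, and a single modified or unexpected file is enough to refuse the whole bundle. The manifest, file names and file contents are constructed for the example; the only caveat that matters is that the pinned hashes must come from somewhere the compromised update server cannot also rewrite (a signed manifest or a code-signing check), otherwise the attacker who swapped the DLL can swap the hashes too.

```python
import hashlib
import os
import tempfile

# Hypothetical pinned manifest: file name -> SHA-256 of the vendor's known-good build.
# In a real deployment the manifest must come from a source the update server cannot
# alter (a signed release note, a code-signing certificate check, or an out-of-band pin);
# the sample hashes below are constructed for this example, not sqgame.net values.


def sha256_file(path):
    """Stream a file through SHA-256 so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_bundle(bundle_dir, manifest):
    """Compare every file in an update bundle against the pinned manifest.

    Returns a list of (file name, status) pairs where status is one of
    'ok', 'modified', 'missing' or 'unexpected'. A 'modified' DLL is the
    trojanized-component case described in the article; an 'unexpected'
    file catches extra components the vendor never shipped.
    """
    findings = []
    present = set(os.listdir(bundle_dir))
    for name, expected in manifest.items():
        path = os.path.join(bundle_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
        elif sha256_file(path) != expected:
            findings.append((name, "modified"))
        else:
            findings.append((name, "ok"))
    for name in sorted(present - set(manifest)):
        findings.append((name, "unexpected"))
    return findings


def is_safe_to_install(findings):
    """Refuse the whole bundle unless every component matched the manifest."""
    return all(status == "ok" for _, status in findings)


def build_demo_bundle():
    """Construct a known-good bundle, pin its hashes, then simulate tampering.

    The file contents are constructed stand-ins, not real executables.
    """
    bundle_dir = tempfile.mkdtemp(prefix="update_bundle_")
    good_files = {
        "client.exe": b"MZ constructed good client",
        "netlib.dll": b"MZ constructed good dll",
        "assets.pak": b"PAK constructed assets",
    }
    for name, data in good_files.items():
        with open(os.path.join(bundle_dir, name), "wb") as handle:
            handle.write(data)
    manifest = {name: sha256_file(os.path.join(bundle_dir, name)) for name in good_files}
    # Simulate the supply-chain tampering: swap one DLL for a different build
    # and drop in a component the vendor never shipped.
    with open(os.path.join(bundle_dir, "netlib.dll"), "wb") as handle:
        handle.write(b"MZ constructed tampered dll")
    with open(os.path.join(bundle_dir, "helper.dll"), "wb") as handle:
        handle.write(b"MZ constructed extra dll")
    return bundle_dir, manifest


if __name__ == "__main__":
    bundle_dir, manifest = build_demo_bundle()
    for name, status in verify_bundle(bundle_dir, manifest):
        print(f"{status:10} {name}")
    print("safe to install:", is_safe_to_install(verify_bundle(bundle_dir, manifest)))
```

Run as-is, the script reports `netlib.dll` as modified and `helper.dll` as unexpected and refuses installation. The same check, applied on the publishing side before a package is uploaded, would have flagged the trojanized DLL at the moment it was introduced rather than months later.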
The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. These include pCloud, Yandex Disk, and Zoho WorkDrive, the last of which has become an increasingly common presence across several campaigns.
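Because both the Windows and Android variants hide their C2 inside legitimate cloud storage traffic, blocking the destinations is rarely an option; what a defender can do is ask which processes are talking to those services. The following added example (not code from ESET or the article) aggregates constructed endpoint egress log lines per host, process and service, ignores an allowlist of clients expected to use cloud storage, and flags everything else, marking a large cumulative upload volume as the data-collection behaviour the article attributes to BirdCall. The log format, host names, process names (including `sqgame.exe`), byte counts and the process allowlist are all assumptions made for this example; the domain list reflects the services' public hostnames as known to the author of the example and should be confirmed against your own egress data.

```python
import re
from collections import defaultdict

# Domains for the cloud storage services the article names as BirdCall/RokRAT C2.
# Assumption: these are the services' public API/web hostnames as known to the
# author of this example; confirm against your own egress data before deploying.
CLOUD_STORAGE_DOMAINS = {
    "dropbox": ("dropboxapi.com", "dropbox.com"),
    "pcloud": ("pcloud.com",),
    "yandex_disk": ("cloud-api.yandex.net", "disk.yandex.com"),
    "zoho_workdrive": ("workdrive.zoho.com",),
}

# Hypothetical allowlist of processes that legitimately talk to these services.
# Browsers are allowlisted here only to keep the example short; in practice
# browser traffic to cloud storage needs its own baseline.
ALLOWED_CLOUD_CLIENTS = {"dropbox.exe", "pcloud.exe", "chrome.exe", "msedge.exe"}

# Constructed egress log format (one connection per line), not any real product's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample log lines; hosts, process names and byte counts are made up.
SAMPLE_LOGS = [
    "2025-01-10T09:00:01Z host=WS01 proc=Dropbox.exe dst=api.dropboxapi.com bytes_out=2048",
    "2025-01-10T09:00:05Z host=WS02 proc=sqgame.exe dst=api.pcloud.com bytes_out=1200",
    "2025-01-10T09:05:05Z host=WS02 proc=sqgame.exe dst=api.pcloud.com bytes_out=1200",
    "2025-01-10T09:10:05Z host=WS02 proc=sqgame.exe dst=api.pcloud.com bytes_out=1200",
    "2025-01-10T09:15:07Z host=WS02 proc=sqgame.exe dst=api.pcloud.com bytes_out=1500000",
    "2025-01-10T09:20:00Z host=WS03 proc=chrome.exe dst=workdrive.zoho.com bytes_out=900",
    "2025-01-10T09:21:00Z host=WS04 proc=rundll32.exe dst=cloud-api.yandex.net bytes_out=512",
    "2025-01-10T09:22:00Z host=WS01 proc=outlook.exe dst=mail.example.com bytes_out=300",
    "this line is malformed and must be skipped",
]


def classify_destination(dst):
    """Return the cloud storage service a destination belongs to, or None."""
    dst = dst.lower().rstrip(".")
    for service, domains in CLOUD_STORAGE_DOMAINS.items():
        for domain in domains:
            # Exact match or a subdomain; the leading dot stops 'notpcloud.com' matching.
            if dst == domain or dst.endswith("." + domain):
                return service
    return None


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["bytes_out"] = int(record["bytes_out"])
    return record


def detect_cloud_c2(lines, allowed=ALLOWED_CLOUD_CLIENTS, upload_threshold=1_000_000):
    """Aggregate cloud-storage traffic per (host, process, service) and flag any
    process outside the allowlist. Repeated small connections resemble beaconing;
    cumulative bytes_out at or above the threshold is marked as a bulk upload."""
    totals = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        service = classify_destination(record["dst"])
        if service is None or record["proc"].lower() in allowed:
            continue
        key = (record["host"], record["proc"], service)
        totals[key]["connections"] += 1
        totals[key]["bytes_out"] += record["bytes_out"]
    alerts = []
    for (host, proc, service), stats in sorted(totals.items()):
        alerts.append({
            "host": host,
            "proc": proc,
            "service": service,
            "connections": stats["connections"],
            "bytes_out": stats["bytes_out"],
            "bulk_upload": stats["bytes_out"] >= upload_threshold,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_c2(SAMPLE_LOGS):
        print(alert)
```

On the sample data the game client on WS02 is flagged with four connections to pCloud and a cumulative upload above the threshold, and `rundll32.exe` on WS04 is flagged for a single contact with Yandex Disk; the Dropbox client, the browser and the mail client produce nothing. The allowlist is where most tuning effort goes: it should be built from each organisation's own baseline rather than from a fixed list.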
“The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings,” ESET said.