A rigged recreation: ScarCruft compromises gaming platform in a supply-chain assault

ESET researchers uncovered a multiplatform supply-chain assault by North Korea-aligned APT group ScarCruft, concentrating on the Yanbian area in China – house to ethnic Koreans and a crossing level for North Korean refugees and defectors. In the assault, in all probability ongoing since late 2024, ScarCruft compromised Windows and Android elements of a online game platform devoted to Yanbian-themed video games, trojanizing them with a backdoor.

The backdoor, named ChickenCall by ESET, was initially identified to focus on Windows solely; the Android model was found as a part of this supply-chain assault. In this blogpost, we offer an summary of the assault, and the primary public evaluation of the Android backdoor.

Key factors of this blogpost:

• North Korea-aligned APT group ScarCruft compromised a online game platform utilized by ethnic Koreans dwelling within the Yanbian area in China.
• The gaming platform’s Windows shopper was compromised by a malicious replace resulting in the RokRAT backdoor, which deployed the extra subtle ChickenCall backdoor.
• Android video games obtainable on the gaming platform have been trojanized to comprise the Android model of the ChickenCall backdoor – a brand new instrument in ScarCruft’s arsenal.
• The aim of the marketing campaign is espionage, with the backdoor able to accumulating private information and paperwork, taking screenshots, and making voice recordings.

Scarcruft profile

ScarCruft, also referred to as APT37 or Reaper, has been working since not less than 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, however different Asian nations have additionally been focused. ScarCruft appears to be primarily in authorities and army organizations, and corporations in varied industries linked to the pursuits of North Korea. The group additionally targets North Korean defectors, with the newest such exercise introduced on this blogpost.

ChickenCall backdoor

Windows model

ChickenCall is a Windows backdoor written in C++ that we found in 2021 and attributed to ScarCruft as a part of the ESET Threat Intelligence reporting.

The backdoor has a variety of spying capabilities, together with taking screenshots, logging keystrokes and clipboard content material, stealing credentials and information, and executing shell instructions. For C&C functions, the backdoor makes use of authentic cloud storage providers, similar to Dropbox or pCloud, or compromised web sites. ChickenCall is often deployed in a multistage loading chain, beginning with a Ruby or Python script, and containing elements encrypted utilizing a computer-specific key. The preliminary model of ChickenCall was publicly described by South Korean distributors in 2021 as a sophisticated model of RokRAT (S2W, AhnLab).

Android model

The Android model of ChickenCall, found within the assault that we describe on this blogpost, implements a subset of the instructions and capabilities of the Windows backdoor – it collects contacts, SMS messages, name logs, paperwork, media information, and personal keys. It may take screenshots and document surrounding audio.

Based on our analysis, Android ChickenCall was actively developed over a span of a number of months. We recognized seven variations, starting from model 1.0 (created roughly in October 2024) to model 2.0 (created roughly in June 2025).

Discovery

Our investigation began with a suspicious APK file discovered on VirusTotal. Upon preliminary evaluation, we decided that the APK is malicious and incorporates a backdoor.

Interestingly, the APK turned out to be a trojanized card recreation known as 延边红十 (machine translation: Yanbian Red Ten), which we traced to its official web site, https://www.sqgame[.]web. sqgame is a gaming platform tailor-made for the folks of Yanbian and hosts conventional Yanbian video games for Windows, Android, and iOS. The gamers can compete in card and board video games (see Figure 1) with buddies or be part of organized tournaments.

Surprisingly, the APK obtainable for obtain on the official web site is similar because the APK we initially discovered on VirusTotal. Moreover, a second Android recreation (新画图, machine translation: New Drawing) obtainable for obtain from sqgame was additionally trojanized with the identical backdoor. Further evaluation revealed that the backdoor is an Android port of the ScarCruft group’s ChickenCall backdoor.

The Windows desktop shopper hyperlink on the sqgame web site results in a few-years-old installer that seems to be clear. It does obtain updates as soon as put in, however we didn’t establish any malicious code there throughout our evaluation.

Investigating additional in ESET telemetry, we recognized a trojanized mono.dll library, originating from an replace package deal for the desktop shopper. ESET telemetry reveals that this replace package deal had been malicious since not less than November 2024, for an unknown interval. At the time of writing, this replace package deal was not malicious.

We additionally checked the iOS recreation obtainable on the sqgame web site and didn’t discover any malicious code. We suppose that ScarCruft skipped this platform, because the trojanization and supply of the app could be rather more tough in comparison with different platforms, presumably operating into Apple’s assessment course of.

Victimology

Since the web site compromised on this assault is devoted to the folks of Yanbian and their conventional video games, we infer that the first targets are ethnic Koreans dwelling in Yanbian. Yanbian Korean Autonomous Prefecture is a area in China that borders North Korea and is house to the most important ethnic Korean group outdoors Korea.

In this context, we imagine that it’s possible that the assault was aimed toward accumulating data on people primarily based in (or originating from) the Yanbian area and deemed of curiosity to the North Korean regime – more than likely refugees or defectors.

Attack overview

Android

Two of the Android video games obtainable on the sqgame web site have been discovered to be trojanized to comprise the ChickenCall backdoor. The obtain web page obtainable at https://www.sqgame[.]web/video games/gamedownload.aspx is proven in Figure 2, with obtain buttons for the 2 trojanized video games highlighted in pink. The third obtainable Android recreation was clear on the time of our evaluation.

We discovered proof that the victims downloaded the trojanized video games through an internet browser on their gadgets and doubtless put in them deliberately. We haven’t discovered another APK areas. We additionally haven’t discovered the malicious APKs on the official Google Play retailer.

We have been unable to find out when the web site was first compromised and the supply-chain assault began. However, primarily based on our evaluation of the deployed malware, we estimate that it occurred in late 2024.

Table 1 reveals the internet hosting URLs of the 2 trojanized APK information, together with the hashes of information served on the time of discovery. At the time of writing of this blogpost, the malicious information have been nonetheless up on the sqgame web site. We notified sqgame of the compromise in December 2025, however haven’t acquired a response.

Table 1. Malicious samples

Windows

While the Windows desktop shopper obtainable on the sqgame web site didn’t comprise malicious code after we analyzed it, we later recognized a trojanized mono.dll library, originating from an replace package deal of the desktop shopper hosted on the URL http://xiazai.sqgame.com[.]cn/courting/20240429.zip. ESET telemetry reveals that this replace package deal had been malicious since not less than November 2024, for an unknown interval – however on the time of writing, this replace package deal was not malicious.

ScarCruft took a clear mono library and patched it with additional code and information, containing a downloader. The downloader first checks operating processes for evaluation instruments and digital machine environments and doesn’t proceed if any are discovered. Otherwise, it appears to be like for the method of the sqgame shopper and constructs a path to the mono library in its set up folder.

Next, it downloads and executes shellcode, which contained the RokRAT backdoor on the time of discovery. Finally, the downloader terminates the shopper course of and downloads the unique clear model of the mono library, changing the trojanized one within the put in shopper folder. Both the payload and clear mono library are downloaded from authentic South Korean web sites that have been compromised for this objective – a typical TTP of ScarCruft.

According to our telemetry, the RokRAT backdoor was subsequently used to obtain and set up the ChickenCall backdoor on the victimized machines.

Android ChickenCall evaluation

In this part, we offer a technical evaluation of the Android ChickenCall backdoor – an Android port of the eponymous Windows backdoor written in C++. Internally, the backdoor is called zhuagou, which may be translated (from Chinese) as “catching dogs”.

Trojanized Android video games

Android ChickenCall is distributed through trojanized Android video games. In the assault described on this blogpost, we imagine that ScarCruft didn’t achieve entry to the sport’s supply code, solely to the sqgame web site or internet server, and as a substitute took the unique recreation APKs and recompiled or repackaged them with malicious code added.

In the trojanized APKs, the AndroidManifest.xml entry level exercise is modified and factors to the added malicious code – which, after beginning the backdoor, executes the unique entry exercise of the sport.

In the analyzed samples, the modified entry level exercise was both com.instance.zhuagou.SplashScreen or com.mob.util.MobSs (within the newest pattern). The modifications to AndroidManifest.xml additionally embrace new exercise and repair definitions for the backdoor, in addition to extra permissions required for its operation. A comparability of packages within the unique recreation and its trojanized model is proven in Figure 3.

Since the Android ChickenCall backdoor is part of a trojanized Android app put in on the system, it doesn’t routinely begin after set up or a tool reboot; as a substitute, it depends on consumer execution.

Configuration

Android ChickenCall incorporates a default configuration, which is initialized on the primary run. The configuration makes use of JSON format and is continued in a file. Subsequent runs load the present configuration file, and the configuration may be modified through backdoor instructions. An instance of a formatted configuration is proven in Figure 4.

{
    "bi": "E823D451D636D0A0",
    "skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
    "si": "20251105141404",
    "rft": 20000,
    "fst": true,
    "kill": false,
    "log": true,
    "ctm": 10000,
    "scr": false,
    "rec": false,
    "cmd": 0,
    "data": 1,
    "bd_version": 37,
    "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
    "cloud": [
        {
            "ct": 9,
            "idx": 28,
            "cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
            "cst": "fa7ec5c8b050[redacted]",
            "rt": "1000.a7fc479e[redacted]",
            "at": "empty",
            "fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
            "dm": "",
            "use": 0
        },
        [redacted]
    ]
}