Nation-State Threats

North Korea APT Targets Gamers Via Trojanized Platform

North Korea's ScarCruft APT has infiltrated a niche gaming platform serving ethnic Koreans in China, embedding a novel backdoor into its software. The operation, running since late 2024, targets users of traditional card and board games hosted on sqgame[.]net.


Key Takeaways

  • North Korea's ScarCruft APT group is targeting ethnic Korean gamers in China via a trojanized gaming platform.
  • A new Android backdoor, zhuagou, a variant of the Windows BirdCall, has been deployed, capable of data theft and surveillance.
  • The compromised platform, sqgame[.]net, is still serving the malicious builds; its developers have not responded to ESET's notification.

The whir of mechanical keyboards in a dimly lit apartment near the Chinese-North Korean border suddenly felt a lot more ominous.

This isn’t just another tale of shadowy nation-state actors slinging malware; this is about a very specific, very human target pool: gamers who likely feel a strong connection to their Yanbian heritage. North Korea-aligned APT group ScarCruft, also known by the less-than-subtle monikers APT37, Reaper, and Ricochet Chollima, has managed to compromise a regional gaming platform, sqgame[.]net. The site, dedicated to traditional Yanbian-themed card and board games, has become the unwitting vector for a previously undocumented mobile backdoor. Think about it: a platform designed for leisure, for community, hijacked to serve the espionage needs of Pyongyang.

Supply-chain attacks are always a headache, but this one has a particular sting. ESET researchers found that the trojanized software, for both Windows and Android, has likely been distributed since late 2024. Yanbian Korean Autonomous Prefecture, a border region with a significant ethnic Korean population and a known transit point for defectors, provides the geopolitical backdrop. The choice of target isn’t accidental; it’s a calculated move to gather intelligence on individuals of interest to the North Korean regime. It’s a chilling reminder that even seemingly innocuous online communities can become battlegrounds.

A Multiplatform Compromise, But Not All Platforms Are Created Equal

The investigation kicked off with a suspicious Android APK uploaded to VirusTotal. Tracing it back led researchers to sqgame[.]net and a card game dubbed Yanbian Red Ten. Another Android title, New Drawing, also hosted on the same platform, turned out to be carrying the identical malicious payload. The Windows side isn’t left out: an update package for the desktop client was seen serving a compromised mono.dll library as far back as November 2024. This library acts as a downloader, performing anti-analysis checks before pulling down shellcode that deploys the RokRAT backdoor, which in turn paves the way for the more sophisticated BirdCall implant. Interestingly, the iOS version of the game on the site remained untouched. ESET’s assessment? Apple’s review process likely proved too formidable an obstacle for ScarCruft’s current capabilities, a small win for platform security but a stark reminder of the uneven playing field.

BirdCall: A Windows Ghost with an Android Shadow

BirdCall itself isn’t entirely new. ESET first flagged it as a Windows backdoor back in 2021. What’s new here is its Android iteration, internally named zhuagou. This mobile variant, while implementing only a subset of its Windows predecessor’s functions, has seen active development, with at least seven versions appearing between October 2024 and June 2025. Nothing suggests the operators have access to the game’s source code. Instead, they decompile and repackage the legitimate game APKs, modifying the AndroidManifest.xml so that the backdoor’s component is launched first, before the original game activity, which then runs as normal. It’s a bit like sneaking into a concert disguised as a roadie, only to slip out and start your own unauthorized performance once inside.
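The manifest redirection described above is easy to spot if you have a known-good build to compare against. The following is an added example, not ESET's tooling and not anything taken from the sqgame[.]net apps: it parses a legitimate AndroidManifest.xml and a suspect one, reports which activity owns the MAIN/LAUNCHER intent filter in each, and lists the components and permissions the repackaged build added. Both manifests are constructed for illustration, and every package, activity and service name in them is hypothetical. Real APKs carry the manifest as binary XML, so decode it first (for example with `apktool d app.apk`) and feed the decoded text to `diff_manifests`.

```python
"""Compare a known-good AndroidManifest.xml with a suspect one.

Added example (not from the original report). Flags the pattern where a
repackaged APK moves the MAIN/LAUNCHER intent filter to an injected
component so that it runs before the real game activity.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Constructed sample: manifest of the legitimate game build (hypothetical names).
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Card Game">
        <activity android:name="com.example.cardgame.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.cardgame.GameActivity"/>
    </application>
</manifest>
"""

# Constructed sample: the same app after repackaging. The launcher filter now
# sits on an injected activity, a background service and surveillance-related
# permissions were added, and the real MainActivity is kept (without its
# launcher filter) so the loader can start it afterwards. All names hypothetical.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Card Game">
        <activity android:name="net.example.loader.EntryActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="net.example.loader.CollectorService"/>
        <activity android:name="com.example.cardgame.MainActivity"/>
        <activity android:name="com.example.cardgame.GameActivity"/>
    </application>
</manifest>
"""


def launcher_activities(root: ET.Element) -> list:
    """Names of <activity> elements that own a MAIN + LAUNCHER intent filter.

    An <activity-alias> can also carry the launcher filter, so it is
    inspected as well; iteration covers nested <application> children.
    """
    found = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for flt in comp.findall("intent-filter"):
                actions = {a.get(NAME) for a in flt.findall("action")}
                cats = {c.get(NAME) for c in flt.findall("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    found.append(comp.get(NAME))
                    break
    return found


def component_names(root: ET.Element, tag: str) -> set:
    """All android:name values declared for a component tag (activity, service, ...)."""
    return {el.get(NAME) for el in root.iter(tag)}


def permissions(root: ET.Element) -> set:
    """Permissions requested at the manifest top level."""
    return {el.get(NAME) for el in root.findall("uses-permission")}


def diff_manifests(original_xml: str, suspect_xml: str) -> dict:
    """Summarise what a suspect manifest changed relative to a known-good one."""
    orig, susp = ET.fromstring(original_xml), ET.fromstring(suspect_xml)
    report = {
        "package_changed": orig.get("package") != susp.get("package"),
        "launcher_original": launcher_activities(orig),
        "launcher_suspect": launcher_activities(susp),
        "added_permissions": sorted(permissions(susp) - permissions(orig)),
    }
    for tag in ("activity", "service", "receiver"):
        report[f"added_{tag}"] = sorted(
            component_names(susp, tag) - component_names(orig, tag))
    # The key signal: a different component now starts when the icon is tapped.
    report["launcher_redirected"] = (
        report["launcher_original"] != report["launcher_suspect"])
    return report


if __name__ == "__main__":
    for key, value in diff_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{key}: {value}")
```

In practice the known-good manifest comes from a build you obtained through a trusted channel (or from the developer's signed release), and the comparison should be paired with a signing-certificate check, since a repackaged APK is necessarily re-signed with a key the original developer does not hold.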

Once the malware is up and running, its appetite for data is voracious. It harvests contacts, call logs, SMS messages, documents, media files, and even private keys. Furthermore, it can snatch screenshots and record ambient audio. The audio recording feature, however, comes with a rather peculiar time restriction: it’s limited to a three-hour window between 7 pm and 10 pm local time. Why this specific window? Perhaps it’s tied to patterns of communication or activity observed among the target demographic, or maybe it’s an attempt to minimize detection by capturing data during periods of anticipated high user engagement.

Command-and-control (C2) traffic is disguised as ordinary cloud storage activity: the backdoor supports pCloud, Yandex Disk, and Zoho WorkDrive as C2 channels. In this particular campaign, ESET observed only Zoho WorkDrive in use, with a dozen separate accounts identified. The tactic isn’t new; it’s a form of living off the land, using reputable services so that the traffic blends in with legitimate uploads and downloads. Even more damning? ESET notified sqgame about the compromise in December 2025. As of this report, no response had been received, and the malicious APKs remain available on the site. It’s a stark illustration of how sluggish a compromised vendor’s response can be, leaving users exposed long after the threat has been identified.

This incident underscores a broader pattern: threat actors increasingly use niche platforms and legitimate software distribution channels as their initial access vector. It’s not always about finding zero-day exploits; sometimes it’s about exploiting trust. Gaming communities, especially those built around shared cultural ties, can be particularly vulnerable to compromise disguised as community software, and ScarCruft has clearly identified this weakness.


Written by Wei Chen, technical security analyst specialising in malware reverse engineering, APT campaigns, and incident response.


Originally reported by InfoSecurity Magazine
