ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
ScarCruft Deploys BirdCall Malware Across Android and Windows via Compromised Gaming Platform
TL;DR — ScarCruft, a North Korea-aligned threat actor, has compromised sqgame.net, a gaming platform serving ethnic Koreans in China's Yanbian region, to distribute trojanized APKs and Windows updates containing BirdCall malware. The campaign, discovered in October 2025 but believed active since late 2024, marks the first widespread Android deployment of BirdCall, a sophisticated backdoor previously focused on Windows targets. Trojanized Android games remain available for download.
What happened
ScarCruft has executed a supply chain attack against sqgame.net, a video gaming platform used by ethnic Koreans living in Yanbian, China—a region bordering North Korea and Russia and a known transit point for North Korean defectors. The compromise enabled the deployment of BirdCall, an advanced backdoor derived from the RokRAT malware family.
The attack targeted both the Android and Windows components of the platform, though with differing scope. For Android, ScarCruft altered the download pages for two games (hosted at sqgame.com.cn/ybht.apk and sqgame.com.cn/sqybhs.apk) to serve malicious APKs. According to ESET senior malware researcher Filip Jurčacko, these trojanized Android games remained available for download at the time of the campaign's discovery in October 2025. The Windows desktop client and iOS games were left intact.
On Windows, evidence indicates that update packages delivered to the desktop client contained a trojanized DLL at least since November 2024. This DLL acted as a downloader, checking running processes for analysis tools and virtual machine environments before fetching and executing shellcode containing RokRAT. BirdCall was then installed as a follow-on payload. The update package has since been remediated.
The attack is believed to have commenced in late 2024. Analysis of BirdCall's development history has identified seven distinct versions, with the earliest dating to October 2024. This marks a significant expansion of BirdCall's reach: Windows variants of the malware have circulated since 2021, but this supply chain attack represents the first confirmed large-scale Android distribution.
Why it matters
This campaign signals a strategic shift in ScarCruft's operational scope. The group has a documented history of targeting North Korean defectors, human rights activists, and university professors. The deliberate focus on sqgame.net—a platform embedded in the daily lives of the Yanbian ethnic Korean community—indicates a sustained interest in surveillance of individuals with potential political or intelligence value to North Korea.
The Android deployment of BirdCall extends the threat surface for defenders in the region. Endpoint detection and response (EDR) tooling is more mature on Windows; on Android, surveillance malware delivered through a supply chain compromise often goes unnoticed. Users downloading games from what appears to be a legitimate platform are infected without the usual warning signs of sideloading or an untrusted source.
The use of legitimate cloud storage services—Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive—for command-and-control communications complicates network-based detection. Organizations cannot easily block these services without disrupting legitimate workflows. The multistage infection chain, employing Ruby or Python scripts and computer-specific encryption keys, demonstrates operational maturity and adds complexity for forensic analysis.
For developers and security teams, this incident underscores the persistent risk of supply chain compromise against regional or niche platforms. Gaming platforms serving diaspora communities are lower-profile targets than mainstream app stores, potentially receiving less scrutiny from both platform vendors and security researchers.
Affected systems and CVEs
- sqgame.net Android APKs (ybht.apk, sqybhs.apk)
- sqgame.net Windows desktop client (update packages from at least November 2024)
- BirdCall malware (seven identified versions; first observed October 2024)
No CVE assigned at the time of publication.
What to do
- Avoid downloading games or applications from sqgame.net. Use verified alternative sources such as official app stores (Google Play Store, Apple App Store).
- If you have downloaded games from sqgame.net, scan your Android device for the malicious APK files (ybht.apk, sqybhs.apk) and uninstall them immediately.
- For Windows users, ensure the sqgame.net desktop client is updated from official sources only. Verify that any recent update packages no longer contain trojanized DLLs.
- Monitor network traffic for communications to pCloud, Yandex Disk, and Zoho WorkDrive initiated by gaming applications or unfamiliar processes. Restrict or sandbox these services where possible.
- Implement application-level monitoring for behavioral indicators: screenshot capture, keystroke logging, clipboard theft, contact list exfiltration, and ambient audio recording on both Android and Windows systems.
- For organizations with users in the Yanbian region or among diaspora communities, conduct targeted awareness training on supply chain risks and the dangers of sideloading applications.
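One way to act on the network-monitoring advice above, as an added example that is not from the original report or from ESET: a small Python filter over constructed per-process egress log lines that flags connections to the cloud storage services named on this page (Dropbox included, from the "Why it matters" section) by processes outside an allow list, and marks Ruby/Python interpreters separately because the report notes such scripts in the infection chain. The host suffixes, the allow list and the log format are assumptions.

```python
import re

# Cloud storage services the report names as BirdCall C2 channels. Host suffixes are
# assumptions based on each service's public web/API hosts, not indicators from the report.
C2_CLOUD_SUFFIXES = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "pcloud": ("pcloud.com",),
    "yandex_disk": ("disk.yandex.ru", "disk.yandex.com", "cloud-api.yandex.net"),
    "zoho_workdrive": ("workdrive.zoho.com",),
}
# Processes expected to reach these services (hypothetical allow list; tune per environment).
ALLOWED_PROCS = {"dropbox.exe", "pcloud drive.exe", "chrome.exe"}
# Script interpreters: the report notes Ruby or Python scripts in the multistage chain.
INTERPRETERS = {"ruby.exe", "python.exe", "pythonw.exe", "ruby", "python", "python3"}
# Constructed per-process egress log format: <ts> host=<fqdn> proc=<image> pid=<n>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>.+?)\s+pid=(?P<pid>\d+)$")

def classify_host(host):
    # Return the cloud-storage service a host belongs to, or None for any other host.
    host = host.lower().rstrip(".")
    for service, suffixes in C2_CLOUD_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None

def find_suspicious(log_lines, allowed=ALLOWED_PROCS):
    # Flag cloud-storage connections made by processes outside the allow list.
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the expected format
        service = classify_host(m["host"])
        proc = m["proc"].lower()
        if service is None or proc in allowed:
            continue
        hits.append({
            "ts": m["ts"], "proc": m["proc"], "pid": int(m["pid"]), "host": m["host"],
            "service": service, "interpreter": proc in INTERPRETERS,
        })
    return hits

# Constructed sample lines (not real telemetry): a game client and two interpreters reaching
# cloud storage are flagged; the Dropbox sync client, a browser and the game's own host are not.
SAMPLE_LOG = """\
2025-10-02T10:31:07Z host=api.pcloud.com proc=sqgame_client.exe pid=4412
2025-10-02T10:31:09Z host=cloud-api.yandex.net proc=ruby.exe pid=5120
2025-10-02T10:32:00Z host=workdrive.zoho.com proc=python.exe pid=5188
2025-10-02T10:32:15Z host=content.dropboxapi.com proc=Dropbox.exe pid=1900
2025-10-02T10:33:40Z host=update.sqgame.net proc=sqgame_client.exe pid=4412
2025-10-02T10:34:01Z host=api.pcloud.com proc=chrome.exe pid=2201
"""
```

Run `find_suspicious(SAMPLE_LOG.splitlines())` to see the three flagged entries; feed it real per-process egress logs after adapting `LOG_RE` to your telemetry format.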
Open questions
- When exactly was sqgame.net initially breached, and what attack vector was used?
- For how long were the poisoned Android APKs distributed before discovery in October 2025?
- What is the exact duration of Windows DLL trojanization beyond the confirmed "at least November 2024" period?
- How many users have been infected, and what is the confirmed scope of affected devices?
- Has the sqgame.net website been fully remediated, or are malicious files still being distributed?
- Are there additional Android or iOS applications on the platform that may have been compromised?
Source
ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows