ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games
Analysis Summary
# Threat Actor: ScarCruft
## Attribution & Identity
ScarCruft is a North Korea-aligned Advanced Persistent Threat (APT) group that has been operational since at least 2012. The group is widely believed to be a state-sponsored espionage unit acting in the interests of the Democratic People's Republic of Korea (DPRK).
**Known Aliases:**
* APT37
* Reaper
## Activity Summary
ESET researchers identified an ongoing multiplatform supply-chain attack (likely active since late 2024 through mid-2025) targeting the **sqgame** gaming platform. The group compromised the platform’s official website to distribute trojanized versions of Windows and Android games.
* **Windows Campaign:** Legitimate updates were compromised to deploy the **RokRAT** backdoor, which subsequently dropped the more advanced **BirdCall** backdoor.
* **Android Campaign:** Popular games like "Yanbian Red Ten" and "New Drawing" were trojanized with a newly discovered Android port of the BirdCall backdoor.
## Tactics, Techniques & Procedures
ScarCruft uses a multi-stage loading chain that relies on scripting runtimes such as Ruby or Python and on host-specific encryption of its payloads.
**Specific TTPs (MITRE ATT&CK):**
* **Supply Chain Compromise [T1195.002]:** Compromising the gaming platform `sqgame[.]net` to distribute backdoors.
* **Discovery:**
    * [T1422] Local Network Configuration Discovery (IMEI, IP, MAC).
    * [T1426] System Information Discovery (OS version, root status, battery temp).
* **Collection:**
    * [T1429] Audio Capture (Microphone recording).
    * [T1513] Screen Capture (Screenshots).
    * [T1636.002/.003/.004] Collection of Call Logs, Contacts, and SMS.
    * [T1533] Data from Local System (Stealing .doc, .pdf, .hwp, and .p12 private keys).
* **Command and Control:**
    * [T1481.002] Web Service: Bidirectional Communication via legitimate cloud services.
    * [T1102] Ability to use Dropbox, pCloud, or Zoho WorkDrive for C2.
## Targeting
* **Sectors:** Government, military, and various industries linked to North Korean strategic interests; commercial gaming platforms.
* **Geography:** Primarily South Korea, China (Yanbian region), and other Asian countries.
* **Victims:** Specifically targeting ethnic Koreans living in the Yanbian region of China and North Korean refugees/defectors.
## Tools & Infrastructure
* **Malware:**
    * **BirdCall (Windows & Android):** A high-capability backdoor for espionage.
    * **RokRAT:** A long-standing ScarCruft backdoor used as a secondary stage.
* **Infrastructure:**
    * **Official Website:** `https://www.sqgame[.]net` (Compromised source).
    * **Cloud C2:** `Zoho WorkDrive`, `Dropbox`, `pCloud`.
    * **IP Services:** `ipinfo[.]io` (for location tracking).
## Implications
This campaign demonstrates ScarCruft's increasing technical maturity in porting Windows-based espionage tools to mobile platforms (Android) to ensure persistent surveillance of targets who may rely on mobile devices. The focus on the Yanbian region indicates a strategic priority to monitor North Korean defectors and those facilitating their movement through China. The use of supply-chain attacks on niche software suggests the group effectively targets specific communities where trust in local digital platforms is high.
## Mitigations
* **Supply Chain Integrity:** Organizations providing software should implement code-signing and integrity checks to ensure binaries have not been replaced.
* **App Verification:** Android users should avoid side-loading APKs from third-party websites, install apps only from official stores, and use a mobile security solution to scan for trojanized apps.
* **Cloud Service Monitoring:** Defenders should monitor for unusual traffic to legitimate cloud storage providers (Zoho, pCloud, Dropbox) from unauthorized processes or system directories.
* **Data Protection:** Use mobile device management (MDM) to restrict non-essential applications' access to sensitive data such as SMS and call logs.
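The cloud service monitoring point above, as an added example that is not ESET's or the report's own detection logic: a Python check over constructed Sysmon-style process/destination records that flags traffic to Dropbox, pCloud or Zoho from system directories, from the scripting hosts the loading chain relies on, or from any process other than an assumed allowlisted sync client. The domain list, the client allowlist and the sample log lines are assumptions to tune per environment.

```python
import re
# Constructed example, not ESET's detection logic. Cloud storage domains the
# report names as C2 channels; the API subdomains are an assumed starting set.
CLOUD_DOMAINS = {"dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox", "pcloud.com": "pCloud",
                 "zoho.com": "Zoho WorkDrive", "zohoapis.com": "Zoho WorkDrive"}
# Processes expected to talk to each provider (assumed allowlist; tune per fleet).
EXPECTED = {"Dropbox": {"dropbox.exe"}, "pCloud": {"pcloud drive.exe"},
            "Zoho WorkDrive": {"zohoworkdrive.exe"}}
# System dirs no sync client should run from; script hosts match the Ruby/Python chains described.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\programdata\\")
SCRIPT_HOSTS = {"ruby.exe", "python.exe", "pythonw.exe", "wscript.exe"}
LINE_RE = re.compile(r'image="(?P<image>[^"]+)"\s+dest=(?P<dest>\S+)')

def provider_for(host):
    """Suffix-match the destination host against the cloud storage domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if (dom := ".".join(labels[i:])) in CLOUD_DOMAINS:
            return CLOUD_DOMAINS[dom]
    return None

def classify(image, dest):
    """Return why this connection is suspicious, or None if it looks benign."""
    if (provider := provider_for(dest)) is None:
        return None
    exe = image.rsplit("\\", 1)[-1].lower()
    if image.lower().startswith(SYSTEM_DIRS):
        return f"{provider} traffic from system directory: {image}"
    if exe in SCRIPT_HOSTS:
        return f"{provider} traffic from scripting host: {exe}"
    if exe not in EXPECTED[provider]:
        return f"{provider} traffic from unexpected process: {exe}"
    return None

def scan(lines):
    """Return (line_no, reason) for each suspicious network-connection record."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if m and (reason := classify(m["image"], m["dest"])):
            alerts.append((n, reason))
    return alerts

# Constructed sample records in a Sysmon-style image/destination form.
SAMPLE_LOG = [
    'image="C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe" dest=client.dropbox.com',
    'image="C:\\Windows\\Temp\\svchost.exe" dest=content.dropboxapi.com',
    'image="C:\\Users\\user\\AppData\\Local\\rb\\ruby.exe" dest=eapi.pcloud.com',
    'image="C:\\Program Files\\Game\\sqgame.exe" dest=workdrive.zoho.com',
]
```

Running `scan(SAMPLE_LOG)` leaves the official Dropbox client alone and raises one alert each for the system-directory binary, the Ruby interpreter and the game executable.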