ScarCruft trojanizes Yanbian game site to deliver BirdCall

North Korea-linked ScarCruft trojanized sqgame.net to serve poisoned Android APKs and a trojanized Windows update carrying BirdCall since late 2024.
ScarCruft, a hacking group linked to North Korea, trojanized the Yanbian-focused gaming platform sqgame.net to distribute BirdCall backdoors through poisoned Android apps and a compromised Windows update. The activity began in late 2024, according to ESET.
ESET reported that the attackers modified two Android download URLs on the site, sqgame.com.cn/ybht.apk and sqgame.com.cn/sqybhs.apk, so that they served malicious APKs. A trojanized Windows DLL was also bundled into at least one client update package as of November 2024.

BirdCall is an evolution of the RokRAT malware family and is delivered in a multistage chain that can start with a Ruby or Python script. ESET’s report noted the malware uses components encrypted with a computer-specific key.
The Android variant available on the game site collects contact lists, SMS messages, call logs, media files, documents, screenshots and ambient audio. The modified Windows DLL checks for analysis tools and virtual machines before downloading and executing shellcode that fetches RokRAT and installs BirdCall.
Researchers identified seven BirdCall versions, the earliest dating to October 2024. The actors used mainstream cloud storage services for command-and-control, including Dropbox, pCloud, Yandex Disk and Zoho WorkDrive.
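The cloud-storage command-and-control described above is the part of this campaign a defender can hunt for without any sample in hand: a scripting host or unsigned binary talking to a consumer file-sync API is unusual on most managed endpoints. The following is an added example, not code from ESET's report or from the article, that scans proxy or EDR network logs for non-browser processes reaching the public API hostnames of the four services named. The hostname list, the allowlisted process names and the log format are assumptions for illustration, and the log lines are constructed, not real telemetry.

```python
# Added example (not from ESET's report or the article): flag non-browser
# processes that contact consumer cloud-storage APIs, the C2 pattern the article
# attributes to BirdCall. The hostnames are the services' public API endpoints
# as assumed here; tune them and the process allowlist for your environment.
import re
from collections import defaultdict

# Assumed API hostnames for the services named in the report.
CLOUD_STORAGE_API_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
    "www.zohoapis.com": "Zoho WorkDrive",
}

# Processes for which cloud-storage traffic is expected (assumed allowlist).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Constructed log format: "<timestamp> user=<host> proc=<image> dst=<hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, min_hits=1):
    """Group cloud-storage API connections by (user, process), dropping
    allowlisted processes. Returns {(user, proc): [(service, dst), ...]}
    for groups with at least min_hits connections."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed lines rather than crash the hunt
        service = CLOUD_STORAGE_API_HOSTS.get(rec["dst"].lower())
        if service is None:
            continue  # not a cloud-storage API endpoint
        proc = rec["proc"].lower()
        if proc in EXPECTED_PROCESSES:
            continue  # browser or official sync client: expected traffic
        hits[(rec["user"], proc)].append((service, rec["dst"]))
    return {key: events for key, events in hits.items() if len(events) >= min_hits}


SAMPLE_LOGS = [  # constructed sample input, not real telemetry
    "2024-11-05T09:12:01Z user=ws-22 proc=chrome.exe dst=content.dropboxapi.com",
    "2024-11-05T09:15:44Z user=ws-22 proc=powershell.exe dst=api.pcloud.com",
    "2024-11-05T09:15:49Z user=ws-22 proc=powershell.exe dst=cloud-api.yandex.net",
    "2024-11-05T09:20:03Z user=ws-07 proc=dropbox.exe dst=api.dropboxapi.com",
    "2024-11-05T09:22:17Z user=ws-07 proc=ruby.exe dst=workdrive.zoho.com",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for (user, proc), events in find_suspicious(SAMPLE_LOGS).items():
        services = sorted({service for service, _ in events})
        print(f"{user} {proc}: {len(events)} cloud-storage API connections to {services}")
```

Raising min_hits to two or more suppresses one-off lookups and keeps the beaconing pattern, in which a single process returns to the same API repeatedly; the ruby.exe hit is kept in the sample to mirror the Ruby-scripted loader stage the report describes, but any interpreter or unsigned binary in this position deserves a look.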
ESET’s report includes the observation:
BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key.
The report adds:
The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings.
Sqgame.net hosts Yanbian-themed games and serves ethnic Koreans in China's Yanbian region, which borders North Korea along the Tumen River and is a transit point for North Korean defectors who cross it. ScarCruft has previously targeted defectors, human rights activists and academics.
At the time of analysis, only the Android APKs on the platform were found to be poisoned; the Windows desktop client and the iOS games were not. The Windows update that had delivered the modified DLL was clean by the time of analysis. Investigators were unable to determine when the site was first breached or for how long the poisoned APKs were distributed.