ScarCruft Supply Chain Attack Deploys BirdCall Backdoor on Android and Windows

The North Korea-aligned threat actor known as ScarCruft (also tracked as APT37, InkySquid, and Reaper — a state-sponsored hacking group assessed to operate under North Korea's Reconnaissance General Bureau) has compromised a video game platform to conduct a supply chain espionage attack against ethnic Korean communities in China. Researchers at ESET discovered that ScarCruft trojanized both the Windows and Android components of sqgame[.]net, a gaming platform serving ethnic Koreans living in China's Yanbian region (a Korean autonomous prefecture bordering North Korea and Russia), deploying a multi-platform backdoor called BirdCall. The campaign is assessed to have been running since at least late 2024.

Attack Chain: Supply Chain Compromise

Supply chain attacks (intrusion campaigns in which attackers compromise a software distribution channel — an app store, update server, or download website — to deliver malware to users who trust that channel) have become a favored vector for state-sponsored actors because they bypass the target's own security controls. Rather than phishing individual targets, ScarCruft compromised sqgame[.]net at the distribution level, so any user who downloaded or updated the platform's software received a trojanized (maliciously modified) installer.

According to ESET's research, ScarCruft modified both Windows executable components and the Android APK (Android Package — the installation file format for Android applications) distributed through the platform's website. The Windows backdoor is a version of BirdCall that predates the Android component; ESET assesses that the Android capability was developed around October 2024, with at least seven versions created and deployed over the following months.

The choice of target is strategically deliberate. The Yanbian Korean Autonomous Prefecture population represents a diaspora community of interest to North Korean intelligence for several reasons: individuals in the region often maintain family and business connections across the China–North Korea border, may possess information about movement of personnel and goods, and represent a recruitment or influence target for North Korean state operations.

BirdCall: Capabilities and Technical Profile

BirdCall is a full-featured surveillance backdoor designed for long-term, stealthy intelligence collection. ESET's analysis documents the following capabilities across the Windows and Android variants:

Windows variant (BirdCall for Windows):

  • Screenshot capture at configurable intervals
  • Keystroke logging (recording every key pressed on the device)
  • Clipboard content theft (capturing text copied to the Windows clipboard, which frequently includes passwords, authentication tokens, and sensitive communications)
  • Shell command execution (running arbitrary operating system commands on the infected host)
  • Data exfiltration of documents, credentials, and browser data

Android variant (BirdCall for Android):

  • Contact list extraction
  • SMS message interception (including OTPs — One-Time Passwords sent via SMS for two-factor authentication)
  • Call log collection
  • Media file exfiltration (photos, videos, audio recordings stored on the device)
  • Document collection
  • Screenshot capture
  • Ambient audio recording (activating the device microphone to record the surrounding environment)

The ambient audio recording capability is a significant escalation from standard mobile spyware. Combined with the device's location services and contact list, it enables comprehensive real-time surveillance of a target's physical environment — not just their digital communications.

BirdCall communicates with attacker-controlled command-and-control (C2) infrastructure using encrypted channels, making it resistant to passive network monitoring. ESET has not published the full C2 infrastructure indicators at time of writing.

Exploitation Status and Threat Landscape

ScarCruft is a persistent, well-resourced threat actor with a documented history of targeting Korean diaspora communities, South Korean government entities, journalists covering North Korean affairs, and human rights organizations. The group has been active since at least 2012 and is assessed by multiple Western intelligence agencies to be a component of North Korea's foreign intelligence apparatus.

Prior ScarCruft campaigns have used:

  • Watering hole attacks (compromising websites visited by target communities)
  • Spear-phishing with Korean-language lures
  • RokRAT (a Windows backdoor also attributed to the group)
  • Exploitation of known vulnerabilities (CVEs) in Internet Explorer, Adobe Flash, and Hangul Word Processor (a word processor widely used in South Korea)

This campaign is notable for two reasons: the extension to Android (BirdCall was previously Windows-only) and the supply chain delivery mechanism, which reaches targets without requiring them to click a phishing link or open a malicious attachment.

The targeting of ethnic Koreans in China rather than South Koreans suggests an intelligence collection priority focused on cross-border activities and networks, distinct from ScarCruft's more typical South Korean government and media targeting. This is consistent with North Korean intelligence priorities around monitoring diaspora communities that might support defectors or provide intelligence about conditions inside North Korea.

Who Is Affected

Direct victims are users who downloaded or updated software from sqgame[.]net between late 2024 and the present. The platform serves the Yanbian Korean community specifically; the user base is geographically concentrated in northeastern China.

However, the broader implication for security teams is not limited to Yanbian. Any organization or individual with:

  • Connections to Korean diaspora communities
  • Business relationships crossing the China–North Korea border region
  • Access to information of interest to North Korean intelligence

…should consider this an active threat signal and review mobile and endpoint security posture accordingly.

ESET's indicators of compromise (IOCs) for BirdCall are available in their published research and should be loaded into SIEM (Security Information and Event Management) platforms and EDR (Endpoint Detection and Response) tools for detection.

What You Should Do Right Now

  • Avoid installing software from sqgame[.]net. If you or users in your organization have installed software from this platform, treat those devices as potentially compromised pending investigation.
  • Submit sqgame[.]net for scanning. Use VirusTotal to check any files downloaded from this domain against current threat intelligence feeds.
  • Load BirdCall IOCs into your detection stack. ESET's published indicators are available via WeLiveSecurity. Add file hashes, C2 domains, and IP addresses to your threat hunting queries and SIEM rules.
  • Review Android MDM (Mobile Device Management) policies. If corporate devices or BYOD (Bring Your Own Device) phones are in scope, verify that sideloading (installing APKs from outside the official app store) is disabled or monitored.
  • Enable Google Play Protect. On Android devices, verify that Play Protect scanning is enabled — it provides baseline behavioral detection for sideloaded malicious apps.
  • Brief security teams on ScarCruft TTPs. The MITRE ATT&CK framework entries for APT37 (T1195 — Supply Chain Compromise; T1430 — Location Tracking; T1512 — Video Capture) provide structured context for detection rule development.

Background: Understanding the Risk

Supply chain attacks against software platforms targeting specific ethnic or linguistic communities have become a consistent element of North Korean cyber operations. The Lazarus Group's compromise of 3CX (a VoIP software provider) in 2023 demonstrated how a single supply chain compromise can cascade through an entire user population; the ScarCruft BirdCall campaign follows the same structural playbook applied to a smaller, geographically targeted community.

The multi-platform capability development visible in this campaign — at least seven Android BirdCall versions created between October 2024 and early 2026 — indicates sustained investment and operational refinement. This is not a proof-of-concept experiment; it is a mature, production-deployed intelligence collection capability that has been running for over a year.

For defenders, the supply chain delivery method creates a fundamental challenge: users who downloaded the software were doing exactly what they should do (installing software from an apparently legitimate source). Traditional indicators of phishing — suspicious sender addresses, unexpected file attachments — are absent. The defensive response must focus on behavioral detection (BirdCall's screenshot, clipboard, and audio-collection behaviors are anomalous for a gaming platform application) rather than perimeter blocking of the initial delivery.
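One way to put that behavioral focus to work at APK triage time, as an added example that is not from the original article or from ESET's research: a Python script that parses a decoded AndroidManifest.xml and flags permissions corresponding to the Android BirdCall capability list above (contacts, SMS, call logs, media, audio recording), which a game client has little reason to request. The permission map, the thresholds, and the sample manifest are constructed assumptions, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that enable the collection capabilities listed for the Android
# BirdCall variant. The mapping is a constructed triage baseline, not ESET's.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list extraction",
    "android.permission.READ_SMS": "SMS interception (incl. OTPs)",
    "android.permission.RECEIVE_SMS": "SMS interception (incl. OTPs)",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.RECORD_AUDIO": "ambient audio recording",
    "android.permission.READ_MEDIA_IMAGES": "media exfiltration",
    "android.permission.READ_EXTERNAL_STORAGE": "media/document exfiltration",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
}
# Any one of these alone is hard to justify for a game client.
HIGH_SIGNAL = {"android.permission.RECORD_AUDIO",
               "android.permission.READ_SMS",
               "android.permission.READ_CALL_LOG"}

def flag_surveillance_permissions(manifest_xml: str) -> dict:
    """Return {permission: capability} for each surveillance-capable
    permission declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name in SURVEILLANCE_PERMISSIONS:
            found[name] = SURVEILLANCE_PERMISSIONS[name]
    return found

def verdict(manifest_xml: str) -> str:
    """'review' if a high-signal permission or 3+ surveillance permissions
    are present, otherwise 'ok'. Thresholds are a constructed heuristic."""
    found = flag_surveillance_permissions(manifest_xml)
    if HIGH_SIGNAL & set(found) or len(found) >= 3:
        return "review"
    return "ok"

# Constructed sample manifest modelled on the capability list, not a real APK.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
```

Feed it the manifest text produced by an APK decoder (for example the decoded output of apktool) and route any "review" verdict to the analyst queue alongside the ESET IOC matches.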

The BleepingComputer coverage and Help Net Security analysis both confirm the ESET findings. Attribution to ScarCruft/APT37 is assessed with high confidence based on code overlaps with prior BirdCall Windows samples and consistent infrastructure patterns.

Conclusion

ScarCruft's BirdCall supply chain campaign represents a mature, long-running intelligence collection operation using a compromised gaming platform to deploy a full-featured surveillance backdoor on Android and Windows devices. The primary targeted population is ethnic Koreans in China's Yanbian region, but the TTPs and tools have broader implications for any organization tracking North Korean threat actor activity. The most important immediate action is treating any device that ran software from sqgame[.]net as compromised and loading ESET's published IOCs into active detection systems.