The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China.
While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.
According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia. The region is also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River.
The targeting of this platform is said to be a deliberate strategy given ScarCruft’s storied history of targeting North Korean defectors, human rights activists, and university professors.
“In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor,” the Slovakian cybersecurity company said in a report shared with The Hacker News ahead of publication.
Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors.
BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and data gathering. Like RokRAT, the malware relies on legitimate cloud services like Dropbox and pCloud for command-and-control (C2).
“BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key,” ESET said.
The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart’s functionality, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware’s lineage has unearthed seven versions, with the first dating back to October 2024.
Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net have been altered to serve the malicious APKs:
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
It’s currently not known when the website was breached and the poisoned APKs began to be distributed. However, it’s believed that the incident…
