ScarCruft Targets Users With Malware Hidden in Gaming Apps

A state-sponsored hacking group tied to North Korea, known as ScarCruft, has been linked to a supply chain attack involving a gaming platform, where attackers secretly embedded spyware into game components to monitor targeted users.

Security researchers from ESET say the campaign focuses on a gaming website used by ethnic Koreans living in China, particularly in the Yanbian region near the North Korean border.

Targeted Espionage Through Gaming Apps

The attackers compromised a platform known as sqgame.net and distributed infected versions of its games, which contained a backdoor called BirdCall.

Unlike earlier campaigns that mainly targeted Windows systems, this operation expands the threat to Android devices, making it a multi-platform surveillance effort.

Researchers believe this is a deliberate move, as the group has a history of targeting sensitive individuals such as North Korean defectors, activists, and academics.

How the Attack Works

The attack involves modifying legitimate software downloads to include hidden malware. Once installed, the malicious code runs silently in the background.

On Windows systems, the infection chain can involve multiple stages, including scripts that eventually load the backdoor. In some cases, compromised update packages were used to deliver malicious files that download additional payloads.

On Android, infected app packages (APKs) were distributed directly through the platform’s download pages, exposing users who installed them.

What BirdCall Can Do

The BirdCall malware is an advanced spying tool with capabilities that include:

  • Capturing screenshots
  • Recording keystrokes
  • Stealing clipboard data
  • Executing remote commands
  • Collecting files and system information

On Android devices, it goes even further by accessing:

  • Contacts and call logs
  • SMS messages
  • Media files and documents
  • Ambient audio recordings

Use of Legitimate Cloud Services

To stay hidden, the malware communicates with its operators through trusted cloud platforms such as Dropbox, pCloud, and Zoho WorkDrive. This makes detection more difficult, because the command-and-control traffic blends in with legitimate use of those services.

Ongoing Activity and Evolution

Researchers say the malware has been evolving over time, with multiple versions identified since late 2024. Some earlier versions were based on tools like RokRAT, but BirdCall has developed into a more advanced and independent threat.

Interestingly, only Android game downloads on the platform were found to be actively infected at the time of analysis, while other versions remained unaffected.

Why This Matters

This attack highlights the growing risk of supply chain compromises, where trusted platforms are used to distribute malware. Users downloading apps from seemingly legitimate sources can unknowingly expose themselves to surveillance.

Given the targeted nature of the campaign, the operation appears focused on intelligence gathering rather than widespread disruption.

Recommended Action

Users should avoid downloading apps from untrusted or unofficial sources and verify the integrity of software before installation. Organizations should also monitor for unusual activity, especially involving cloud-based communications that could indicate hidden malware.
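One way to act on the last recommendation, as an added example that is not part of the original article or ESET's research: since BirdCall's traffic goes to cloud services that look legitimate on the wire, the useful signal on an endpoint is which process opens the connection. The API hostnames, the expected client process names and the log format below are all assumptions to tune for your own environment.

```python
import re

# Assumed API hostnames for the three services named in the article (tune per environment).
CLOUD_API_DOMAINS = {
    "dropbox": ("api.dropboxapi.com", "content.dropboxapi.com"),
    "pcloud": ("api.pcloud.com", "eapi.pcloud.com"),
    "zoho_workdrive": ("workdrive.zoho.com", "www.zohoapis.com"),
}
# Assumed allow-list of process images that are expected to use each service.
EXPECTED_PROCESSES = {
    "dropbox": {"dropbox.exe"},
    "pcloud": {"pcloud.exe"},
    "zoho_workdrive": {"zohoworkdrive.exe"},
}
# Constructed log format: "<ts> host=<name> proc=<image> dst=<hostname>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$")


def classify_destination(hostname):
    """Return the cloud service a destination hostname belongs to, or None."""
    hostname = hostname.lower()
    for service, domains in CLOUD_API_DOMAINS.items():
        if hostname in domains:
            return service
    return None


def find_unexpected_cloud_clients(lines):
    """Return records where a process outside the allow-list reaches a cloud storage API."""
    # The destination alone is not suspicious (trusted SaaS over TLS); the process is the signal.
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and report these
        service = classify_destination(m["dst"])
        if service is None:
            continue
        proc = m["proc"].lower()
        if proc not in EXPECTED_PROCESSES[service]:
            hits.append({"ts": m["ts"], "host": m["host"], "proc": proc,
                         "service": service, "dst": m["dst"]})
    return hits


# Constructed sample telemetry; hostnames, process names and times are invented.
SAMPLE_LOGS = [
    "2025-01-15T09:12:03Z host=WS-017 proc=dropbox.exe dst=api.dropboxapi.com:443",
    "2025-01-15T09:12:41Z host=WS-017 proc=rundll32.exe dst=content.dropboxapi.com:443",
    "2025-01-15T09:13:05Z host=WS-022 proc=chrome.exe dst=www.example.com:443",
    "2025-01-15T09:14:19Z host=WS-022 proc=powershell.exe dst=api.pcloud.com:443",
    "2025-01-15T09:15:00Z host=WS-031 proc=launcher.exe dst=workdrive.zoho.com:443",
    "2025-01-15T09:16:30Z host=WS-031 proc=zohoworkdrive.exe dst=www.zohoapis.com:443",
]
```

Running `find_unexpected_cloud_clients(SAMPLE_LOGS)` on the constructed lines flags the rundll32, powershell and launcher connections while the sanctioned clients pass. Expect false positives from browsers and backup tools until the allow-list reflects what your users actually run.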
