- North Korean gang APT37 (ScarCruft) compromised a Yanbian gaming platform to deliver the BirdCall backdoor
- On Windows, it allowed data theft and command execution; on Android it exfiltrated contacts, messages, media and ambient sound
- The malware is actively maintained, with Android versions still hosted, targeting ethnic Koreans and defectors in China.
North Korean state-sponsored threat actors are apparently targeting their compatriots living in (or passing through) China with advanced Android backdoors on gaming platforms.
ESET security researchers report having observed an advanced supply chain attack that likely began in late 2024. The threat actors, most likely ScarCruft (also known as APT37, or Reaper), managed to compromise SQgame, a cross-platform gaming service designed specifically for residents of Yanbian.
Yanbian Korean Autonomous Prefecture is an autonomous prefecture in Jilin Province of China. It is located near the border with North Korea and Russia and was created to give administrative autonomy to the large ethnic Korean population living there. According to ESET, Yanbian is also a key crossing point for North Korean refugees and defectors, which could be one of the reasons it is being targeted.
BirdCall malware
“In the attack, likely underway since late 2024, ScarCruft compromised the Windows and Android components of a video gaming platform dedicated to Yanbian-themed games, Trojanizing them with a backdoor,” ESET said.
The backdoor is called BirdCall and, depending on the platform it is installed on, can do different things. On Windows, it can grab screenshots, record keystrokes, steal clipboard contents, execute shell commands, and exfiltrate data. All stolen information is then uploaded to legitimate cloud services such as Dropbox or pCloud.
On Android, things are a little different, allowing ScarCruft to also exfiltrate contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio. So far, the malware has been updated seven times, leading researchers to believe that it is being actively maintained.
ESET says the platform still hosts malicious games. However, these seem limited to the Android platform.