A video game platform used by ethnic Koreans living along China's border with North Korea has been compromised. The attackers? A North Korean state-sponsored hacking group known as ScarCruft.
The ScarCruft supply chain attack video game platform campaign targeted sqgame[.]net, a gaming platform popular in the Yanbian region of China. This area borders North Korea and Russia and is known as a primary transit point for North Korean defectors crossing the Tumen River.
According to cybersecurity firm ESET, the ScarCruft supply chain attack video game platform trojanized both Windows and Android components of the platform with a backdoor called BirdCall. The campaign is believed to have been ongoing since late 2024.
Why Target This Platform?
The ScarCruft supply chain attack video game platform specifically targeted sqgame[.]net because of its user base. The platform features Yanbian-themed games and is used by ethnic Koreans living in China.
ScarCruft has a long history of targeting North Korean defectors, human rights activists, and university professors. The ScarCruft supply chain attack video game platform fits this pattern perfectly. The attackers are likely trying to monitor or infiltrate ethnic Koreans in China, including potential defectors.
BirdCall: The Multi-Platform Backdoor
The ScarCruft supply chain attack video game platform delivered a backdoor called BirdCall. This malware is an advanced evolution of RokRAT, a well-known ScarCruft tool.
Windows versions of BirdCall have been detected since 2021. However, the ScarCruft supply chain attack video game platform marks the first time BirdCall has been used to target Android devices, turning it into a genuine multi-platform threat.
BirdCall includes a comprehensive selection of espionage features including the following:
1. Ability to take screenshots remotely
2. Functionality for recording keystrokes remotely
3. Capability to steal clipboard contents remotely
4. Support for executing commands on remote systems via the shell
5. Functionality for collecting and exfiltrating data remotely
Like its predecessor RokRAT, BirdCall relies on legitimate cloud services for command-and-control (C2) communications. The ScarCruft supply chain attack video game platform uses Dropbox and pCloud to hide malicious traffic among legitimate cloud storage activity.
The RokRAT Family Tree
BirdCall is part of a continually evolving family of malware by ScarCruft. The video game platform for ScarCruft's supply chain attacks provides a way for the organisation to maintain and develop their toolset.
1. RokRAT - Windows backdoor that has been active for a number of years
2. CloudMensis - macOS version of RokRAT
3. RambleOn - Android version of RokRAT
4. BirdCall - More advanced Windows and Android version
The ScarCruft supply chain attack video game platform shows that the group continues to actively maintain all variants. Each platform gets regular updates and new capabilities.
How the Windows Attack Worked
The ScarCruft supply chain attack video game platform compromised the Windows desktop client through a trojanized DLL. The malicious update package has been active since at least November 2024.
The modified DLL contained a downloader that performs environment checks before deploying the real payload. The ScarCruft supply chain attack video game platform checks the list of running processes for:
1. Analysis tools (debuggers, disassemblers)
2. Virtual machine environments (sandboxes, VMWare, VirtualBox)
If the environment checks pass, the ScarCruft supply chain attack video game platform downloads and executes shellcode containing RokRAT. The RokRAT backdoor then fetches and installs BirdCall on the infected Windows host.
The update package is no longer malicious at the time of this writing. However, the ScarCruft supply chain attack video game platform operated for an unspecified period with active backdoors.
How the Android Attack Worked
The ScarCruft supply chain attack video game platform targeted Android users more directly. The attackers poisoned the Android APKs available for download from sqgame[.]net.
Two specific Android game download pages were altered to serve malicious APKs:
1. sqgame.com[.]cn/ybht.apk
2. sqgame.com[.]cn/sqybhs.apk
The ScarCruft supply chain attack video game platform only poisoned the Android APKs. The Windows desktop client and iOS games remained intact. This selective targeting suggests the attackers specifically wanted mobile access to victims.
The Android variant of BirdCall incorporates a subset of its Windows counterpart's capabilities.
The ScarCruft supply chain attack video game platform Android backdoor collects:
1. Contact Lists
2. Text Message Texts
3. History of Phone Calls
4. Media Files (Photos and Videos)
5. Documents
6. Screenshots
7. Listening to You to the Ambient Audio Through the Microphone (Using Your Phone’s Microphone).
Android BirdCall Evolution
The Android backdoor/BirdCall has been updated consistently over time and has experienced ongoing development. ESET has identified nine distinct versions of BirdCall since its initial version was discovered in October 2024.
Each version added or refined capabilities. The ScarCruft supply chain attack video game platform operators clearly invested time in making the Android backdoor more effective.
Like the Windows version, Android BirdCall relies on legitimate cloud storage services for C2 communications.
The ScarCruft supply chain attack video game platform uses:
1. pCloud
2. Yandex Disk
3. Zoho WorkDrive
Zoho WorkDrive has become an increasingly common C2 platform across multiple cyber espionage campaigns. The ScarCruft supply chain attack video game platform joins a growing list of threat actors abusing legitimate cloud storage.
Multi-Stage Loading Chain
The ScarCruft supply chain attack video game platform uses a sophisticated multi-stage loading chain to deliver BirdCall.
ESET explained: "BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key."
This approach makes the ScarCruft supply chain attack video game platform harder to detect. Each component is encrypted differently. The decryption key varies by computer. Static analysis tools cannot easily extract the full payload.
Who Is at Risk?
The ScarCruft supply chain attack video game platform specifically targets users of sqgame[.]net. However, the implications are broader.
1. Primary targets: Ethnic Koreans living in the Yanbian region of China. These individuals are of direct interest to North Korean intelligence.
2. Secondary targets: North Korean defectors and their support networks. The ScarCruft supply chain attack video game platform could be used to identify or monitor defectors.
3. Collateral targets: Anyone who downloaded games from sqgame[.]net between late 2024 and the discovery of the compromise.
The ScarCruft supply chain attack video game platform shows that North Korean hackers are willing to compromise entire gaming platforms to reach their targets. No one using the platform was safe.
Timing of the Attack
The ScarCruft supply chain attack video game platform timeline is still being pieced together.
October 2024 – First Android BirdCall version appears
Late 2024 – Website likely breached; poisoned APKs begin distribution
November 2024 – Trojanized Windows DLL active
2025 – Campaign discovered and analyzed by ESET
The ScarCruft supply chain attack video game platform operated for months before detection. The Windows update package is no longer malicious, but the Android APKs may still pose a risk depending on when users downloaded them.
Why Supply Chain Attacks Are Dangerous
The ScarCruft supply chain attack video game platform is a textbook supply chain compromise.
Instead of phishing individual targets, the attackers compromised a trusted platform. Users who downloaded games from sqgame[.]net willingly installed the backdoors. They had no reason to suspect the software they had used for years was suddenly malicious.
The ScarCruft supply chain attack video game platform approach is efficient. One compromise infects many victims. The attackers do not need to convince each target individually. They simply wait for victims to come to them.
How to Protect Yourself
If you have used sqgame[.]net or downloaded games from the platform, take action immediately.
1. Assume compromise. If you downloaded any game from sqgame[.]net between late 2024 and now, assume your Windows PC or Android device is infected with the ScarCruft supply chain attack video game platform backdoor.
2. Scan with updated security software. Install a good antivirus or an EDR tool you trust. You should be able to identify ScarCruft supply chain attack/malware via an updated security tool
3. Monitor your cloud storage accounts for any unusual activity. For the purpose C2, BirdCall will use pCloud, Yandex Disk and Zoho WorkDrive as storage services. Therefore, you'll want to keep an eye on your accounts and ensure no unexpected traffic or connections.
4. Factory reset Android devices. If you installed a poisoned APK from sqgame[.]net, the safest option is a full factory reset. The ScarCruft supply chain attack video game platform Android backdoor may resist standard removal.
5. Reinstall Windows from trusted media. For Windows infections, a clean operating system reinstall is the only guarantee of removal. The ScarCruft supply chain attack video game platform uses encrypted components that may evade antivirus.
Final Thoughts
The ScarCruft supply chain attack video game platform is a reminder that North Korean hackers are patient, persistent, and clever. They do not just send phishing emails. They compromise entire gaming platforms. They wait months. They deploy backdoors on both Windows and Android.
The ScarCruft supply chain attack video game platform specifically targeted ethnic Koreans in China and North Korean defectors. But the technique could easily be adapted to other platforms, other regions, and other targets.
If you run a platform that serves a specific community, ask yourself: has someone already compromised your software distribution? The ScarCruft supply chain attack video game platform case suggests the answer might be yes.
FAQ Section
Q1: What is the ScarCruft supply chain attack video game platform?
The ScarCruft supply chain attack video game platform is a North Korean state-sponsored hacking campaign that compromised sqgame[.]net, a gaming platform for ethnic Koreans in China. Attackers trojanized Windows and Android components with the BirdCall backdoor.
Q2: What does BirdCall malware do?
BirdCall is a multi-platform backdoor that captures screenshots, logs keystrokes, steals clipboard content, executes shell commands, and exfiltrates data. The Android version also collects contacts, SMS messages, call logs, media files, documents, and ambient audio recordings.
Q3: Who is at risk from this supply chain attack?
The ScarCruft supply chain attack video game platform primarily targets ethnic Koreans in China's Yanbian region and North Korean defectors. However, anyone who downloaded Windows games or Android APKs from sqgame[.]net between late 2024 and the discovery of the compromise is at risk.
Q4: When did the ScarCruft supply chain attack become active?
It is believed that the ScarCruft supply chain attack on video game systems was launched as early as October 2024. A malicious Windows update package was used at least since November 2024 as a way to deliver malware to user devices that used those updates. At some point after October 2024, ScarCruft also posted "poisoned" android APKs to online store repositories to spread malware. The ScarCruft campaign operated for a number of months before its activity was detected.
Q5: Does BirdCall have an impact on iOS users?
No. The digital video game platform, "ScarCruft Supply Chain Attack," was able to attack only Windows desktop clients and Android APKs. All iOS games hosted on sqgame[.]net remain unaffected by the Poisoning of the Supply Chain Attack. Nevertheless, iOS end-users should still be cautious regarding downloads made through compromised application stores.