Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The North Korean Cyber Espionage Threat: A Supply Chain Attack on Android and Windows



A state-sponsored hacking group aligned with North Korea has launched a complex supply chain attack that targets ethnic Koreans residing in China. The attack, which began in late 2024, compromised a video game platform called sqgame[.]net and deployed a backdoor called BirdCall on Android and Windows devices. With its multi-platform capabilities and its reliance on legitimate cloud services for command-and-control communications, this campaign poses a significant challenge to defenders.

  • ScarCruft, a state-sponsored hacking group aligned with North Korea, has been involved in a complex supply chain attack.
  • The attack compromised a video game platform called sqgame[.]net and deployed a backdoor called BirdCall on Android and Windows devices.
  • BirdCall is a variant of the RokRAT malware family with features like screenshot capture, keystroke logging, and data gathering.
  • The attack enabled ScarCruft to target not only Windows users but also Android devices, turning it into a multi-platform threat.
  • The malware used legitimate cloud services like Dropbox and pCloud for command-and-control communications.
  • The threat actor's primary goal is to target North Korean defectors, human rights activists, and university professors.
  • The attack was discovered in late 2024; the trojanized update package of the Windows desktop client has been delivered since at least November 2024.


ScarCruft, a state-sponsored hacking group aligned with North Korea, has been involved in a complex supply chain attack that targets ethnic Koreans residing in China. The attack, which is believed to have begun in late 2024, compromised a video game platform called sqgame[.]net and deployed a backdoor called BirdCall on Android and Windows devices.

BirdCall was found to be a variant of the RokRAT malware family, which has been detected in the wild since 2021. The new variant incorporates features typically present in a backdoor, including screenshot capture, keystroke logging, clipboard content theft, shell command execution, and data gathering. Additionally, BirdCall relies on legitimate cloud services such as Dropbox and pCloud for command-and-control (C2) communications.

The supply chain attack enabled ScarCruft to target not only Windows users but also Android devices, turning it into a multi-platform threat. The Android variant of BirdCall implements a subset of its Windows counterpart's functionality and is able to collect contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio.

ESET, a Slovakian cybersecurity company, reported that the campaign has singled out sqgame[.]net as a primary, high-risk transit point for North Korean defectors crossing the Tumen River. The targeting of this platform is said to be a deliberate strategy given ScarCruft's long history of targeting North Korean defectors, human rights activists, and university professors.

Furthermore, an update package of the Windows desktop client was found to have delivered a trojanized DLL since at least November 2024. The modified DLL includes a downloader that checks the list of running processes for analysis tools and virtual machine environments before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on infected hosts.

The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications, including pCloud, Yandex Disk, and Zoho WorkDrive, which researchers take as a sign of the threat actor's continued development of the malware and its surveillance capabilities.

In conclusion, ScarCruft's supply chain attack on sqgame[.]net has revealed a sophisticated multi-platform threat that targets not only Windows users but also Android devices. Because the C2 traffic blends into legitimate cloud-service connections, the threat actor's presence is difficult to detect. As researchers continue to analyze the malware and its tactics, it is essential to stay vigilant and take the necessary precautions to protect against this emerging threat.
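The article notes that BirdCall hides its C2 traffic inside connections to legitimate cloud storage services (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive), which defeats simple domain blocklisting. One detection approach that does not depend on the destination being malicious is beaconing analysis: a backdoor polls its cloud mailbox on a fixed schedule, so the inter-request gaps from one host to one service are unusually regular. The script below is an added example written for this page, not code from ESET or from the article; the proxy log format, the sample log lines, the placeholder hostnames (`*.example`) and the thresholds (`min_hits`, `max_cv`) are all constructed assumptions, and the service list is matched as a brand keyword in the destination hostname.

```python
"""Beaconing detection over proxy logs for cloud-storage C2 (added example).

Assumptions, not taken from the article: the log line format below is
constructed, the hostnames are placeholders, and the thresholds are
illustrative defaults that a SOC would tune against its own baseline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud storage services the article names as C2 channels; matched as a
# substring of the destination hostname (assumption: the brand is in the name).
CLOUD_STORAGE_KEYWORDS = ("dropbox", "pcloud", "yandex", "zoho")

# Constructed sample proxy log: "<ISO timestamp> <src_ip> <dest_host> <user_agent>".
# 10.0.0.5 polls a storage API every ~5 minutes (beacon-like); 10.0.0.7 makes a
# few irregular requests (normal user); 10.0.0.9 never touches cloud storage.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.5 api.dropbox.example Mozilla/5.0
2025-01-10T09:05:01 10.0.0.5 api.dropbox.example Mozilla/5.0
2025-01-10T09:10:00 10.0.0.5 api.dropbox.example Mozilla/5.0
2025-01-10T09:14:59 10.0.0.5 api.dropbox.example Mozilla/5.0
2025-01-10T09:20:00 10.0.0.5 api.dropbox.example Mozilla/5.0
2025-01-10T09:03:12 10.0.0.7 www.pcloud.example Mozilla/5.0
2025-01-10T10:41:50 10.0.0.7 www.pcloud.example Mozilla/5.0
2025-01-10T13:02:05 10.0.0.7 www.pcloud.example Mozilla/5.0
2025-01-10T09:01:00 10.0.0.9 intranet.example.internal Mozilla/5.0
"""


def parse_log(text):
    """Parse the constructed proxy lines into (timestamp, src_ip, dest_host) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines instead of crashing
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()))
    return records


def classify_service(host):
    """Return the cloud-storage keyword a hostname matches, or None if it matches none."""
    for keyword in CLOUD_STORAGE_KEYWORDS:
        if keyword in host:
            return keyword
    return None


def beacon_stats(records):
    """Per (src_ip, service): request count, mean gap in seconds, coefficient of variation.

    A low coefficient of variation (stdev / mean of the gaps) means the host
    contacts the service on a near-constant schedule, which is how a polling
    backdoor behaves and how interactive users generally do not.
    """
    buckets = defaultdict(list)
    for ts, src, host in records:
        service = classify_service(host)
        if service:
            buckets[(src, service)].append(ts)
    stats = {}
    for key, times in buckets.items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if gaps:
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0  # identical timestamps -> cv 0
        else:
            avg, cv = 0.0, 0.0  # a single request has no gap to measure
        stats[key] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return stats


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flag (src_ip, service) pairs with enough requests and a near-constant gap."""
    return {key: s for key, s in beacon_stats(records).items()
            if s["count"] >= min_hits and s["cv"] <= max_cv}


if __name__ == "__main__":
    for (src, service), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {service}: {s['count']} requests every ~{s['mean_interval']:.0f}s "
              f"(cv={s['cv']:.3f})")
```

On the sample data only 10.0.0.5 is flagged: five requests to the storage API roughly 300 seconds apart with a coefficient of variation near zero. The occasional pCloud user at 10.0.0.7 is not, because its gaps vary widely. In practice the thresholds need tuning against a baseline of legitimate sync clients, which also poll on a schedule; pairing this signal with process or user-agent context from the endpoint is what turns it from a lead into an alert.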



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-North-Korean-Cyber-Espionage-Threat-A-Supply-Chain-Attack-on-Android-and-Windows-ehn.shtml

  • https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html


  • Published: Tue May 5 06:57:24 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.