A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
The North Korea-aligned APT group ScarCruft (APT37) carried out a supply-chain attack on a gaming platform that distributes Yanbian-themed games, targeting ethnic Koreans in China's Yanbian region. The attackers trojanized both the Windows and the Android components with the BirdCall backdoor; the Android sample is the first BirdCall variant seen on that platform and supports extensive surveillance, including data collection, screenshots and voice recording. The Windows client was compromised through malicious updates that deployed RokRAT and then BirdCall. The campaign is espionage-focused, aimed at refugees and defectors of interest to the North Korean regime. No patch or remediation guidance is published, the page assigns no CVE, and it does not describe how the platform's update infrastructure was breached.
AI Analysis
Technical Summary
ScarCruft (APT37) executed a multiplatform supply-chain attack against a video gaming platform dedicated to Yanbian-themed games, whose users are ethnic Koreans in the Yanbian region of China. Both the Windows and the Android game components were trojanized with the BirdCall backdoor. On Windows the compromise arrived through malicious updates that first deployed RokRAT and then BirdCall; on Android the games themselves were trojanized with BirdCall, the first time this backdoor has been observed on that platform. BirdCall provides comprehensive surveillance, including data theft, screenshots and voice recording. The objective is espionage against North Korean refugees and defectors. No patch or official remediation guidance is available; the compromised software is a locally installed client rather than a cloud service, so the exposure sits on end-user devices.
Potential Impact
The BirdCall backdoor gives the attackers persistent access on both Windows and Android devices, from which they can collect sensitive data, capture screenshots and record audio. Because the malware was delivered through a platform used by one specific ethnic community, it provides covert, targeted surveillance of individuals of interest to the North Korean regime, and anyone who installed or updated the affected games during the campaign should be treated as potentially compromised. The page reports no activity beyond this campaign and no vendor fix.
Mitigation Recommendations
No vendor advisory or patch is referenced, so organizations should watch for updates from the platform operator and from ESET. Because the malware was delivered through the platform's own update channel, verify the integrity of any installer or update obtained from it: compare file hashes against the indicators below before execution, and treat any Windows or Android component obtained from the platform during the campaign as suspect until checked. Hunt in DNS and proxy logs for the listed domains. On Android, review side-loaded Yanbian-themed game apps and revoke microphone access and any other permission they do not need, since BirdCall records audio and captures screenshots. Users in the affected community should avoid installing or updating these games until the platform confirms its distribution channel is clean. No cloud-service remediation applies; this is a client-side compromise on end-user devices.
Indicators of Compromise
The page does not map individual hashes to specific samples (RokRAT, BirdCall, Windows or Android); the algorithm is inferred from the digest length. zohomail.com is a legitimate public mail service, so treat a hit on it as investigative context rather than a blocklist entry.
Domains
- domain: zohomail.com
- domain: 1980food.co.kr
- domain: cndsoft.co.kr
- domain: colorncopy.co.kr
- domain: sejonghaeun.com
- domain: www.inodea.com
- domain: www.lawwell.co.kr
- domain: inodea.com
- domain: sqgame.com
- domain: sqgame.com.cn
- domain: www.sqgame.net
- domain: xiazai.sqgame.com.cn
Hashes (MD5)
- hash: 7331602726f61959d8f0e7820d457370
- hash: 23a1eacad84be4f2c5830755b1948582
- hash: 3d3d2dc34f01bcf890f185a5421836c7
- hash: 72ac1287a8d71b27c437ec1f379ab506
- hash: a0830ce48537ba052f1d3b905d11a5bf
- hash: a48b62e55a692bf6d1046d2be64d7150
- hash: a8fe823d451d636d0a0366c0629ef5c3
Hashes (SHA-1)
- hash: 21ca0287ec5eaee8fb2f5d0542e378267d6ca0a6
- hash: 2c6cc71b7e7e4b28c2c176b504bc5bdb687c4d41
- hash: 5b70453ab58824a65ed0b6175c903aa022a87d6a
- hash: d9a369e328ea4f1b8304b6e11b50275f798e9d6b
- hash: f9f6c0184cee9c1e4e15c2a73e56d7b927ea685b
- hash: 03e3ece9f48cf4104aafc535790ca2fb3c6b26cf
- hash: 01a33066fbc6253304c92760916329abd50c3191
- hash: 2b81f78ec4c3f8d6cf8f677d141c5d13c35333af
- hash: 409c5acaed587f62f7e23da47f72c4d9ec3144d9
- hash: 59a9b9d47ae36411b277544f25ad2cc955d8dd2c
- hash: 7356d7868c81499fb4e720f7c9530e5763b4c1d0
- hash: 95bdb94f6767a3cce6d92363bbf5bc84b786bdb0
- hash: b06110e0feb7592872e380b7e3b8f77d80dd1108
- hash: fc0c691db7e2d2bd3b0b4c1e24d18df72168b7d9
Hashes (SHA-256)
- hash: 33d887ca2e57fa03fc807dfba5376bf96718ee88f56e90d95ee4896a2c019bd0
- hash: 185633e5dbe9235fc7e6a1ccb8631650afefd8f7da88c5c07d9b99ea38159822
- hash: 415b253a81e67c8c860a97c73edc9017ce732b3c025d943d3b1a445b4ac82822
- hash: 5aa7afd790481ad98357636fa4d9927ae01111409c8d7ce69998d2485c1d5e6f
- hash: 95cda8431419f77407484ab72dc1e356421dcd801eccabe8869f77ee0eb58eb2
- hash: dfa9c6adac98311d0f62e0eeecb947d92f7bda41ddf4ce9a6f9e20af7990422d
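As an added worked example (not code from the ESET report or the AlienVault pulse), the following Python script applies the two checks the mitigation section asks for: it hashes a downloaded installer or APK with MD5, SHA-1 and SHA-256 and matches each digest against the hash indicators on this page, and it scans DNS query logs for the listed domains, including their subdomains. The hash and domain values are the page's own; the log line layout (a `query=<name>` field) and the sample lines are constructed for the example, and the review-only handling of zohomail.com is an editorial choice, not something the page states.

```python
"""Added example: check files and DNS query logs against the indicators on
this page. Not code from the ESET report or the AlienVault pulse. Hash and
domain values are the page's own; the log format and lines are constructed."""
import hashlib
import io
import re
from typing import Iterable, Optional

# Indicators as published on this page; the length gives the algorithm
# (32 hex = MD5, 40 = SHA-1, 64 = SHA-256). The page does not map them to samples.
IOC_HASHES = set("""
7331602726f61959d8f0e7820d457370 23a1eacad84be4f2c5830755b1948582
3d3d2dc34f01bcf890f185a5421836c7 72ac1287a8d71b27c437ec1f379ab506
a0830ce48537ba052f1d3b905d11a5bf a48b62e55a692bf6d1046d2be64d7150
a8fe823d451d636d0a0366c0629ef5c3
21ca0287ec5eaee8fb2f5d0542e378267d6ca0a6 2c6cc71b7e7e4b28c2c176b504bc5bdb687c4d41
5b70453ab58824a65ed0b6175c903aa022a87d6a d9a369e328ea4f1b8304b6e11b50275f798e9d6b
f9f6c0184cee9c1e4e15c2a73e56d7b927ea685b 03e3ece9f48cf4104aafc535790ca2fb3c6b26cf
01a33066fbc6253304c92760916329abd50c3191 2b81f78ec4c3f8d6cf8f677d141c5d13c35333af
409c5acaed587f62f7e23da47f72c4d9ec3144d9 59a9b9d47ae36411b277544f25ad2cc955d8dd2c
7356d7868c81499fb4e720f7c9530e5763b4c1d0 95bdb94f6767a3cce6d92363bbf5bc84b786bdb0
b06110e0feb7592872e380b7e3b8f77d80dd1108 fc0c691db7e2d2bd3b0b4c1e24d18df72168b7d9
33d887ca2e57fa03fc807dfba5376bf96718ee88f56e90d95ee4896a2c019bd0
185633e5dbe9235fc7e6a1ccb8631650afefd8f7da88c5c07d9b99ea38159822
415b253a81e67c8c860a97c73edc9017ce732b3c025d943d3b1a445b4ac82822
5aa7afd790481ad98357636fa4d9927ae01111409c8d7ce69998d2485c1d5e6f
95cda8431419f77407484ab72dc1e356421dcd801eccabe8869f77ee0eb58eb2
dfa9c6adac98311d0f62e0eeecb947d92f7bda41ddf4ce9a6f9e20af7990422d
""".split())
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

IOC_DOMAINS = set("""
zohomail.com 1980food.co.kr cndsoft.co.kr colorncopy.co.kr sejonghaeun.com
www.inodea.com www.lawwell.co.kr inodea.com sqgame.com sqgame.com.cn
www.sqgame.net xiazai.sqgame.com.cn
""".split())
# zohomail.com is a legitimate public mail service (editorial choice): a hit is
# context for an investigation, not grounds for a block on its own.
REVIEW_ONLY = {"zohomail.com"}


def file_hashes(source) -> dict:
    """MD5, SHA-1 and SHA-256 of a file path (or raw bytes), streamed in 1 MiB chunks."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    stream = io.BytesIO(source) if isinstance(source, bytes) else open(source, "rb")
    with stream as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def match_digests(digests: dict) -> list:
    """(algorithm, digest) pairs whose value is in the indicator set."""
    hits = []
    for algo, digest in digests.items():
        digest = digest.lower()
        if digest in IOC_HASHES and ALGO_BY_LEN.get(len(digest)) == algo:
            hits.append((algo, digest))
    return hits


def match_file(source) -> list:
    """Hash a downloaded installer or APK and check it against the indicators."""
    return match_digests(file_hashes(source))


def match_domain(name: str) -> Optional[str]:
    """Exact or subdomain match; the longest indicator wins, so www.inodea.com
    reports itself rather than inodea.com."""
    name = name.lower().rstrip(".")
    for ioc in sorted(IOC_DOMAINS, key=len, reverse=True):
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


QUERY_RE = re.compile(r"\bquery=(?P<name>[A-Za-z0-9.-]+)")


def scan_dns_log(lines: Iterable[str]) -> list:
    """(queried name, matched indicator, action) for each line whose query=<name>
    field hits an indicator. The field layout is a constructed example."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        ioc = match_domain(m["name"]) if m else None
        if ioc:
            action = "review" if ioc in REVIEW_ONLY else "block"
            findings.append((m["name"], ioc, action))
    return findings


# Constructed sample lines, not real telemetry.
SAMPLE_DNS_LOG = [
    "2026-05-05T10:36:23Z client=10.0.0.12 query=xiazai.sqgame.com.cn type=A",
    "2026-05-05T10:36:24Z client=10.0.0.12 query=update.example.com type=A",
    "2026-05-05T10:36:25Z client=10.0.0.17 query=cdn.sqgame.com type=A",
    "2026-05-05T10:36:26Z client=10.0.0.21 query=mail.zohomail.com type=A",
]
```

Run `match_file("path/to/update.exe")` on anything pulled from the platform before executing it, and feed your resolver's query log into `scan_dns_log` after adapting `QUERY_RE` to its real field layout. A hash hit is conclusive; a domain hit on a subdomain of a listed site is worth a look even when the exact host is not listed, which is why the matcher accepts subdomains.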
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
- Adversary: APT37
- Pulse ID: 69f9c539da459757922d22d8
- Threat Score: null
Threat ID: 69f9c827cbff5d8610eb4b4f
Added to database: 5/5/2026, 10:36:23 AM
Last enriched: 5/5/2026, 10:51:23 AM
Last updated: 5/5/2026, 12:46:31 PM