A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
North Korea-aligned APT group ScarCruft executed a multiplatform supply-chain attack targeting ethnic Koreans in China's Yanbian region, an area significant for North Korean refugees and defectors. Since late 2024, the group has compromised a video gaming platform dedicated to Yanbian-themed games, trojanizing both Windows and Android components with the BirdCall backdoor. The Windows client received malicious updates that led first to RokRAT and subsequently to BirdCall deployment, while the Android games were trojanized directly. This marks the first discovery of an Android BirdCall variant, capable of comprehensive surveillance including data collection, screenshots, and voice recording. The campaign focuses on espionage against individuals of interest to the North Korean regime, particularly refugees and defectors.
AI Analysis
Technical Summary
ScarCruft (APT37) executed a multiplatform supply-chain attack against a video gaming platform dedicated to Yanbian-themed games, targeting ethnic Koreans in the Yanbian region of China. The attack involved trojanizing Windows and Android game components with the BirdCall backdoor. The Windows client was compromised through malicious updates that deployed RokRAT followed by BirdCall, while Android games were directly trojanized with BirdCall, marking the first discovery of this backdoor on Android. BirdCall enables comprehensive surveillance capabilities including data theft, screenshots, and voice recording. The campaign's objective is espionage against North Korean refugees and defectors. No patch or official remediation guidance is available, and the platform is not a cloud service.
Potential Impact
The attack enables persistent espionage through the BirdCall backdoor on both Windows and Android platforms, allowing the attackers to collect sensitive data, capture screenshots, and record voice communications. The supply-chain compromise of a gaming platform used by a targeted ethnic group facilitates covert surveillance of individuals of interest to the North Korean regime. There are no known exploits in the wild beyond this campaign, and no official patch or fix has been documented.
Mitigation Recommendations
Patch status is not yet confirmed: check the vendor advisory for current remediation guidance. Since no official patch or remediation information is provided, organizations should monitor vendor communications for updates. Given the supply-chain nature of the attack, the integrity of gaming platform updates and binaries should be verified before installation, for example by checking file hashes and signatures against what the vendor publishes and against the indicators in the referenced ESET research. Users in the affected community should exercise caution when installing or updating Yanbian-themed games. No cloud service remediation applies, as this is a client-side compromise.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
- Adversary: APT37
- Pulse Id: 69f9c539da459757922d22d8
- Threat Score: null
Threat ID: 69f9c827cbff5d8610eb4b4f
Added to database: 5/5/2026, 10:36:23 AM
Last enriched: 5/5/2026, 10:51:23 AM
Last updated: 6/19/2026, 2:03:35 PM