SCARCRUFT, the North Korea-aligned threat group, has compromised the sqgame[.]net gaming platform in a supply-chain-style attack, trojanising its components with a backdoor named BirdCall, most likely to target ethnic Koreans in China. Earlier BirdCall variants targeted Windows; the campaign is now described as multi-platform, with an Android version delivered through the same supply-chain intrusion.
According to ESET, the choice of a Yanbian-themed platform is a deliberate tactic to reach users in the Yanbian region, which lies on the China–North Korea border and is a transit point for North Korean defectors. The backdoor offers the usual capabilities: screenshot capture, keystroke logging, clipboard theft, shell command execution and data collection. Like RokRAT, it relies on legitimate cloud services such as Dropbox and pCloud for command and control, so its traffic blends in with ordinary cloud-storage use rather than standing out as connections to attacker-owned infrastructure.
The Android variant collects contact lists, SMS messages, call logs, media files, documents, screenshots and ambient audio; seven versions have been traced back to October 2024. The Windows DLL used as a downloader has been seen since at least November 2024 in a trojanised update package. The poisoned Android APKs on sqgame[.]net’s download pages include sqgame.com[.]cn/ybht[.]apk and sqgame.com[.]cn/sqybhs[.]apk; the Windows desktop client and the iOS games are reported as unaffected.
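The APK indicators above are published defanged (`[.]` in place of `.`), which is safe to paste into a report but will not match anything in a proxy log. The following is an added example, not code from the article or from ESET, that refangs those two indicators into host and path matchers and scans a handful of constructed proxy-log lines for downloads of the trojanised APKs. The log format (timestamp, source IP, method, URL, status) and the log lines themselves are assumptions made for the example; the matcher compares host and path only, so query strings and scheme/host case differences do not defeat it, while unrelated files on sibling hosts are not flagged.

```python
import re
from urllib.parse import urlsplit

# Indicators as printed in the report, defanged with [.] so they are not clickable.
DEFANGED_IOCS = [
    "sqgame.com[.]cn/ybht[.]apk",
    "sqgame.com[.]cn/sqybhs[.]apk",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form ([.] -> ., hxxp -> http)."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def split_ioc(indicator: str):
    """Return (lower-cased host, path) for a refanged host/path indicator."""
    real = refang(indicator)
    if "://" not in real:
        real = "http://" + real  # scheme needed so urlsplit parses the host
    parts = urlsplit(real)
    return parts.hostname.lower(), parts.path


def build_matchers(defanged):
    return [split_ioc(i) for i in defanged]


# Constructed proxy log lines for the example (assumed format, not real traffic).
SAMPLE_LOG = """\
2025-01-14T09:12:03Z 10.0.0.23 GET http://sqgame.com.cn/ybht.apk 200
2025-01-14T09:13:44Z 10.0.0.23 GET https://www.example.com/index.html 200
2025-01-14T09:15:10Z 10.0.0.41 GET http://cdn.sqgame.com.cn/assets/logo.png 200
2025-01-14T09:20:55Z 10.0.0.57 GET HTTP://SQGAME.COM.CN/sqybhs.apk?ver=3 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def scan_log(text: str, matchers):
    """Return (source_ip, url) for every request whose host and path match an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        u = urlsplit(m.group("url"))
        host = (u.hostname or "").lower()
        for ioc_host, ioc_path in matchers:
            # Exact host match: cdn.sqgame.com.cn is not the indicator host.
            if host == ioc_host and u.path == ioc_path:
                hits.append((m.group("src"), m.group("url")))
                break
    return hits


if __name__ == "__main__":
    for src, url in scan_log(SAMPLE_LOG, build_matchers(DEFANGED_IOCS)):
        print(f"IOC hit: {src} fetched {url}")
```

Path-exact matching is deliberate: the report names specific APK files, not the whole domain, so flagging every request to the site would swamp analysts with legitimate game traffic. If a broader hunt is wanted, relax the path comparison to a prefix or drop it entirely for the two hosts.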