www.infosecurity-magazine.com 5/5/2026, 3:21:23 PM · via preferred

North Korean Hackers Trojanise Korean Gaming Site to Spy on Users


A North Korea-aligned espionage group known as ScarCruft, also referred to as APT37, Reaper and Ricochet Chollima, has compromised a regional gaming platform serving ethnic Koreans in China, according to new analysis from ESET researchers. The operation targeted users of sqgame[.]net, with both Windows and Android software trojanized to deliver a previously undocumented mobile backdoor, while the iOS game on the same site was left untouched.

On Windows, an update package for the desktop client has been seen since at least November 2024. It delivers a downloader that fetches shellcode containing the RokRAT backdoor, which then deploys the newer BirdCall implant. The Android variant, internally named zhuagou, went through seven versions between October 2024 and June 2025. It repackaged legitimate game APKs and redirected their entry points through the backdoor to access data such as contacts, call logs, SMS, documents, media and private keys.

C2 traffic used cloud storage providers, with Zoho WorkDrive identified in the campaign and 12 separate Zoho accounts found. ESET noted the activity likely began in late 2024. sqgame was notified in December 2025 but had not responded at the time of publication.


Article by CyberSIXT
