ScarCruft Hack Plants Backdoors in Windows and Android

A North Korea-aligned threat group known as ScarCruft has been linked to a multiplatform supply chain attack against a regional video gaming platform serving ethnic Koreans in China’s Yanbian area. Instead of targeting victims directly with phishing, the operators compromised a trusted distribution channel and used it to deliver backdoored games for Windows and Android.

This approach is especially effective because it turns normal user behavior—downloading updates and installing games—into an infection path. For defenders, it’s a reminder that supply chain risk isn’t limited to enterprise software vendors. Any platform that distributes installers, updates, or APKs can become an attacker-controlled delivery pipeline.

This campaign is assessed to have been active since late 2024, with an espionage focus aimed at collecting personal and device data from individuals likely deemed of interest, including refugees and defectors.

In this article, you’ll learn:

  • What was compromised and how the attack spread
  • How the Android and Windows backdoors work
  • Why this is a high-risk supply chain pattern for SOC teams
  • Practical detection and mitigation steps for enterprises and individuals

What Was Targeted: A Regional Gaming Platform Turned Into an Espionage Tool

The compromised platform is sqgame, a service hosting traditional Yanbian-themed card and board games for Windows, Android, and iOS users.

Attackers did not appear to compromise the game source code directly. Instead, the activity suggests they accessed the platform’s web server or distribution infrastructure, then:

  • Repackaged Android APKs to include malicious code
  • Delivered a malicious Windows update package containing a trojanized DLL

Notably:

  • Android and Windows builds were compromised
  • The iOS version showed no signs of tampering, likely due to stronger distribution controls and review barriers

Threat Actor Profile: ScarCruft (APT37 / Reaper)

ScarCruft (also tracked as APT37 and Reaper) is widely assessed as a state-aligned espionage actor with a long operational history. The group has historically focused on South Korea and adjacent regional targets, including individuals and organizations linked to national security interests.

The Yanbian region fits the group’s targeting profile: it borders North Korea and hosts a large ethnic Korean community outside the peninsula, making it relevant for intelligence collection related to cross-border movement and defector networks.


How the Android Infection Worked: Trojanized APKs Deliver BirdCall

Delivery method

Two Android games hosted on the platform were modified to carry the BirdCall backdoor. The malware was embedded into trojanized game packages distributed directly from the platform’s download page.

How execution is triggered (stealthy startup hijack)

The attackers modified the AndroidManifest.xml so that the app’s startup path is redirected through the backdoor’s code first. When a user launches the game:

  1. The backdoor runs silently in the background
  2. Control returns to the legitimate game UI
  3. The user sees a normal game experience, reducing suspicion
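A redirected launch path of this kind shows up in the decoded manifest itself, so one defensive check is to diff the components that run first (the `Application` subclass and the MAIN/LAUNCHER activity) and the requested permissions against a known-good build of the same game. The script below is an added example written for this article; it is not code from the ScarCruft report, the sqgame platform, or any vendor tool. The package, class and permission names in the baseline and the sample manifest are constructed, and the check goes slightly beyond the text by also flagging communications-data permissions that a card game has no reason to request.

```python
"""Added example: diff a decoded AndroidManifest.xml against a known-good baseline.

Not code from the article, the ScarCruft report or the sqgame project. All
package, class and permission names below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose communications data; a card/board game should not need them.
COMMS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}


def _qualify(name, package):
    """Expand a relative '.Foo' class reference to 'com.pkg.Foo'; None stays None."""
    return package + name if name and name.startswith(".") else name


def parse_manifest(xml_text):
    """Extract the manifest parts that decide which code runs first and what it may touch."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    launchers = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.append(_qualify(activity.get(ANDROID_NS + "name"), package))
    return {
        "package": package,
        # The Application subclass runs before any activity, so a change here matters.
        "application_class": _qualify(app.get(ANDROID_NS + "name") if app is not None else None, package),
        "launchers": launchers,
        "permissions": {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")},
    }


def audit_manifest(xml_text, baseline):
    """Return human-readable findings describing how the manifest deviates from the baseline."""
    m = parse_manifest(xml_text)
    findings = []
    if m["launchers"] != baseline["launchers"]:
        findings.append(f"launcher activity changed: {baseline['launchers']} -> {m['launchers']}")
    if m["application_class"] != baseline["application_class"]:
        findings.append(f"Application subclass changed: {baseline['application_class']} -> {m['application_class']}")
    for perm in sorted(m["permissions"] - baseline["permissions"]):
        tag = "communications data" if perm in COMMS_PERMISSIONS else "new"
        findings.append(f"added permission ({tag}): {perm}")
    return findings


# Constructed baseline, as recorded from a known-good build of the same game (hypothetical values).
BASELINE = {
    "launchers": ["com.example.cardgame.GameActivity"],
    "application_class": None,
    "permissions": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed manifest modelling a repackaged build: a new Application subclass and a new
# launcher activity sit in front of the real game UI, and comms permissions were added.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:name=".svc.Boot">
    <activity android:name=".svc.LoaderActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".GameActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(TROJANIZED_MANIFEST, BASELINE):
        print(finding)
```

The baseline is the important part: a manifest read in isolation tells you what the app does, but only a comparison with the version you previously vetted tells you what changed between releases. Decode the binary manifest from the APK first (for example with apktool), then feed the XML text to `audit_manifest`.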

Data collection on first run

On first execution, Android BirdCall performs broad surveillance and data harvesting, including:

  • Full shared storage directory listing
  • Contacts
  • Call logs
  • SMS messages

Device and environment profiling

The backdoor collects device identifiers and system telemetry such as:

  • RAM and device state data
  • IMEI
  • IP and MAC address
  • Geolocation signals (when available)

Exfiltration via cloud services

A key design choice in this campaign is blending in with normal HTTPS traffic by using legitimate cloud infrastructure. The Android backdoor communicates over HTTPS and uploads stolen data to cloud storage using embedded credentials. Researchers observed multiple cloud “drives” used in the campaign.

Surveillance capabilities

Android BirdCall also supports:

  • Screenshot capture
  • File theft for targeted extensions including:
    .jpg, .doc, .pdf, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .m4a, .p12
  • In some versions: microphone recording during a defined evening window (local time)

Key takeaway: This is not generic adware. The collection scope and targeting signals indicate an espionage-grade spyware capability delivered via a trusted gaming distribution channel.


How the Windows Infection Worked: Malicious Update → RokRAT → BirdCall

Delivery method

On Windows, victims were hit through a malicious update package. The package included a trojanized mono.dll—a strategically chosen library name that can look legitimate in gaming environments.

Execution chain

The Windows chain follows a classic staged backdoor pattern:

  1. Trojanized mono.dll is loaded as part of the update process
  2. A downloader routine performs anti-analysis checks (e.g., looking for sandbox/VM traits and analysis tools)
  3. It retrieves and executes shellcode that installs RokRAT as a first-stage backdoor
  4. RokRAT then drops the more capable BirdCall backdoor onto the system

Evidence hiding

After executing the payload, the malicious DLL replaces itself with a clean copy to reduce artifacts and frustrate forensic review.

Key takeaway: The Windows infection path blends supply chain compromise with stealth tradecraft: anti-analysis checks, staged payloads, and self-cleanup behavior.


Why This Matters to SOC Teams: Supply Chain + Cloud C2 = Low-Noise Espionage

This campaign combines three attributes that increase defender difficulty:

  1. Trusted delivery channel
    • Users install malware voluntarily by downloading “normal” games/updates
  2. Multiplatform reach
    • Windows and Android backdoors enable parallel compromise across device types
  3. Cloud-based exfiltration
    • HTTPS traffic to legitimate cloud services can be difficult to differentiate from normal app behavior without context-aware monitoring

Risk impact: Credential theft, personal data exposure, surveillance of sensitive populations, and potential footholds in enterprise devices if these games are installed on corporate endpoints.


What to Monitor: High-Signal Detection Opportunities

Even though the campaign uses stealth, defenders still have strong detection angles.

Network signals

  • Unexpected HTTPS traffic to cloud storage services originating from:
    • Gaming applications
    • Unknown or newly installed Android packages
    • Windows game clients performing update checks
  • Unusual upload patterns (large, repeated uploads) from gaming processes

Endpoint signals (Windows)

  • Unusual DLL loading events involving:
    • Game client update processes
    • mono.dll loaded from unexpected directories
  • Suspicious child process activity spawned by game clients during or after updates
  • Post-update persistence mechanisms (registry run keys, scheduled tasks, unusual services)

Endpoint signals (Android)

  • Games requesting or accessing:
    • Contacts
    • SMS
    • Call logs
    • Broad storage access
  • Background activity immediately on first launch followed by normal UI behavior
  • Screenshot capture or microphone access aligned to scheduled windows
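The network and Windows endpoint signals listed above translate directly into rules over EDR and proxy telemetry. The script below is an added example for this article, not code from the report or from any detection product: it runs four such rules over a constructed, chronologically ordered event stream. The event field names, the game process name and install directory, the cloud storage hostnames and the upload thresholds are all hypothetical placeholders to be mapped onto your own telemetry schema.

```python
"""Added example: the article's detection angles as rules over a constructed event stream.

Not code from the article or any vendor product. Event shapes, process names,
paths, hostnames and thresholds are hypothetical; adapt them to your EDR/proxy.
"""
from collections import defaultdict

GAME_PROCESS = "gameclient.exe"                       # hypothetical game client process
APPROVED_DLL_DIRS = {r"c:\program files\gameclient"}  # hypothetical install directory
# Hostnames your proxy categorises as cloud storage / file sharing (constructed list).
CLOUD_STORAGE_HOSTS = {"api.drive.example", "upload.cloudbox.example"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # flag a game process sending >= 5 MB to cloud storage
UPLOAD_COUNT_THRESHOLD = 3                # or opening 3+ separate upload connections
# Children a game client should never need to spawn during or after an update.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, detail) alerts for an event list ordered by time."""
    alerts = []
    loaded = defaultdict(set)                # pid -> DLL paths that process has loaded
    uploads = defaultdict(lambda: [0, 0])    # process -> [bytes sent, connection count]
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "image_load":
            path = ev["image"].lower()
            loaded[ev["pid"]].add(path)
            # Rule 1: mono.dll loaded from anywhere but the approved install directory.
            if _basename(path) == "mono.dll" and _dirname(path) not in APPROVED_DLL_DIRS:
                alerts.append(("mono.dll from unexpected directory", f"{proc} loaded {ev['image']}"))
        elif ev["type"] == "file_write":
            # Rule 2: a process overwriting a DLL it already has loaded matches the
            # self-replacement cleanup described for the Windows chain.
            if ev["path"].lower() in loaded[ev["pid"]]:
                alerts.append(("loaded DLL overwritten by its own host process", f"{proc} rewrote {ev['path']}"))
        elif ev["type"] == "process_create":
            # Rule 3: game client spawning a shell or script host.
            if proc == GAME_PROCESS and ev["child"].lower() in INTERPRETERS:
                alerts.append(("child process spawned by game client", f"{proc} -> {ev['child']}"))
        elif ev["type"] == "net_conn":
            # Rule 4 (aggregated below): game client uploading to cloud storage.
            if proc == GAME_PROCESS and ev["host"].lower() in CLOUD_STORAGE_HOSTS:
                uploads[proc][0] += ev["bytes_out"]
                uploads[proc][1] += 1
    for proc, (nbytes, count) in uploads.items():
        if nbytes >= UPLOAD_BYTES_THRESHOLD or count >= UPLOAD_COUNT_THRESHOLD:
            alerts.append(("game process uploading to cloud storage",
                           f"{proc}: {count} connections, {nbytes} bytes"))
    return alerts


# Constructed sample telemetry: one infected session (pid 4242) and one clean session (pid 5150).
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4242, "process": "gameclient.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\update\mono.dll"},
    {"type": "net_conn", "pid": 4242, "process": "gameclient.exe",
     "host": "api.drive.example", "bytes_out": 3_000_000},
    {"type": "net_conn", "pid": 4242, "process": "gameclient.exe",
     "host": "api.drive.example", "bytes_out": 4_000_000},
    {"type": "file_write", "pid": 4242, "process": "gameclient.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\update\mono.dll"},
    {"type": "process_create", "pid": 4242, "process": "gameclient.exe", "child": "powershell.exe"},
    # Benign: the client loads mono.dll from its install dir and talks to its own patch server.
    {"type": "image_load", "pid": 5150, "process": "gameclient.exe",
     "image": r"C:\Program Files\GameClient\mono.dll"},
    {"type": "net_conn", "pid": 5150, "process": "gameclient.exe",
     "host": "patch.gamevendor.example", "bytes_out": 2_000},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 2 is the one worth keeping even if the others are noisy in your environment: a legitimate updater writes a new file and then loads it, whereas the self-cleanup behavior described above loads the DLL first and rewrites it afterwards, so the ordering of image-load and file-write events for the same path is the discriminating signal. Rule 4 aggregates per process because the individual HTTPS connections look ordinary; only the volume and repetition from a game client stand out.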

Key takeaway: You’re not just hunting malware—you’re hunting abnormal behavior from software categories that typically should not need deep access to communications data.


Mitigation and Prevention: What to Do Now

For individuals

  • Install apps only from trusted, well-controlled app stores where possible
  • Avoid sideloading APKs from websites, especially for casual apps like games
  • Keep Android devices patched and updated
  • Review app permissions and remove games that request excessive access (contacts/SMS/calls)

For organizations (SOC + IT)

  1. Asset policy
    • Restrict installation of unapproved apps on managed Android devices (MDM allowlists)
    • Restrict game installs on corporate endpoints where feasible
  2. Network controls
    • Monitor and alert on gaming apps communicating with cloud storage platforms
    • Use proxy categories and SSL inspection (where policy allows) to detect suspicious upload behavior
  3. Endpoint hardening
    • Tighten application control and DLL loading controls on Windows endpoints
    • Ensure EDR alerts for suspicious DLL replacement, unusual update behaviors, and anti-analysis checks
  4. Threat hunting
    • Hunt for newly installed or unusual gaming applications in sensitive user populations
    • Review historical update activity since late 2024 if exposure is suspected
  5. Incident response readiness
    • If compromise is suspected:
      • Isolate the device
      • Collect forensic triage (process tree, network connections, installed apps)
      • Rotate credentials used on the device
      • Assess lateral movement risk if the device has enterprise access

Common Misconceptions to Avoid

  • “It’s just a game, so it can’t be serious.”
    Supply chain attacks deliberately target trusted apps to reduce suspicion.
  • “Cloud traffic is safe traffic.”
    Legitimate cloud platforms are often abused to hide command-and-control and data exfiltration.
  • “If the UI looks normal, it’s clean.”
    Many modern backdoors run first, then hand control back to legitimate app workflows.

FAQs

What is a supply chain attack in this context?
An attack where threat actors compromise a legitimate distribution channel (like a game update server or download page) to deliver trojanized software to users.

Why were Android and Windows targeted but not iOS?
iOS distribution controls and review requirements typically make silent repackaging and direct distribution harder compared to web-hosted APKs and Windows installers.

What is BirdCall?
A backdoor used for surveillance and data theft. In this campaign, it appears in both Android and Windows variants, enabling broad collection of personal data and files.

What is RokRAT’s role in this attack?
RokRAT is used as a first-stage backdoor on Windows to establish a foothold and deploy BirdCall.

What should SOC teams prioritize first?
Identify affected assets, block unauthorized installs, monitor anomalous cloud uploads from gaming apps, and hunt for suspicious update/DLL behavior on Windows endpoints.


Conclusion

This ScarCruft campaign shows how supply chain attacks are evolving beyond traditional enterprise software: attackers can compromise niche platforms and use them as trusted delivery channels for multiplatform backdoors. By combining trojanized installers, stealthy startup hijacking, and cloud-based exfiltration, the operators created a low-noise espionage pipeline against a targeted user base.

Key takeaway: Treat software distribution infrastructure—especially web-hosted installers and update mechanisms—as part of your attack surface. Monitor unusual cloud traffic from unexpected apps, enforce app controls on managed devices, and assume that “trusted downloads” can be weaponized.
