North Korea Turned a Gaming App Into a Spyware Platform

North Korean APT37 compromised a gaming platform to deliver BirdCall, a new cross-platform spy tool targeting Android and Windows users since 2024.

    A North Korean state hacking group has been running an undetected spy operation through a legitimate gaming platform for over a year — and the malware it deployed now works on both Android phones and Windows computers simultaneously.

    A Trusted Platform, a Hidden Payload

    Security researchers have confirmed that ScarCruft (also tracked as APT37), a hacking group operating on behalf of North Korea’s intelligence services, quietly compromised sqgame[.]net, a gaming platform used by ethnic Korean communities, at some point before November 2024. The platform was not merely a lure — it became an active delivery mechanism.

    Windows users who downloaded what appeared to be a standard platform update received a trojanized DLL file instead. That file was engineered to check whether it was running inside a security analysis sandbox before proceeding. If the environment looked clean, it fetched and executed shellcode that installed BirdCall, the group’s latest evolution of its long-running RokRAT backdoor.

    The Android side of the campaign ran in parallel. Malicious APK files — Android application packages — were hosted directly on the compromised platform’s servers and distributed to mobile users. Researchers identified seven distinct Android versions of BirdCall, the earliest dating to October 2024.

    What BirdCall Can Do

    BirdCall is not a simple piece of spyware. Once installed on a device, it can capture screenshots, log every keystroke, read clipboard contents, execute shell commands, and harvest contacts, call records, and SMS messages. On Android, it can also activate the microphone to record ambient audio.

    The operational infrastructure behind BirdCall is designed to resist network-level detection. Rather than communicating with obvious attacker-controlled servers, it routes stolen data through legitimate cloud storage services — Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive. For security teams monitoring outbound traffic, distinguishing malicious BirdCall traffic from ordinary cloud sync activity is difficult without behavioral analytics.

    Who Is Being Targeted — and Why

    The primary victims identified are ethnic Koreans living in the Yanbian region of northeastern China, a demographic that historically includes North Korean defectors, human rights activists, and academics studying the Korean peninsula. This is not a financially motivated campaign. ScarCruft collects intelligence on individuals who represent political interests to Pyongyang — dissidents, defectors, and their networks.

    BirdCall represents the first confirmed RokRAT variant that operates natively across both Android and Windows in the same campaign. The cross-platform capability is significant: targets who communicate via phone are just as exposed as those using desktop computers, making compartmentalization far harder for potential victims.

    Why the Supply Chain Angle Matters Beyond This Campaign

    What elevates this story beyond a targeted espionage operation is the method of delivery. Using a legitimate software update mechanism as a trojan horse mirrors tactics seen in several of the most damaging cyberattacks of recent years — the SolarWinds compromise, the 3CX supply chain attack, and the XZ Utils backdoor. In each case, attackers inserted themselves into a delivery channel the victim had every reason to trust.

    Organizations relying on third-party software, particularly platforms targeting specific communities or industries, face the same underlying risk: if the vendor’s update infrastructure is compromised, any client becomes a potential victim. The gaming platform’s users had no reason to suspect the update they installed was anything other than what it claimed to be.

    Impact and Takeaway

    For security teams, the BirdCall campaign surfaces three actionable concerns.

    Software Update Verification

    Software update verification is not optional. Signed updates that can be validated against a known-good hash provide a baseline defense against trojanized packages. Organizations deploying software from smaller or regional vendors should verify that the vendor’s update distribution is secured.
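A minimal illustration of the hash-pinned check described above, written here as an added example and not taken from the article or any vendor's updater. It assumes the update arrives as a set of named files plus a manifest of expected SHA-256 values whose signature has already been validated; all file contents and names are constructed.

```python
"""Hash-pinned update verification against a (previously signature-checked) manifest."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(bundle: dict, manifest: dict) -> list:
    """Return a sorted list of problems; an empty list means the bundle matches.

    Three conditions fail verification: a manifest entry with no file, a file
    whose hash differs from the pinned value (a swapped or trojanized component),
    and a file that the manifest never listed (an extra dropped component).
    """
    problems = []
    for name, expected in manifest.items():
        if name not in bundle:
            problems.append(f"missing: {name}")
            continue
        # Constant-time comparison so the check does not leak matched prefixes.
        if not hmac.compare_digest(sha256_hex(bundle[name]), expected):
            problems.append(f"hash mismatch: {name}")
    for name in bundle:
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return sorted(problems)


# Constructed sample update: two files, both pinned in the manifest.
GOOD_LAUNCHER = b"launcher v2 bytes (constructed)"
GOOD_DLL = b"platform.dll v2 bytes (constructed)"
MANIFEST = {
    "launcher.exe": sha256_hex(GOOD_LAUNCHER),
    "platform.dll": sha256_hex(GOOD_DLL),
}


def check_clean() -> list:
    return verify_update({"launcher.exe": GOOD_LAUNCHER, "platform.dll": GOOD_DLL}, MANIFEST)


def check_tampered() -> list:
    # Same file names, but the DLL contents differ and an unlisted file was added.
    tampered = {"launcher.exe": GOOD_LAUNCHER, "platform.dll": b"swapped",
                "helper.dll": b"extra"}
    return verify_update(tampered, MANIFEST)


if __name__ == "__main__":
    print(check_clean())     # []
    print(check_tampered())  # ['hash mismatch: platform.dll', 'unexpected file: helper.dll']
```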

    Behavioral Detection for Cloud-Based C2

    Cloud-service command-and-control calls for behavioral detection rather than blocklists. Blocking Dropbox or Google Drive outright is not a practical defense for most organizations. Monitoring for abnormal data volumes, unusual process-to-cloud-service relationships, and off-hours exfiltration activity is the more viable approach.
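The three behavioral signals named above, applied to constructed egress records, as an added example rather than any vendor's detection logic. The service hostnames, the expected-client mapping, the 50 MB daily threshold and the business-hours window are all assumptions to be tuned per environment.

```python
"""Flag cloud-storage egress that is unusual by process, hour, or volume."""
from collections import defaultdict

# Storage services named in the campaign; hostnames are assumed, not observed.
CLOUD_STORAGE = {"dropbox.com", "pcloud.com", "disk.yandex.com", "workdrive.zoho.com"}
# Processes expected to talk to each service; any other process is an unusual pairing.
EXPECTED_CLIENTS = {
    "dropbox.com": {"Dropbox.exe", "chrome.exe"},
    "pcloud.com": {"pCloud.exe", "chrome.exe"},
    "disk.yandex.com": {"chrome.exe"},
    "workdrive.zoho.com": {"chrome.exe"},
}
VOLUME_THRESHOLD = 50 * 1024 * 1024   # bytes per process per day (assumed)
BUSINESS_HOURS = range(8, 19)         # 08:00-18:59 local time (assumed)


def cloud_domain(host: str):
    """Map a hostname to the storage service it belongs to, or None."""
    for domain in CLOUD_STORAGE:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def analyze(records):
    """records: iterable of (process, host, bytes_sent, hour_of_day).

    Returns {process: set(reasons)} for every process tripping at least one rule.
    """
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for proc, host, nbytes, hour in records:
        svc = cloud_domain(host)
        if svc is None:
            continue                      # not cloud storage; out of scope here
        totals[proc] += nbytes
        if proc not in EXPECTED_CLIENTS.get(svc, set()):
            reasons[proc].add(f"unexpected process for {svc}")
        if hour not in BUSINESS_HOURS:
            reasons[proc].add("off-hours upload")
    for proc, total in totals.items():
        if total > VOLUME_THRESHOLD:
            reasons[proc].add("high daily volume")
    return dict(reasons)


# Constructed sample: one ordinary sync client, one browser session, one odd process.
MB = 1024 * 1024
SAMPLE_RECORDS = [
    ("Dropbox.exe", "api.dropbox.com", 5 * MB, 10),
    ("chrome.exe", "disk.yandex.com", 1 * MB, 14),
    ("rundll32.exe", "api.dropbox.com", 30 * MB, 2),
    ("rundll32.exe", "api.pcloud.com", 30 * MB, 3),
]
```

Running `analyze(SAMPLE_RECORDS)` flags only `rundll32.exe`, on all three signals; the sync client and browser produce no alerts.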

    Mobile Device Coverage

    Mobile devices are not a safe harbor. The Android capability of BirdCall reinforces the need for mobile device management and threat detection coverage alongside traditional endpoint security. If a target communicates sensitive information only via phone in the belief that their laptop is monitored, a cross-platform implant nullifies that precaution entirely.
