ScarCruft Targets Gaming Platform in Supply-Chain Espionage Campaign, ESET Finds

ESET researchers have uncovered a sophisticated, multiplatform supply-chain attack carried out by the North Korea-aligned APT group ScarCruft, compromising a gaming platform used by ethnic Koreans in China’s Yanbian region.

The attack involved tampering with both Windows and Android components of the platform, enabling the deployment of advanced backdoors designed for espionage. The compromised Windows client was distributed via a malicious update that installed the RokRAT backdoor, which subsequently deployed a more advanced payload known as BirdCall.

In a notable escalation, researchers also identified an Android version of the BirdCall backdoor embedded within trojanized games available on the platform. This mobile variant is capable of collecting sensitive data including contacts, SMS messages, call logs, documents, media files, and private keys. It can also capture screenshots and record audio, significantly expanding the surveillance capabilities of the campaign.

“Victims likely installed trojanized games intentionally, enabling attackers to deploy advanced backdoors for long-term espionage.”

— Filip Jurčacko, ESET Research

According to ESET, the operation has likely been active since late 2024. The attackers appear to have specifically targeted individuals in the Yanbian region, a known hub for ethnic Koreans and a transit point for North Korean refugees and defectors. The campaign’s objective is believed to be intelligence gathering on individuals of interest to the North Korean regime.

The original Windows version of BirdCall, first identified in 2021, already possessed extensive espionage capabilities such as keystroke logging, credential theft, file exfiltration, and remote command execution. The malware also leverages legitimate cloud services like Dropbox and pCloud for command-and-control communication, helping it evade detection.
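The cloud-service command-and-control described above is a useful detection angle: traffic to Dropbox or pCloud from a browser or the official sync client is routine, but the same traffic from an unrelated process is not. The following Python script is an added example written for this article, not code from ESET or from the BirdCall malware. It runs over a handful of constructed proxy/EDR log lines in an assumed `key=value` format, and the API hostnames and the process allowlist are assumptions that a defender would replace with values from their own environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "key=value" proxy/EDR export
# format; none of these come from the ESET report.
SAMPLE_LOGS = [
    "2025-01-14T09:00:01Z host=WS-01 proc=chrome.exe dst=api.dropboxapi.com:443 bytes_out=1200",
    "2025-01-14T09:00:05Z host=WS-01 proc=Dropbox.exe dst=content.dropboxapi.com:443 bytes_out=88000",
    "2025-01-14T09:01:10Z host=WS-01 proc=svchost.exe dst=api.pcloud.com:443 bytes_out=2048",
    "2025-01-14T09:02:10Z host=WS-01 proc=svchost.exe dst=api.pcloud.com:443 bytes_out=2048",
    "2025-01-14T09:03:10Z host=WS-01 proc=svchost.exe dst=api.pcloud.com:443 bytes_out=2048",
    "2025-01-14T09:03:40Z host=WS-02 proc=GameUpdater.exe dst=api.dropboxapi.com:443 bytes_out=16384",
    "2025-01-14T09:04:00Z host=WS-02 proc=firefox.exe dst=www.example.com:443 bytes_out=500",
    "malformed line without fields",
]

# Assumed API hostnames for the two cloud services named in the article.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "api.pcloud.com", "eapi.pcloud.com",
}

# Processes for which traffic to those services is expected (assumed allowlist;
# compared case-insensitively).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe", "pcloud.exe"}

# One timestamp followed by one or more key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Parse one log line into a dict of fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def flag_cloud_c2(lines):
    """Aggregate connections to cloud-storage APIs made by unexpected processes.

    Returns a sorted list of (host, process, destination, connection_count,
    total_bytes_out) tuples, one per host/process/destination combination.
    """
    stats = defaultdict(lambda: {"count": 0, "bytes_out": 0})
    for line in lines:
        f = parse_line(line)
        if f is None or "dst" not in f or "proc" not in f:
            continue  # skip malformed or incomplete records rather than failing
        dst_host = f["dst"].rsplit(":", 1)[0].lower()
        if dst_host not in CLOUD_STORAGE_HOSTS:
            continue
        if f["proc"].lower() in EXPECTED_PROCESSES:
            continue
        key = (f.get("host", "?"), f["proc"], dst_host)
        stats[key]["count"] += 1
        stats[key]["bytes_out"] += int(f.get("bytes_out", 0))
    return sorted(
        (host, proc, dst, s["count"], s["bytes_out"])
        for (host, proc, dst), s in stats.items()
    )


if __name__ == "__main__":
    for host, proc, dst, count, out in flag_cloud_c2(SAMPLE_LOGS):
        print(f"{host}: {proc} -> {dst} ({count} connections, {out} bytes out)")
```

In the constructed sample, the browser and the official Dropbox client are ignored, while `svchost.exe` beaconing to pCloud and a game updater uploading to Dropbox are both surfaced for triage. The allowlist is deliberately narrow; a real deployment would tune it to the organization's sanctioned clients and pair it with process-lineage data, since a backdoor may well run inside a legitimate-looking process name.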

ScarCruft, also known as APT37 or Reaper, has been active since at least 2012 and is widely associated with North Korean cyber-espionage efforts. While traditionally focused on government and military targets, this campaign highlights a shift toward more indirect attack vectors, leveraging trusted platforms to infiltrate targeted communities.

The findings underscore the growing sophistication of supply-chain attacks and the increasing use of cross-platform malware to expand reach and persistence, particularly in campaigns driven by geopolitical intelligence objectives.
