Gaming platform breach exposes Yanbian users

North Korea-linked hackers compromised a gaming platform used by ethnic Koreans in China’s Yanbian region, turning Windows and Android game software into surveillance tools aimed at users in a strategically sensitive border community.

Cybersecurity researchers identified the operation as the work of ScarCruft, also tracked as APT37, Reaper and Ricochet Chollima, a long-running espionage group aligned with Pyongyang. The campaign appears to have been active since late 2024 and centred on sqgame.net, a platform offering Yanbian-themed card and board games to users on Windows, Android and iOS.

The attack stands out because it used a trusted software distribution channel rather than a conventional phishing lure. By altering game downloads and update components, the operators were able to place backdoors on devices belonging to a community that includes ethnic Koreans, cross-border families, refugees and defectors from North Korea. Yanbian Korean Autonomous Prefecture, in Jilin province, borders North Korea and Russia and has long attracted attention from intelligence services because of its geography, language links and role in cross-border movement.

The Windows part of the campaign involved a malicious update package that replaced a legitimate mono.dll file with a trojanised version. Once installed, the altered file checked the device for virtual machines and analysis tools, then downloaded shellcode from compromised websites. That chain led to RokRAT, another ScarCruft-linked backdoor, which then installed BirdCall, a more advanced espionage implant.

BirdCall had previously been known mainly as a Windows backdoor. The campaign revealed an Android version that had not been publicly documented before, widening the group’s reach from desktop users to mobile devices. Researchers traced at least seven Android builds, beginning with version 1.0 around October 2024 and progressing to version 2.0 by June 2025, with later samples adding obfuscation to make analysis harder.

The Android malware was inserted into repackaged APK files for Yanbian Red Ten and New Drawing, two games offered through the compromised platform. The attackers appear to have modified the apps without access to original source code, altering the AndroidManifest.xml file so the spyware would run before the genuine game opened. The iOS title on the same platform was not found to have been altered, likely because Apple’s review and signing process makes this type of tampering more difficult.
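To show how the manifest tampering described above can be caught from a defender's side, here is an added example (not code from the article, the platform or the researchers) that compares a decoded AndroidManifest.xml against a known-good build of the same app and flags a changed launcher activity or newly requested permissions. The manifest, package name and class names are constructed, and the binary manifest is assumed to have been decoded already (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed sample manifest (not from the real games): a repackaged build in which an added
# activity (hypothetical name) now owns the MAIN/LAUNCHER filter and new permissions appear.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:name=".GameApplication">
    <activity android:name=".MainActivity"/>
    <activity android:name="com.loader.StartActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def launcher_activities(manifest_xml):
    # Fully qualified names of every activity carrying a MAIN + LAUNCHER intent filter.
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            cats = {c.get(NAME) for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                name = act.get(NAME)  # may be written relative to the package with a leading dot
                found.append(pkg + name if name.startswith(".") else name)
    return found

def check_repackaging(manifest_xml, expected_launcher, expected_permissions):
    # Compare against a known-good build of the same app; return a list of findings.
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    findings = []
    for name in launcher_activities(manifest_xml):
        if name != expected_launcher:
            findings.append("launcher activity changed: " + name)
        if not name.startswith(pkg + "."):
            findings.append("launcher activity outside app package: " + name)
    for perm in sorted({p.get(NAME) for p in root.findall("uses-permission")} - set(expected_permissions)):
        findings.append("unexpected permission: " + perm)
    return findings
```

A launcher activity whose class lives outside the app's own package, or a permission set that grew between two builds of a card game, is exactly the kind of difference worth checking before an update is trusted.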

Once active, the Android version of BirdCall collected contacts, SMS messages, call logs, device identifiers, network data and file listings from external storage. It searched for documents and media using extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .jpg, .m4a and .p12. The interest in .hwp files, widely used in Korean-language office environments, reinforced the assessment that the victims were likely Korean-speaking users.

The spyware could take screenshots, record audio through the microphone and collect personal documents. Some samples played a silent MP3 file in a loop to keep the infected app running in the background, a technique designed to maintain persistence on Android devices. Audio recording was limited to a three-hour local evening window between 7pm and 10pm, suggesting the operators had tuned the malware to capture conversations during hours when users were likely to be at home.

Command-and-control traffic relied on legitimate cloud services, including Zoho WorkDrive, while code references also pointed to pCloud and Yandex Disk. The use of mainstream cloud platforms has become a recurring feature in state-linked espionage campaigns because it helps malicious traffic blend with ordinary network activity and complicates blocking efforts for defenders.

The Windows version of BirdCall provides a broader set of capabilities, including screenshots, keystroke logging, clipboard theft, credential harvesting, file exfiltration and shell command execution. The Android version does not yet match all of those functions, but its surveillance toolkit is sufficient to expose communications, documents, location-related data and personal identifiers.

ScarCruft has operated for more than a decade and has repeatedly focused on targets connected to North Korea’s political and security interests, including government bodies, defence-linked organisations, human rights activists, academics and defectors. The Yanbian campaign fits that pattern because the region’s Korean-speaking population and border links make it a valuable target for intelligence collection.
