#ESETresearch uncovered a multiplatform supply-chain attack by the 🇰🇵 #ScarCruft APT group targeting the Yanbian region via backdoor-laced Windows and Android games. https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
In the attack, likely ongoing since late 2024, ScarCruft compromised sqgame, a video game platform used by ethnic Koreans living in the #Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors.
The sqgame Windows client was compromised through a malicious update serving the #RokRAT backdoor, which deployed ScarCruft’s more advanced #BirdCall backdoor. Android games were trojanized with the Android version of BirdCall – a new tool in ScarCruft’s arsenal.
The Android version of BirdCall implements a subset of the capabilities of its Windows counterpart – it collects contacts, SMS messages, call logs, and various documents, media files, and private keys. It can also take screenshots and record surrounding audio.
We believe that this campaign is probably aimed at collecting information on individuals in the Yanbian region and deemed of interest to the 🇰🇵 regime.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/scarcruft

Read the full analysis on WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/#article-2