Security researchers have reported a sophisticated supply-chain attack targeting a gaming platform designed specifically for ethnic Koreans in China. The threat actors, identified as North Korean state-sponsored groups, are believed to be responsible for compromising the platform, named SQgame. The service was built for the people of Yanbian, an autonomous prefecture in Jilin Province near the border with North Korea and Russia. Yanbian is noted as a key crossing point for North Korean defectors and refugees.
The group, which ESET researchers have tentatively identified as ScarCruft (also known as APT37 or Reaper), reportedly compromised both the Windows and Android components of the Yanbian-themed gaming service. The attackers used this access to deliver a malicious backdoor known as BirdCall.
This attack is described as potentially ongoing since late 2024. The malware, BirdCall, is designed to perform different actions depending on whether it is installed on a Windows or Android operating system.
On Windows, the backdoor enables several forms of data theft and system control. Its functions include capturing screenshots, logging keystrokes, stealing clipboard contents, executing shell commands, and exfiltrating data. The stolen information is uploaded to legitimate cloud storage services such as Dropbox or pCloud, which the attackers abuse as exfiltration channels.
On the Android platform, the malicious capabilities are different. ScarCruft leveraged the backdoor to exfiltrate contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio recordings.
Security researchers noted that the malware is actively maintained, as evidenced by the fact that the Android versions are still being hosted. The initial reports indicated that the threat actors were targeting their own compatriots, including defectors residing in or transiting through China.
ESET reported that while the malicious games seem to be limited to the Android platform, the overall platform was trojanized with the BirdCall backdoor, allowing data theft and command execution across multiple platforms. The scope of the targeting points specifically toward ethnic Koreans and defectors in the Yanbian area.