Full Report
A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its users since late 2024. The platform, sqgame[.]net, hosts traditional card and board games for a community that sits along the North Korean border and includes many refugees and defectors. ESET researchers tied the operation to ScarCruft,…
Analysis Summary
# Threat Actor: ScarCruft
## Attribution & Identity
* **Primary Name:** ScarCruft
* **Aliases:** APT37, Reaper
* **Associations:** North Korea-aligned state-sponsored espionage group.
## Activity Summary
Since late 2024, ScarCruft has been conducting a supply chain attack involving a gaming platform targeted at ethnic Koreans in China. The actors compromised the platform `sqgame[.]net` (and its update server) to deliver trojanized versions of Windows and Android card and board games. The campaign involves a multi-stage infection chain where a legitimate library is patched to download shellcode, eventually leading to the deployment of backdoors.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Trojanizing legitimate gaming software and hijacking update mechanisms.
* **Binary Patching:** Patching a legitimate library (`mono.dll`) with malicious downloader code.
* **Evasion & Anti-Analysis:** The downloader checks for the presence of analysis tools and virtual machine (VM) environments before proceeding.
* **Shellcode Execution:** Pulling shellcode from compromised third-party websites (specifically South Korean sites).
* **Artifact Cleanup:** Swapping the malicious `mono.dll` back to a clean copy after execution to hide traces of the infection.
* **MITRE ATT&CK IDs (Inferred):**
  * T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)
  * T1027 (Obfuscated Files or Information)
  * T1497 (Virtualization/Sandbox Evasion)
  * T1106 (Native API)
## Targeting
* **Sectors:** Gaming, Individual users/Defectors.
* **Geography:** China (specifically the community along the North Korean border) and South Korea (used for hosting infrastructure).
* **Victims:** Ethnic Koreans living in China, including North Korean refugees and defectors.
## Tools & Infrastructure
* **Malware Families:**
  * **RokRAT:** A long-standing backdoor associated with ScarCruft.
  * **BirdCall:** A C++ implant with advanced capabilities, first linked to the actor in 2021.
  * **Trojanized mono.dll:** Used as an initial downloader for shellcode.
* **Infrastructure:**
  * `sqgame[.]net` (Gaming platform)
  * `xiazai.sqgame.com[.]cn` (Malicious update host)
  * Compromised South Korean websites used for shellcode delivery and clean artifact storage.
## Implications
This campaign demonstrates ScarCruft's continued focus on surveillance and intelligence gathering regarding North Korean defectors and the diaspora. By targeting a niche gaming platform used by this specific community, the group achieves high-confidence targeting for long-term espionage. The cleanup step (restoring the clean `mono.dll` once the shellcode has run, so that a later point-in-time file check finds nothing wrong) highlights their operational maturity and emphasis on stealth.
## Mitigations
* **Application Whitelisting:** Restrict the execution of non-signed or unauthorized DLLs, especially within the folder structures of consumer applications.
* **Endpoint Monitoring:** Monitor for unexpected behavior from gaming applications, such as a game engine library (`mono.dll`) making network connections to unrelated external domains or South Korean IP addresses.
* **Integrity Checking:** Implement periodic file integrity monitoring (FIM) for installed software to detect unauthorized patching of libraries.
* **Software Sourcing:** Encourage users to download software only from officially verified sources. In a supply-chain case like this one, where the official platform and its update server were themselves compromised, that advice alone is not enough; users should also rely on reputable VPNs and security suites that flag behavior-based anomalies in legitimate-looking updates.
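The Artifact Cleanup technique above (patched `mono.dll` swapped back to a clean copy after execution) and the Integrity Checking mitigation fit together: a file integrity check that only compares the current hash against a baseline is blind to a library that was modified and then restored between two checks. The following is an added example, not code from the ESET report or from the sqgame[.]net platform. It keeps a per-file hash history across scans so the modify-then-restore sequence is still reported. File paths, file contents and the game folder layout are constructed for the demo; SHA-256 is assumed as the digest.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    """One integrity event for a monitored file."""
    path: str
    kind: str   # "new", "modified" or "reverted"
    old: str    # previous digest ("" for new files)
    new: str    # current digest


def digest(data: bytes) -> str:
    """SHA-256 hex digest of file content (assumed digest for this example)."""
    return hashlib.sha256(data).hexdigest()


def stateless_check(baseline: dict, snapshot: dict) -> list:
    """Naive FIM: report files whose current digest differs from the baseline.
    This is the check the swap-back trick is designed to defeat."""
    return [p for p, content in snapshot.items()
            if digest(content) != baseline.get(p)]


class IntegrityMonitor:
    """FIM that remembers every digest seen per file, so a file that is
    patched and later restored to its baseline copy still raises a finding."""

    def __init__(self, baseline: dict):
        self.baseline = dict(baseline)               # path -> clean digest
        self.history = {p: [h] for p, h in baseline.items()}

    def scan(self, snapshot: dict) -> list:
        findings = []
        for path, content in snapshot.items():
            h = digest(content)
            hist = self.history.setdefault(path, [])
            if not hist:                             # never seen before
                hist.append(h)
                findings.append(Finding(path, "new", "", h))
                continue
            prev = hist[-1]
            if h == prev:                            # unchanged since last scan
                continue
            hist.append(h)
            clean = self.baseline.get(path)
            if h == clean and prev != clean:
                # Back to the known-good copy after a deviation: the cleanup pattern.
                findings.append(Finding(path, "reverted", prev, h))
            else:
                findings.append(Finding(path, "modified", prev, h))
        return findings


# Constructed sample data: a game install with a clean engine library.
MONO = "C:/Games/sqgame/mono.dll"     # hypothetical path
GAME = "C:/Games/sqgame/game.exe"     # hypothetical path
CLEAN_MONO = b"clean mono.dll bytes"  # constructed placeholder content
PATCHED_MONO = b"clean mono.dll bytes + inserted downloader stub"  # constructed
GAME_EXE = b"game executable bytes"   # constructed


def demo() -> list:
    """Run three scans: clean, patched, restored. Returns (scan, kind, path)
    tuples from the history-aware monitor."""
    baseline = {MONO: digest(CLEAN_MONO), GAME: digest(GAME_EXE)}
    monitor = IntegrityMonitor(baseline)
    scans = [
        {MONO: CLEAN_MONO, GAME: GAME_EXE},    # scan 0: nothing has happened
        {MONO: PATCHED_MONO, GAME: GAME_EXE},  # scan 1: library has been patched
        {MONO: CLEAN_MONO, GAME: GAME_EXE},    # scan 2: clean copy swapped back
    ]
    events = []
    for i, snap in enumerate(scans):
        for f in monitor.scan(snap):
            events.append((i, f.kind, f.path))
    return events


def stateless_misses_cleanup() -> bool:
    """True when the naive check sees nothing wrong in the post-cleanup state."""
    baseline = {MONO: digest(CLEAN_MONO), GAME: digest(GAME_EXE)}
    return stateless_check(baseline, {MONO: CLEAN_MONO, GAME: GAME_EXE}) == []


if __name__ == "__main__":
    for scan_no, kind, path in demo():
        print(f"scan {scan_no}: {kind:8s} {path}")
    print("stateless check after cleanup reports nothing:", stateless_misses_cleanup())
```

The point the demo makes is that scan 2 looks identical to the baseline, so `stateless_check` is silent, while the history-aware monitor reports a `reverted` event for `mono.dll`. In practice this means an FIM deployment needs to retain previous digests (or at least log every change), run on a schedule short enough to catch the window between patch and restore, and treat any change to a game engine library as alert-worthy even if the file is clean by the time an analyst looks at it.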