Full Report
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
Analysis Summary
# Threat Actor: ScarCruft
## Attribution & Identity
* **Name:** ScarCruft
* **Aliases:** APT37, Reaper, Group123
* **Affiliation:** North Korea-aligned (DPRK) state-sponsored hacking group.
* **Associated Malware:** Long-running developer and operator of the "RokRAT" backdoor family, of which BirdCall is the latest evolution.
## Activity Summary
* **Campaign:** Targeted supply chain attack against a video game platform (sqgame[.]net) likely active since late 2024.
* **Operations:** Trojanizing Windows and Android components of the platform to deploy "BirdCall" malware.
* **Methodology:** Poisoning Android APKs and delivering trojanized DLLs via legitimate desktop client update packages.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Infiltrating a software provider to distribute malicious updates/installers.
* **Multi-Stage Loading:** Uses Ruby or Python scripts for initial infection; components are often encrypted with computer-specific keys.
* **Anti-Analysis:** Checks running processes for sandbox environments, virtual machines, and security analysis tools before execution.
* **Legitimate Cloud Services as C2:** Uses consumer cloud storage providers for Command and Control (C2), so that beaconing and exfiltration blend into ordinary HTTPS traffic to trusted domains and pass reputation-based network filters.
* **Surveillance:**
  * Screenshot capture and audio recording.
  * Keystroke logging and clipboard theft.
  * Exfiltration of contact lists, SMS, call logs, and documents.
## Targeting
* **Sectors:** Gaming, Civil Society (Defectors, Human Rights activists), Academia.
* **Geography:** Primarily ethnic Koreans residing in the Yanbian region of China (bordering North Korea and Russia).
* **Victims:** Users of the sqgame[.]net platform; specifically targeting individuals associated with North Korean defection or research.
## Tools & Infrastructure
* **Malware Families:**
  * **BirdCall:** An advanced evolution of RokRAT available for both Windows and Android.
  * **RokRAT:** The group's signature backdoor; historical variants include **CloudMensis** (macOS) and **RambleOn** (Android).
* **Infrastructure (Defanged):**
  * **C2 Services:** Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive.
  * **Malicious Domains and URLs:**
    * sqgame[.]net
    * sqgame.com[.]cn/ybht.apk
    * sqgame.com[.]cn/sqybhs.apk
## Implications
ScarCruft continues to demonstrate high technical agility by evolving its primary backdoor (RokRAT/BirdCall) into a multi-platform threat. The shift toward supply chain attacks on niche gaming platforms signifies a highly tactical approach to targeting specific vulnerable populations (defectors and their networks) while evading standard detection by leveraging trusted software channels and legitimate cloud infrastructure.
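The C2 pattern described above (and the Cloud Monitoring mitigation listed below) is detectable at the egress proxy, because the provider domains are few and stable even when the accounts behind them change. The following is an added example written for this summary, not code from the report or from any vendor: it parses Squid-style access log lines, maps destination hosts to the four providers named in this report, and raises the hits from a set of hosts that belong to a sensitive user group. The log lines, host names (`ws-research-07`, `ws-hr-02`, `ws-sales-11`) and the provider domain list are constructed for the example; confirm the domain list against current provider documentation before deploying it.

```python
"""Flag egress to personal cloud-storage providers from sensitive hosts.

Added example for this summary; not taken from the report or from any vendor.
All log lines, host names and the domain list below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Provider domain suffixes. Illustrative list assembled for this example;
# verify against each provider's current API documentation before use.
CLOUD_STORAGE_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "disk.yandex.ru": "Yandex Disk",
    "zoho.com": "Zoho WorkDrive",
    "zohoapis.com": "Zoho WorkDrive",
}

# Hypothetical hosts used by people in a sensitive group (constructed names).
SENSITIVE_HOSTS = {"ws-research-07", "ws-hr-02"}

# Squid native access.log layout:
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1711000001.123 45 ws-research-07 TCP_TUNNEL/200 3921 CONNECT api.pcloud.com:443 - HIER_DIRECT/1.2.3.4 -
1711000002.456 12 ws-research-07 TCP_TUNNEL/200 51233 CONNECT content.dropboxapi.com:443 - HIER_DIRECT/1.2.3.5 -
1711000003.789 9 ws-sales-11 TCP_MISS/200 1820 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1711000004.000 30 ws-hr-02 TCP_TUNNEL/200 2210 CONNECT cloud-api.yandex.net:443 - HIER_DIRECT/1.2.3.6 -
1711000005.000 30 ws-hr-02 TCP_TUNNEL/200 2210 CONNECT www.zohoapis.com:443 - HIER_DIRECT/1.2.3.7 -
1711000006.000 5 ws-sales-11 TCP_TUNNEL/200 800 CONNECT www.dropbox.com:443 - HIER_DIRECT/1.2.3.8 -
"""


def host_from_url(url: str) -> str:
    """Return the destination host from a full URL or a CONNECT host:port target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def classify(host: str):
    """Map a destination host to a provider name, or None if it is not one we track."""
    for suffix, provider in CLOUD_STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def detect(log_text: str, sensitive_hosts) -> list:
    """Return one record per request to a tracked provider, marking sensitive clients."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = host_from_url(m["url"])
        provider = classify(host)
        if provider is None:
            continue
        alerts.append({
            "client": m["client"],
            "host": host,
            "provider": provider,
            "bytes": int(m["bytes"]),
            "sensitive": m["client"] in sensitive_hosts,
        })
    return alerts


def summarize(alerts) -> dict:
    """Total bytes per (client, provider), for sensitive clients only."""
    totals = defaultdict(int)
    for a in alerts:
        if a["sensitive"]:
            totals[(a["client"], a["provider"])] += a["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, SENSITIVE_HOSTS)
    for a in found:
        flag = "ALERT" if a["sensitive"] else "info "
        print(f"{flag} {a['client']:<16} {a['provider']:<14} {a['host']} ({a['bytes']} B)")
    for (client, provider), total in summarize(found).items():
        print(f"total {client} -> {provider}: {total} B")
```

Byte totals per client and provider matter more than individual hits: a RokRAT-style implant uploads screenshots and recordings, so a workstation that only ever sent a few kilobytes to a provider suddenly pushing megabytes is the signal worth paging on, even where the provider is nominally allowed.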
## Mitigations
* **Application Whitelisting:** Restrict the execution of unknown scripts (Python/Ruby) and unsigned DLLs.
* **Cloud Monitoring:** Monitor and audit traffic to personal cloud storage providers (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive) from corporate or sensitive environments, and baseline upload volumes per host so that a sudden increase stands out.
* **Mobile Security:** Implement Mobile Threat Defense (MTD) to detect side-loaded malicious APKs and unusual permission requests (e.g., ambient audio recording).
* **Integrity Checking:** Verify software updates and installers against hashes or code signatures obtained independently of the download channel (a previously validated release or a pinned signing identity), even from trusted regional providers. A hash published next to a compromised download proves nothing, since the attacker who replaced the file can republish the hash.
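The trojanized-update delivery described in this report (a malicious DLL riding inside an otherwise legitimate desktop client update) is exactly the case an independent manifest check catches. The following is an added example written for this summary, not code from the report, the platform vendor, or any security product: it compares every file in an update ZIP against a `sha256sum`-style manifest and reports files that were modified, added, or removed. The package contents, file names (`client.exe`, `update.dll`, `loader.dll`, `config.ini`) and the manifest are constructed in memory; in practice the manifest must come from a source the update channel cannot tamper with.

```python
"""Verify an update package against an independently obtained SHA-256 manifest.

Added example for this summary; not code from the report or any vendor.
The package, file names and manifest below are constructed in memory.
"""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes}; stands in for a downloaded update."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse 'sha256  path' lines, the layout `sha256sum` emits; ignores blanks and comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[path.strip()] = digest.lower()
    return manifest


def verify_package(zip_bytes: bytes, manifest: dict) -> dict:
    """Classify each package entry as ok / modified / added; list manifest entries not shipped."""
    result = {"ok": [], "modified": [], "added": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            digest = sha256_hex(zf.read(info.filename))
            expected = manifest.get(info.filename)
            if expected is None:
                result["added"].append(info.filename)      # file the vendor never shipped
            elif expected != digest:
                result["modified"].append(info.filename)   # shipped file with changed contents
            else:
                result["ok"].append(info.filename)
    result["missing"] = sorted(set(manifest) - seen)
    for key in result:
        result[key].sort()
    return result


# Constructed known-good release. The manifest derived from it stands in for
# one obtained out of band (a prior validated release or a signed manifest).
CLEAN_FILES = {
    "client.exe": b"MZ-clean-client-binary",
    "update.dll": b"clean-update-helper",
    "config.ini": b"[server]\nhost=example.invalid\n",
}
MANIFEST_TEXT = "# constructed manifest\n" + "\n".join(
    f"{sha256_hex(data)}  {name}" for name, data in CLEAN_FILES.items()
)

# Constructed tampered package: update.dll replaced, loader.dll added, config.ini dropped.
TAMPERED_FILES = {
    "client.exe": CLEAN_FILES["client.exe"],
    "update.dll": b"trojanized-update-helper",
    "loader.dll": b"unexpected-extra-dll",
}


def check_clean() -> dict:
    return verify_package(build_zip(CLEAN_FILES), parse_manifest(MANIFEST_TEXT))


def check_tampered() -> dict:
    return verify_package(build_zip(TAMPERED_FILES), parse_manifest(MANIFEST_TEXT))


if __name__ == "__main__":
    for label, report in (("clean", check_clean()), ("tampered", check_tampered())):
        verdict = "PASS" if not (report["modified"] or report["added"] or report["missing"]) else "FAIL"
        print(f"{label}: {verdict} {report}")
```

Treat an "added" entry as seriously as a "modified" one: a supply chain implant is often a new DLL dropped beside the legitimate binaries, with nothing the vendor shipped changed at all. On Windows, pair the manifest check with a code-signature check of every PE in the package (for example `Get-AuthenticodeSignature` in PowerShell) and fail the update if any binary is unsigned or signed by an identity other than the one pinned for that vendor.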