Security News

Cybersecurity news aggregator

CRITICAL News The Hacker News

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

The North Korean state-sponsored group ScarCruft has compromised the sqgame[.]net gaming platform in a supply chain attack, trojanizing its Android and Windows components with the BirdCall backdoor to target ethnic Koreans. BirdCall provides extensive surveillance capabilities including screenshot capture, keystroke logging, and data exfiltration, using cloud services for command-and-control. The Android APKs hosted on the platform have been poisoned, while the Windows desktop client and iOS games remain unaffected in this campaign.

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
Ravie Lakshmanan, May 05, 2026. Cyber Espionage / Surveillance

The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.

According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia. It's also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River. The targeting of this platform is said to be a deliberate strategy given ScarCruft's storied history of targeting North Korean defectors, human rights activists, and university professors.

"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," the Slovakian cybersecurity company said in a report shared with The Hacker News ahead of publication.

Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors. BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and data gathering.
Like RokRAT, the malware relies on legitimate cloud services like Dropbox and pCloud for command-and-control (C2). "BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key," ESET said.

The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware's lineage has unearthed seven versions, with the first dating back to October 2024.

Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net have been altered to serve the malicious APKs:

    sqgame.com[.]cn/ybht.apk
    sqgame.com[.]cn/sqybhs.apk

It's currently not known when the website was breached and the poisoned APKs began to be distributed. However, it's believed that the incident occurred sometime in late 2024.

What's more, evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period. The update package is no longer malicious. Specifically, the modified DLL included a downloader that checks the list of running processes for analysis tools and virtual machine environments before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on the infected hosts.

The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. This includes pCloud, Yandex Disk, and Zoho WorkDrive, the last of which has become an increasingly common presence across multiple campaigns.
"The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings," ESET said.
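The report's recurring detection opportunity is the C2 channel: BirdCall and RokRAT talk to ordinary consumer cloud storage (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive), and the Windows loading chain starts from a Ruby or Python script. The following is an added example, not code from ESET or The Hacker News, showing how a defender might triage endpoint network telemetry for that pattern: flag any connection to those providers that does not come from an expected client, and rate script interpreters highest. The log line format, process allowlist, hostnames and severity rules are all assumptions; the sample records are constructed.

```python
"""Triage endpoint network telemetry for cloud-storage C2 use.

Added illustration (not ESET's or The Hacker News' code). The log
format, allowlist, hostnames and severity rules are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Providers named in the report. Matching on hostname substrings is an
# assumption for this illustration; a production rule would use the
# providers' published endpoint lists instead.
CLOUD_STORAGE_KEYWORDS = ("dropbox", "pcloud", "yandex", "zoho")

# Processes from which such traffic is expected (assumed allowlist).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}

# The report says the loading chain starts with a Ruby or Python script,
# so those interpreters reaching cloud storage are rated highest.
SCRIPT_INTERPRETERS = {"ruby.exe", "python.exe", "pythonw.exe"}

# Assumed line format: "<ts> host=<name> proc=<image> pid=<n> dst=<host:port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"pid=(?P<pid>\d+) dst=(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    pid: int
    destination: str
    provider: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_destination(dst: str) -> Optional[str]:
    """Return the provider keyword a destination belongs to, if any."""
    hostname = dst.rsplit(":", 1)[0].lower()
    for keyword in CLOUD_STORAGE_KEYWORDS:
        if keyword in hostname:
            return keyword
    return None


def find_suspicious(lines: Iterable[str]) -> List[Finding]:
    """Flag cloud-storage traffic from unexpected processes (one finding per
    host/process/pid/provider combination, in first-seen order)."""
    findings: List[Finding] = []
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed telemetry rather than crash
        provider = classify_destination(rec["dst"])
        if provider is None:
            continue  # not a cloud-storage destination
        proc = rec["proc"].lower()
        if proc in EXPECTED_CLIENTS:
            continue  # browsers and the official client are expected
        key = (rec["host"], proc, rec["pid"], provider)
        if key in seen:
            continue
        seen.add(key)
        severity = "high" if proc in SCRIPT_INTERPRETERS else "medium"
        findings.append(Finding(rec["ts"], rec["host"], rec["proc"],
                                int(rec["pid"]), rec["dst"], provider, severity))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_LOG = [
    "2024-11-12T08:01:03Z host=WS-17 proc=chrome.exe pid=4120 dst=www.dropbox.com:443",
    "2024-11-12T08:02:10Z host=WS-17 proc=ruby.exe pid=5532 dst=api.pcloud.com:443",
    "2024-11-12T08:02:11Z host=WS-17 proc=ruby.exe pid=5532 dst=api.pcloud.com:443",
    "2024-11-12T08:03:44Z host=WS-22 proc=outlook.exe pid=900 dst=outlook.office365.com:443",
    "2024-11-12T08:05:00Z host=WS-22 proc=svchost.exe pid=1201 dst=workdrive.zoho.com:443",
    "this line is malformed",
    "2024-11-12T08:06:30Z host=WS-09 proc=python.exe pid=7788 dst=cloud-api.yandex.net:443",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} {f.process} (pid {f.pid}) -> {f.destination}")
```

Run against the constructed sample, the rule ignores the browser's Dropbox traffic and the Office 365 connection, collapses the two identical Ruby events into one high-severity finding, and reports the svchost.exe connection to Zoho WorkDrive at medium severity because a service host is not an expected cloud-storage client. The allowlist is the part that needs tuning per environment; the provider list is the part to keep in step with threat intelligence.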
