North Korean hackers target gamers with trojanized platform – here’s what to look out for
- North Korean APT37 (ScarCruft) gang compromised a Yanbian gaming platform to deliver the BirdCall backdoor
- On Windows, it enabled data theft and command execution; on Android, it exfiltrated contacts, messages, media, and ambient audio
- The malware is actively maintained, with Android versions still hosted, targeting ethnic Koreans and defectors in China
North Korean state-sponsored threat actors are apparently targeting their compatriots living in (or moving through) China with advanced Android backdoors across gaming platforms.
A report from security researchers ESET claims to have seen an advanced supply-chain attack that probably began in late 2024. The threat actors, most likely ScarCruft (also known as APT37, or Reaper), managed to compromise SQgame, a multi-platform gaming service built specifically for the people of Yanbian.
The Yanbian Korean Autonomous Prefecture is an autonomous prefecture in China’s Jilin Province. It is located near the border with North Korea and Russia, and was established to give administrative autonomy to the large population of ethnic Koreans living there. According to ESET, Yanbian is also a key crossing point for North Korean refugees and defectors, which could be one of the reasons why it’s being targeted.
Article continues below
BirdCall malware
“In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor,” ESET said.
The backdoor is called BirdCall and, depending on the platform it is installed on, can do different things. On Windows, it can grab screenshots, log keystrokes, steal the contents of the clipboard, execute shell commands, and exfiltrate data. All of the stolen info is then uploaded to legitimate cloud services such as Dropbox or pCloud.
On Android, things are a bit different, allowing ScarCruft to also exfiltrate contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio. So far, the malware was updated seven times, leading researchers to believe it is being actively maintained.
ESET says that the platform is still hosting malicious games. However, these seem to be limited to the Android platform.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The best antivirus for all budgets

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Source
North Korean APT37 (ScarCruft) gang compromised a Yanbian gaming platform to deliver the BirdCall backdoor On Windows, it enabled data theft and command execution; on Android, it exfiltrated contacts, messages, media, and ambient audio The malware is actively maintained, with Android versions still hosted, targeting ethnic Koreans and defectors in…
Recent Posts
- Dave Eggers told OpenAI staff that ChatGPT was ‘silencing an entire generation’
- France doubles down on restricting access to Polymarket
- Apple has banned home service content on upcoming Maps ads
- Google might not kneecap the Pixel 11a with an old processor
- How to watch France vs England: Free Streams, TV Channels & Kick-Off time for FIFA World Cup 2026 third place play-off
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023