North Korean hackers target gamers with trojanized platform

By Aisha Nakamura
AI-powered tech writer covering gaming, consoles, and interactive entertainment.

North Korean hackers are targeting gamers through a supply-chain attack on sqgame[.]net, a gaming platform dedicated to ethnic Koreans in China’s Yanbian Korean Autonomous Prefecture. ScarCruft, the APT group behind the campaign, has trojanized both Android and Windows versions of games hosted on the platform, distributing a previously undocumented Android variant of the BirdCall backdoor. The operation, likely active since late 2024, remained undetected until ESET researchers discovered suspicious APK files on VirusTotal in October 2025, raising urgent questions about how gaming platforms have become vectors for state-sponsored espionage targeting defectors and activists in border regions.

Key Takeaways

  • ScarCruft compromised sqgame[.]net and distributed trojanized Android APKs for Yanbian Red Ten and New Drawing games.
  • Windows update package delivered trojanized mono.dll acting as a downloader for RokRAT and BirdCall backdoors since November 2024.
  • BirdCall’s Android variant marks the first documented mobile version of the backdoor, expanding ScarCruft’s multi-platform malware family.
  • Trojanized Android APKs remained available on sqgame[.]net as of May 2026, despite ESET’s December 2025 notification.
  • Campaign targets ethnic Koreans in Yanbian, a transit point for North Korean refugees and defectors, for intelligence collection.

How the attack on gamers unfolds

The infection chains differ between platforms but share a common goal: deploying the BirdCall backdoor while maintaining stealth. On Windows, users download what appears to be a legitimate sqgame client installer—which is clean—but the trojanization happens during the update process. When the application checks for updates, it fetches a malicious mono.dll file from xiazai.sqgame[.]cn that performs anti-analysis checks to detect security tools and virtual machines. Once it confirms the environment is safe, the compromised DLL downloads shellcode from hijacked South Korean websites, which then deploys the RokRAT backdoor. RokRAT subsequently installs the BirdCall implant, after which the trojanized mono.dll swaps itself back to a clean version from another compromised Korean site—erasing the most obvious trace of compromise.

The Android attack is simpler but equally effective. Users download APK files directly from sqgame[.]net for games like Yanbian Red Ten or New Drawing. These APKs have been repackaged with a modified AndroidManifest.xml file that redirects the entry point to the BirdCall backdoor before the legitimate game launches. This approach is particularly insidious because the game runs normally after the backdoor executes, leaving users unaware they are infected.
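As an added, defender-side example (not code from ESET, the article, or the platform), here is a Python triage check that compares a decoded AndroidManifest.xml against a known-good baseline and flags a changed Application class or launcher activity, the kind of entry-point redirection described above. It assumes the manifest has already been decoded to text XML (for example with apktool); the package and class names are constructed placeholders.

```python
"""Triage helper: flag changed launch entry points between a known-good
decoded AndroidManifest.xml and a suspect one (constructed samples below)."""
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"  # android:name
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

def entry_points(manifest_xml: str) -> dict:
    """Code that runs at launch: the Application subclass (which runs before
    any activity) and every activity with a MAIN/LAUNCHER intent filter."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {"application": None, "launchers": []}
    launchers = []
    for act in app.findall("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            cats = {c.get(NAME) for c in flt.findall("category")}
            if MAIN in actions and LAUNCHER in cats:
                launchers.append(act.get(NAME))
    return {"application": app.get(NAME), "launchers": sorted(launchers)}

def entry_point_diff(baseline_xml: str, sample_xml: str) -> list:
    """Findings where the sample's entry points differ from the baseline's;
    an empty list means they match."""
    base, cur = entry_points(baseline_xml), entry_points(sample_xml)
    findings = []
    if base["application"] != cur["application"]:
        findings.append("application class changed: "
                        f"{base['application']} -> {cur['application']}")
    for name in sorted(set(cur["launchers"]) - set(base["launchers"])):
        findings.append(f"new launcher activity: {name}")
    for name in sorted(set(base["launchers"]) - set(cur["launchers"])):
        findings.append(f"launcher activity removed: {name}")
    return findings

# Constructed samples (placeholder names): a clean manifest, and a copy whose
# Application class was swapped so foreign code runs before the game starts.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <application android:name="com.example.game.GameApp">
    <activity android:name="com.example.game.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
REPACKAGED_MANIFEST = CLEAN_MANIFEST.replace(
    "com.example.game.GameApp", "com.example.unknown.WrapperApp")
```

A baseline manifest can come from an APK obtained through an official channel or a previously verified build; the check catches a swapped Application class or an added launcher activity, but not code hidden inside an unchanged class.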

Why BirdCall’s Android variant changes the threat landscape

Until this campaign, BirdCall was known only as a Windows backdoor that evolved from the RokRAT family, which ScarCruft has maintained since at least 2021. The group has deployed platform-specific variants—CloudMensis for macOS and RambleOn for Android—but BirdCall remained Windows-only. The discovery of an undocumented Android version represents a significant expansion of ScarCruft’s capabilities, transforming BirdCall from a single-platform tool into a multi-platform implant. This shift matters because it suggests the group is consolidating its malware arsenal, potentially making future attacks more efficient and harder to attribute to specific platform vulnerabilities.

The trojanized games remain available on sqgame[.]net despite ESET’s notification in December 2025. While the Windows update package was cleaned by the time of publication in May 2026, the malicious Android APKs for Yanbian Red Ten and New Drawing were still downloadable. This persistence indicates either that the platform operators lack the resources to fully remediate the compromise or that ScarCruft maintains enough access to prevent complete cleanup. Either scenario is troubling for users in the region.

Who is being targeted and why it matters

Yanbian is no ordinary gaming hub. Nestled on the border between North Korea and Russia, the prefecture serves as a transit point for North Korean refugees and defectors fleeing the regime. It is also home to ethnic Korean communities with family ties to both sides of the border. ScarCruft’s focus on this region suggests the group is collecting intelligence on individuals of interest to Pyongyang: defectors, activists, South Korean government and military officials, and anyone else who might pose a threat to the regime’s stability. Gaming platforms offer an ideal cover for recruitment and surveillance because they attract the target demographic without raising obvious suspicion.

This campaign aligns with ScarCruft’s historical targeting patterns. The group has long focused on South Korean government and military networks, as well as North Korean defectors. By compromising a platform specifically designed for ethnic Koreans in Yanbian, ScarCruft is effectively casting a wide net in a geographically strategic location. The fact that iOS games on the platform remain untouched—likely due to Apple’s stricter review process—shows that the attackers are pragmatic about where they can maintain persistence.

What users should do right now

If you use sqgame[.]net, do not download games from the platform until it is confirmed clean by security researchers. Uninstall Yanbian Red Ten and New Drawing if you have already installed them, especially on Android devices. Check your Windows system for the sqgame client and consider removing it entirely if you no longer use it actively. For those in Yanbian or with connections to the region, assume that any gaming platform could be compromised and use a dedicated device for sensitive communications, or avoid gaming platforms altogether if security is a priority.

More broadly, this campaign underscores a critical vulnerability in how software is distributed. Unlike Google Play or the Apple App Store, which have review processes, direct downloads from third-party platforms bypass most security checks. Users downloading games from regional or niche platforms should treat those downloads with the same caution they would apply to any executable file from an untrusted source.

How does BirdCall compare to other North Korean malware?

ScarCruft’s BirdCall differs from other North Korean campaigns in scope and targeting. While BlueNoroff, a subgroup of the Lazarus collective, has focused on cryptocurrency firms using fake Zoom meetings to deliver clipboard-hijacking malware, ScarCruft targets political and military intelligence. BirdCall’s multi-platform nature also distinguishes it from many other North Korean implants, which tend to be platform-specific. The consolidation of BirdCall across Windows and Android suggests ScarCruft is evolving toward a more flexible toolkit.

Is my device at risk if I have never used sqgame[.]net?

No. Unless you have downloaded games from sqgame[.]net (specifically the Yanbian Red Ten or New Drawing APKs mentioned above), your device is not at direct risk from this campaign. The trojanized games are only distributed through sqgame[.]net, not through Google Play or other mainstream app stores. However, if you live in or have connections to Yanbian, it is worth being cautious about downloading games from any regional platform.

What is BirdCall and why should I care about it?

BirdCall is a backdoor developed by ScarCruft, a North Korean state-sponsored hacking group. It gives attackers remote access to infected devices, allowing them to steal files, monitor communications, and conduct espionage. The Android variant discovered in this campaign is particularly concerning because it expands the backdoor’s reach beyond Windows systems, making it a multi-platform threat that can compromise both computers and smartphones.

This campaign reveals a sobering reality: gaming platforms, especially those serving niche communities, can become espionage infrastructure. ScarCruft’s willingness to compromise sqgame[.]net and leave malicious APKs available for months shows that state-sponsored groups view gaming as a legitimate attack surface. Users in border regions, particularly those with ties to North Korea or involvement in activism, need to treat every download with suspicion. For the broader security community, the discovery of BirdCall’s Android variant signals that ScarCruft is expanding its capabilities and consolidating its toolkit—a sign that future campaigns will likely be more sophisticated and harder to detect.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
