ScarCruft hackers push BirdCall Android malware via game platform
APT37 delivers Android BirdCall backdoor via compromised game platform targeting North Korean refugees.
Summary
North Korean hacker group APT37 (ScarCruft) has deployed an Android variant of the BirdCall backdoor through a supply-chain attack on sqgame[.]net, a Chinese video game platform catering to Koreans in Yanbian region. The Android version, developed around October 2024, functions as spyware with capabilities including contact/SMS collection, screenshot capture, audio recording, and device fingerprinting. This marks the first documented Android iteration of the Windows-based BirdCall malware family, which has been associated with APT37 since 2021.
Full text
By Bill Toulas, May 5, 2026 05:04 AM

The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform.

While BirdCall is a known backdoor for Windows systems, APT37, also known as ScarCruft and Ricochet Chollima, has developed a variant for Android that doubles as spyware.

According to researchers at cybersecurity company ESET, the threat actor created BirdCall for Android around October 2024 and developed at least seven versions.

The attacks that ESET observed delivered the malware through sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. However, the researchers found that only Android and Windows are targeted by the ScarCruft attacks.

The platform caters to Koreans in the autonomous Yanbian region of China, which acts as a crossing point for North Korean defectors and refugees.

Figure: Games on the compromised platform (Source: ESET)

BirdCall spyware

BirdCall is a known malware family associated with ScarCruft and documented since 2021. The Windows version can record keystrokes, take screenshots, steal from the clipboard, exfiltrate files, and execute commands.

The campaign identified by ESET introduces a previously undocumented version of BirdCall developed for Android, which was delivered by trojanizing APKs on sqgame[.]net.
Figure: Trojanized version (right) vs clean APK (left) (Source: ESET)

The Android variant of BirdCall has the following capabilities:
- Extracts IP geolocation information
- Collects the contact list, call log, and SMS
- Collects device OS, kernel, rooted status, IMEI number, MAC address, IP address, and network info
- Sends to the C2 information about battery temperature, RAM, and storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12)
- Periodically takes screenshots
- Records audio via the microphone from 7 pm to 10 pm local time
- Plays a silent MP3 in a loop to prevent the suspension of its process
- Exfiltrates files from a specified directory

ESET’s analysis shows that the Android version of BirdCall does not yet feature all the commands present in the Windows version. Missing capabilities on Android include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion and dropping, and process killing.

On Windows systems, the infection chain begins with the installation of a trojanized DLL (mono.dll) that downloads and executes RokRAT, which then deploys the Windows version of BirdCall.

ScarCruft is notorious for using a broad range of custom malware, including THUMBSBD, which targets air-gapped Windows systems, the KoSpy Android malware that previously infiltrated Google Play, the M2RAT malware used in targeted espionage attacks, and the Dolphin mobile backdoor.

To minimize the risk of malware infections, users are advised to only download software from official marketplaces and trusted publisher sites.
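One defender-side check implied by the clean-versus-trojanized comparison above, as an added example that is not ESET's or the article's code: diff a suspect APK against a trusted copy of the same app at the ZIP layer, flagging a changed signing block, added code or native libraries, and added media assets (such as the looping MP3 described). The two APKs below are constructed stand-ins, not real samples, and the check assumes a trusted copy is available from the publisher.

```python
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")   # APK v1 signature blocks under META-INF/
CODE_OR_MEDIA = (".dex", ".so", ".mp3")        # entries worth a closer look when added


def apk_entries(apk_bytes: bytes) -> dict:
    """Map every ZIP entry of the APK to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def signer_entries(entries: dict) -> dict:
    """Only the signature-block entries, used to detect a re-signed APK."""
    return {n: h for n, h in entries.items()
            if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)}


def compare_apks(clean: bytes, suspect: bytes) -> dict:
    """Report added, removed and modified entries and whether the signer changed."""
    a, b = apk_entries(clean), apk_entries(suspect)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    modified = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # A trojanized build signed with the attacker's key changes these blocks.
        "signer_changed": signer_entries(a) != signer_entries(b),
        "suspicious": [n for n in added + modified if n.endswith(CODE_OR_MEDIA)],
    }


def build_apk(entries: dict) -> bytes:
    """Constructed sample: a minimal ZIP standing in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: a clean build, and the same app with extra code, an MP3 asset and a new signer.
CLEAN_APK = build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex035",
                       "META-INF/CERT.RSA": b"publisher-cert"})
SUSPECT_APK = build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex035",
                         "classes2.dex": b"dex035-extra", "assets/silence.mp3": b"ID3",
                         "META-INF/CERT.RSA": b"attacker-cert"})
```

Running `compare_apks(CLEAN_APK, SUSPECT_APK)` reports the two added entries and the changed signer; a signer change alone is enough to refuse an update regardless of what else differs.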
Indicators of Compromise
- domain — sqgame[.]net
- malware — BirdCall
- malware — RokRAT