• North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region of China.
• The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.
• Android games available on the gaming platform were trojanized to contain a new tool in ScarCruft’s arsenal – an Android version of the BirdCall backdoor. 
• The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.
• It is probable that the attack was aimed at collecting information on individuals deemed of interest to the North Korean regime – most likely refugees or defectors.

BRATISLAVA — May 5, 2026 — ESET researchers have uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor. The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was later discovered as part of this supply-chain attack.  

The Android version of BirdCall, discovered in the latest attack, implements a subset of the commands and capabilities of the Windows backdoor – it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio. ESET discovered, based on this investigation, that Android BirdCall has been actively developed over a span of several months and at least seven versions have been deployed.

Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, ESET concludes that the primary targets are ethnic Koreans living in Yanbian.  It is probable that the attack was aimed at collecting information on individuals based in (or originating from) the Yanbian region and deemed of interest to the North Korean regime – most likely refugees or defectors.

The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor. “Victims downloaded the trojanized games via a web browser from a single page on their devices and likely installed them intentionally. We did not identify any other APK locations or any malicious APKs on the official Google Play store. We were unable to determine when the website was first compromised and the supply-chain attack started. However, based on our analysis of the deployed malware, we estimate that it happened in late 2024,” says ESET researcher Filip Jurčacko, who discovered the latest attack by ScarCruft.

The Windows backdoor was initially discovered in 2021 and attributed to ScarCruft as part of ESET Threat Intelligence Reporting . The original Windows backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. 

ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. The group also targets North Korean defectors.

For a more details about BirdCall, check out the latest ESET Research blogpost “A rigged game: ScarCruft compromises gaming platform in a supply-chain attack,”  on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Download page leading to trojanized games

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.