Multiplatform Espionage: Deconstructing ScarCruft’s Sophisticated Supply-Chain Attack on Gaming Platforms

In a highly targeted display of cyber espionage, the North Korea-aligned APT group ScarCruft (also known as APT37 or Reaper) has executed a complex, multiplatform supply-chain compromise. By hijacking the distribution infrastructure of sqgame[.]net—a video game platform hosting traditional Yanbian-themed card and board games—the threat actors have successfully deployed advanced surveillance tools across both Windows and Android ecosystems.

The campaign, which appears to have been active since late 2024, specifically targets the ethnic Korean community within China’s Yanbian Korean Autonomous Prefecture. Given the region’s proximity to North Korea, researchers believe the primary victims are defectors, refugees, and individuals of political interest to the North Korean regime.

Technical Analysis: The Windows Compromise

The attack on the Windows desktop client is a masterclass in stealthy persistence. The threat actors compromised the platform’s update server to distribute a malicious version of the mono.dll library. This is a classic supply-chain tactic: rather than replacing the entire application, the attackers inject malicious logic into a legitimate dependency.

Yanbian Red Ten game (Source : ESET).
Visual representation of the Yanbian Red Ten game used as a delivery vehicle (Source : ESET).

Upon execution, the trojanized mono.dll initiates a sophisticated anti-analysis routine. It meticulously scans the host environment for debugging tools and virtual machine (VM) artifacts to evade detection by security researchers. Only once the environment is deemed “safe” does the downloader fetch and execute shellcode containing the RokRAT backdoor. This initial stage serves as a staging mechanism to deploy the more advanced BirdCall backdoor.

To minimize its forensic footprint, the malware employs a “self-healing” cleanup tactic: after the malicious payload has been successfully injected, the mono.dll fetches a legitimate, clean version of the library from compromised South Korean websites, effectively erasing the evidence of the compromise from the local file system.

Expansion into Mobile: The “Zhuagou” Android Backdoor

The campaign’s most significant evolution is its expansion into the Android ecosystem. ESET researchers identified trojanized versions of two specific Android games—Yanbian Red Ten and New Drawing—available directly via the official sqgame[.]net download portal.

Package tree comparison (Source : ESET).
A comparison of the package tree: the legitimate game (left) versus the trojanized version (right) (Source : ESET).

The Android variant of BirdCall, internally referred to by the moniker “zhuagou” (meaning “catching dogs”), is a purpose-built mobile surveillance tool. While it lacks the full feature set of its Windows counterpart, it is highly optimized for data exfiltration. The malware targets a wide array of sensitive file extensions, including:

  • Documents: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf
  • Regional Specifics: .hwp (Hancom Office files), which strongly indicates a focus on Korean-speaking populations.
  • Media/Identity: .jpg, .m4a, and .p12 (digital certificates).

The spyware includes advanced behavioral capabilities to ensure persistent surveillance. This includes taking screenshots and playing silent MP3 files in a continuous loop—a clever trick designed to prevent the Android OS from suspending the app’s background processes. Furthermore, the malware features a time-constrained microphone recording function, specifically programmed to activate between 7 PM and 10 PM local time.

Command-and-Control (C2) Infrastructure

To bypass traditional network security filters, ScarCruft utilizes legitimate cloud storage providers for its Command-and-Control (C2) communications. By routing stolen data through services like Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive, the attackers make their traffic appear indistinguishable from legitimate user activity.

During the investigation, researchers identified twelve distinct Zoho WorkDrive accounts linked to the Android operations, all utilizing zohomail addresses. This use of “living-off-the-cloud” techniques highlights the growing sophistication of APT groups in blending malicious traffic with standard enterprise and consumer cloud usage.

This campaign underscores a critical shift toward multiplatform, supply-chain-driven espionage, necessitating a defense-in-depth approach that monitors both desktop and mobile endpoints.

Related Articles

Back to top button