ESET details ScarCruft supply‑chain breach
- ESET said on May 5 that ScarCruft compromised a Yanbian gaming platform, slipping spyware into its Windows client and Android game downloads.
- The sharpest detail is the Android payload: a new BirdCall variant, developed across at least seven versions, that can steal files, texts, and audio.
- This matters because a niche software supplier became the delivery system for state espionage aimed at a tightly defined community.
Supply-chain attacks sound abstract, but this one is very concrete. A real gaming platform used by ethnic Koreans in China’s Yanbian region was turned into a spyware delivery channel. ESET laid out the campaign on May 5, saying the North Korea-aligned group ScarCruft compromised both the platform’s Windows side and its Android game downloads. The point was not smash-and-grab crime. It was quiet surveillance of a very specific community. (eset.com)

### What actually got compromised?

The target was a Yanbian-themed gaming platform, identified in outside coverage as sqgame[.]net, serving traditional card and board games to Korean-speaking users in northeastern China. On Windows, the platform’s client was pushed through a malicious update chain. On Android, ind(eset.com)ready trusted. (thehackernews.com)

### Why Yanbian?

Yanbian is not a random geography pick. It is home to a large ethnic Korean population and also matters as a transit area tied to North Korean refugees and defectors. ESET’s read is that the campaign was probably built to gather intelligence on people the North Korean regime cares about — especially defectors, refugees, or people co(thehackernews.com)where trust is high and scrutiny is low. (eset.com)

### What malware did victims get?

Windows victims were first hit with RokRAT, which then deployed BirdCall. Android victims got something newer — the first publicly described Android version of BirdCall. That matters because BirdCall had been known as a Windows backdoor. In this campaign, ScarCruft turned it into a cross-platform espionage toolset, which is a sign of deliberate investment rather than a one-off hack. (eset.com)

### What can Android BirdCall do?

Plenty. ESET says the Android strain can collect contacts, SMS messages, call logs, documents, media files, and even private keys. It can also take screenshots and record surrounding audio. Researchers say the malware was actively developed over several months, with at least seven deployed versions.

Basically, this was not a crude implant. It was iterated, tested, and refined while the campaign was live. (eset.com)

### When did this start?

The campaign was probably ongoing since late 2024. ESET says it could not determine the exact moment the website was first compromised, which is its own warning sign. Supply-chain breaches often blur the start date because the whole point is to hide inside normal software distribution. By the time a malicious update or app is spotted, victims may already have been running it for months. (eset.com)

### Why is the supply-chain part the real story?

Because the attacker did not need to trick each victim one by one. They poisoned the place users already went for software. It is the difference between picking pockets and swapping the cash machine. Once a trusted platform is compromised, downloading a game, updati(eset.com)ers alike. (eset.com)

### So what’s the bottom line?

This was a targeted espionage operation hiding inside ordinary software delivery. The novelty is not just “North Korean hackers used malware.” The novelty is that ScarCruft appears to have built an Android BirdCall line, paired it with a Windows infection chain, and used a community-(eset.com)ce infrastructure overnight. (eset.com)