ScarCruft Compromised a Yanbian Gaming Site to Hunt North Korean Defectors

ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the China-North Korea border. Trojanized Android APKs deploy a new BirdCall backdoor port. The APKs are still live.


ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the Chinese border with North Korea — a primary defector transit zone. Trojanized Android APKs deploy a previously undocumented Android port of the BirdCall backdoor. ESET notified the platform in December 2025; five months later, the malicious APKs are still being served.

ESET researcher Filip Jurčacko published findings on May 5, 2026 documenting a supply-chain attack the firm attributes with confidence to ScarCruft (also tracked as APT37 or Reaper), a North Korea-aligned state-sponsored group active since at least 2012. The campaign — probably ongoing since late 2024 — compromised both Windows and Android components of sqgame.net, a video-game platform "tailored for the people of Yanbian" hosting traditional Korean card and board games. The trojanized Android APKs deploy a new Android port of BirdCall, a backdoor ESET first attributed to ScarCruft on Windows in 2021.

The single most important fact: this is not enterprise-targeted malware. sqgame.net serves the ethnic Korean community in Yanbian Korean Autonomous Prefecture, the Chinese region bordering North Korea that functions as the primary high-risk transit point for North Korean defectors crossing the Tumen River. ESET assesses with confidence that the campaign aims to identify and surveil individuals based in or originating from Yanbian who are of interest to the North Korean regime — most likely refugees and defectors. ESET notified sqgame in December 2025 and received no response. As of publication on May 5, 2026, the trojanized APKs were still hosted on the website.

ScarCruft sqgame.net Campaign Profile

Threat actor: ScarCruft (also tracked as APT37 / Reaper); North Korea-aligned; MITRE ATT&CK G0067; active since at least 2012
Compromised platform: sqgame[.]net, a gaming platform serving the ethnic Korean community in Yanbian Korean Autonomous Prefecture, China
Campaign duration: probably ongoing since late 2024; trojanized APKs still hosted as of May 5, 2026
Backdoor deployed: BirdCall (ESET name); internally named "zhuagou" (Chinese: "catching dogs"); previously undocumented Android port of ScarCruft's existing Windows tool
Trojanized Android apps: 延边红十 ("Yanbian Red Ten", ybht.apk) and 新画图 ("New Drawing", sqybhs.apk); the third Android game on the platform was clean
Distribution: sideloaded from sqgame.com[.]cn via web browser; not present on Google Play
Windows component: trojanized mono.dll in an update package at xiazai.sqgame.com[.]cn; chain is downloader → RokRAT → BirdCall; malicious since at least November 2024
iOS component: not trojanized; ESET assesses ScarCruft skipped iOS because of Apple's review process
Android versions identified: seven Android BirdCall versions, v1.0 (October 2024) through v2.0 (June 2025), indicating active development
Command-and-control: HTTPS to legitimate cloud storage (pCloud, Yandex Disk, Zoho WorkDrive); 12 Zoho WorkDrive accounts used in the analyzed samples
Disclosure timeline: ESET notified sqgame in December 2025; no response received; ESET published May 5, 2026

Why Yanbian, and Why a Card-Game Site

The geographic and demographic specificity of the target is the lead, not the technical detail. Yanbian Korean Autonomous Prefecture sits in northeastern China, directly across the Tumen River from North Korea. It holds the largest concentration of ethnic Koreans in China and functions, in practice, as the primary corridor through which North Korean defectors transit on their way to South Korea or onward to third countries. The community there includes families with relatives still in North Korea, NGOs that assist defectors, and individuals, both ethnic-Korean Chinese citizens and recently arrived North Korean refugees, whose movements and contacts the North Korean regime has a long-standing operational interest in monitoring.

sqgame.net offers traditional Yanbian card and board games for Windows, Android, and iOS. It is exactly the kind of platform that would attract a high concentration of users from the targeted demographic without raising obvious suspicion. ESET's framing is precise: the campaign is designed to collect information on individuals "based in or originating from Yanbian who are of interest to the North Korean regime — most likely refugees or defectors." Compromising a community-specific gaming platform is a structural choice. The infection vector is whoever installs a regional card game, not whoever clicks a phishing email — which means the targeting is automatic for the threat actor and invisible to the victim.

This is a continuity point with our prior coverage of North Korean activity targeting macOS via AppleScript and ClickFix. That earlier piece covered Sapphire Sleet and UNC1069, financially motivated clusters in the Lazarus orbit, hunting fintech and crypto operators on Macs. ScarCruft (APT37/Reaper) is a separate DPRK group with a different mission, here running an operational thrust against a defined ethnic community rather than against money. The DPRK's cyber ecosystem is broader and more diversified than the financially motivated Lazarus subgroups that get most Western coverage.

The Android BirdCall: Capability Set and Tradecraft

Android BirdCall is, per ESET, a previously undocumented port of ScarCruft's existing Windows backdoor. The first version (v1.0) is timestamped October 2024; ESET identified seven distinct versions through v2.0 in June 2025 — sustained, iterative development typical of a tooled APT operation rather than a one-off. The capability set is consistent with surveillance malware purpose-built for individual-targeting operations rather than enterprise espionage:

  • Collection of contacts, SMS messages, and call logs
  • Theft of documents and media files matching specific extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, .p12
  • Screenshot capture, with some versions playing a silent MP3 in a loop to prevent the trojanized app from being suspended in the background while screenshots are being taken
  • Ambient audio recording, restricted to a three-hour evening window (7 p.m.–10 p.m. local time) when enabled
  • Periodic upload of device info, IP geolocation (via ipinfo.io/json), and cloud-storage configuration to command-and-control

The file extension list is itself an attribution signal. The inclusion of .hwp — Hancom Office, the dominant Korean word processor — is standard for Korean-targeting malware and a reliable indicator of operations against Korean-language users. The inclusion of .p12 is the more interesting choice: PKCS#12 files contain private keys and certificates, the kind of credential material that would let an operator impersonate a victim across services rather than just observe them.
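The capability set above is usable as a static triage signature even before a sample is run. The script below is an added example, not ESET's tooling: it unpacks an APK (a ZIP) in memory, pulls printable strings from every entry, and scores them against indicator families drawn from the capabilities ESET describes: the targeted extensions (with .hwp and .p12 weighted as the discriminating pair), the ipinfo.io/json geolocation lookup, cloud-storage C&C hosts, and the dangerous permissions such a backdoor needs. It scans both (M)UTF-8 DEX string tables and the UTF-16LE string pool of a compiled AndroidManifest.xml, which an ASCII-only strings pass misses. The score thresholds, the cloud host patterns, and the two stand-in APKs it builds for itself are assumptions for illustration.

```python
import io
import re
import zipfile

# Extension set ESET reports the Android backdoor steals; .hwp and .p12 are the
# discriminating ones, the rest are common enough to appear in benign apps too.
TARGET_EXTS = [".jpg", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".txt", ".hwp", ".pdf", ".m4a", ".p12"]
GEO_LOOKUP = re.compile(rb"ipinfo\.io/json")
# Cloud-storage services the report names as C&C transports; host patterns are assumptions.
CLOUD_HOSTS = re.compile(rb"(workdrive\.zoho|zohoapis\.com|pcloud\.com|disk\.yandex|cloud-api\.yandex)")
SENSITIVE_PERMS = [b"READ_SMS", b"READ_CONTACTS", b"READ_CALL_LOG",
                   b"RECORD_AUDIO", b"READ_EXTERNAL_STORAGE"]
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # compiled manifest string pools are UTF-16LE by default


def extract_strings(apk_bytes):
    """Pull printable strings out of every entry of an APK (a ZIP). DEX string
    tables are (M)UTF-8, the compiled manifest is usually UTF-16LE, so both
    encodings are scanned and normalised to bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            found.extend(ASCII_RUN.findall(data))
            found.extend(m.decode("utf-16-le").encode() for m in UTF16_RUN.findall(data))
    return found


def triage(apk_bytes):
    """Score an APK against the BirdCall capability set; thresholds are assumptions."""
    blob = b"\n".join(extract_strings(apk_bytes))
    # Negative lookahead so ".doc" does not also fire on ".docx".
    exts_hit = [e for e in TARGET_EXTS
                if re.search(re.escape(e.encode()) + rb"(?![A-Za-z0-9])", blob)]
    perms_hit = [p.decode() for p in SENSITIVE_PERMS if p in blob]
    cloud_hit = sorted({m.decode() for m in CLOUD_HOSTS.findall(blob)})
    geo_hit = GEO_LOOKUP.search(blob) is not None

    score = 0
    if ".hwp" in exts_hit and ".p12" in exts_hit:
        score += 3          # Korean-targeting plus key-material theft
    elif len(exts_hit) >= 5:
        score += 2
    if geo_hit:
        score += 2
    if cloud_hit:
        score += 2
    if len(perms_hit) >= 3:
        score += 2
    return {
        "extensions": exts_hit,
        "permissions": perms_hit,
        "cloud_hosts": cloud_hit,
        "ipinfo_lookup": geo_hit,
        "score": score,
        "verdict": "suspicious" if score >= 6 else "benign",
    }


def build_sample_apk(manifest_text, dex_strings):
    """Constructed stand-in APK for offline testing: a ZIP holding a fake
    UTF-16LE manifest and a fake DEX whose string table is NUL-separated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_text.encode("utf-16-le"))
        z.writestr("classes.dex", b"\x00".join(s.encode() for s in dex_strings))
    return buf.getvalue()


TROJANIZED_SAMPLE = build_sample_apk(
    "android.permission.READ_SMS android.permission.READ_CONTACTS "
    "android.permission.READ_CALL_LOG android.permission.RECORD_AUDIO",
    ["Lcom/game/Main;", ".hwp", ".p12", ".docx", ".pdf", ".jpg", ".m4a",
     "https://ipinfo.io/json", "https://workdrive.zoho.com/api/v1/upload"],
)
CLEAN_SAMPLE = build_sample_apk(
    "android.permission.INTERNET",
    ["Lcom/game/Main;", ".png", "https://scores.example.invalid/submit"],
)

if __name__ == "__main__":
    for label, apk in (("trojanized", TROJANIZED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(apk))
```

Run it against the real APKs by passing the file bytes to triage(); a hit on .hwp plus .p12 together with a cloud-storage host is the combination worth escalating, since ordinary card-game apps have no reason to enumerate PKCS#12 files.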

Command-and-control is routed through legitimate cloud-storage services over HTTPS — pCloud, Yandex Disk, and Zoho WorkDrive in the codebase, with only Zoho WorkDrive actively used in the analyzed samples. ESET observed 12 Zoho WorkDrive accounts being used as C&C, with display names ("tomasalfred37," "Smith Bentley," "Mic haelLarrow19") and registration emails on the zohomail[.]com domain. This is an instance of a recurring 2025–2026 pattern of threat actors abusing Zoho WorkDrive for malware C&C; ScarCruft is not the only operator using this technique.

The Windows Component and Why ESET's Tradecraft Read Holds

The Windows attack chain is more elaborate than the Android one and is what allowed ESET to make the attribution call with confidence. The platform's standalone desktop client itself was clean at the time of analysis. The compromise was instead in an update package — a ZIP file at http://xiazai.sqgame.com[.]cn/dating/20240429.zip — containing a trojanized mono.dll library. ESET's telemetry shows the package was malicious since at least November 2024; by the time of writing, it had been replaced with a clean version, suggesting either the operators rotated their staging or a third party removed the payload.

The trojanized DLL was a downloader. On execution, it ran sandbox and VM checks, then downloaded shellcode containing RokRAT, ScarCruft's longtime Windows tool. RokRAT then deployed BirdCall as the second-stage implant. After payload delivery, the downloader replaced the trojanized library with a clean version on the victim's disk, eliminating the obvious forensic trail. For responders this matters: a clean mono.dll on disk does not clear a host, so the library's modification time relative to the package's install date and the host's execution artifacts need to be examined rather than its current hash alone. Both the shellcode and the clean replacement library were hosted on compromised legitimate South Korean websites, what ESET describes as "a typical TTP of ScarCruft" and one of the strongest single attribution signals in the report.

The decision to skip iOS is operationally interesting. ESET assesses ScarCruft chose not to trojanize the iOS games because Apple's review process would catch the modified app at submission. That assessment is consistent with the broader pattern of state-sponsored mobile-targeting operations preferring Android sideload as the path of least resistance. It also implicitly limits the targetable population: Yanbian community members on iPhones are out of scope for this particular operation, though nothing in the report bears on whether the group can reach iOS users by other means.

The Five-Month Notification Gap

The most uncomfortable detail in ESET's disclosure is the unaddressed compromise. ESET notified sqgame in December 2025. Five months later, on May 5, 2026, the trojanized APKs were still being hosted on the website. ESET did not receive a response.

The interpretive options are limited. The platform's operators may be unresponsive in the routine sense — small operators frequently miss vulnerability disclosures, particularly from foreign-language security firms. They may lack the technical capacity to identify or remediate the compromise even after notification. Or, in the worst case, the operators may be aware and unwilling to act for reasons ESET does not speculate on. ESET makes no allegation in any direction; the report simply notes the gap.

For users in the Yanbian community who downloaded these APKs at any point since late 2024, the practical implication is that infection is the default state. The operational asymmetry, five months of confirmed disclosure with continued live distribution, is the part defenders should weight when prioritizing community outreach.

Defender Actions for Affected Communities and Adjacent Organizations

  • For NGOs and research institutions working with North Korean defectors, Korean-affairs scholars, or members of the broader Korean diaspora: brief affected staff on this specific campaign and the wider ScarCruft pattern. Standard awareness training does not cover targeted ethnic-community surveillance; a tailored brief does. ESET's full IOC list at github.com/eset/malware-ioc/tree/master/scarcruft is the canonical reference.
  • For mobile-device-management programs: enforce policies that prevent sideloading from "Unknown sources" on managed Android devices. This campaign's entire initial-access vector is users downloading APKs from a website. MDM-enforced sideload restrictions neutralize it. Where MDM is impractical (personal devices, contractor populations), advise affected staff explicitly to install games and entertainment apps only from Google Play, never via direct APK download.
  • For all defenders: add the Zoho WorkDrive abuse pattern to detection coverage. Twelve Zoho WorkDrive accounts being used for malware C&C in this campaign alone is part of a growing 2025–2026 trend across multiple actors. Consider behavioral detection for HTTPS connections from unusual endpoints (mobile or workstation) to Zoho WorkDrive API endpoints, particularly outside business hours and from accounts not associated with your Zoho tenant.
  • Hunt for the ESET-published IOCs if your environment overlaps with the Korean-affairs community. The infrastructure list — 39.106.249[.]68, 211.239.117[.]117, 114.108.128[.]157, 221.143.43[.]214, 222.231.2[.]20, 222.231.2[.]23, 222.231.2[.]41 — is high-fidelity for this campaign and includes compromised legitimate South Korean infrastructure. Adding the Windows BirdCall hash to your detection corpus is straightforward; the canonical sample on VirusTotal is SHA-1 B06110E0FEB7592872E380B7E3B8F77D80DD1108.
  • For organizations whose users may have personally installed sqgame.net Android apps: assume compromise on those devices and treat them as out-of-scope for sensitive activity until they are wiped and reprovisioned. The trojanized APKs collect .p12 private-key files, which means any credentials stored on those devices should be considered exposed.

The CyberSignal Analysis

Signal 01 — Targeted-community surveillance is a distinct threat model from enterprise APT

Most coverage of North Korean cyber operations focuses on Lazarus-aligned financial-theft activity — crypto exchange heists, bank wire fraud, defense contractor IP theft. APT37/ScarCruft's operations against the Yanbian community are a different category entirely. The targets are individuals defined by ethnic and political identity, the data of interest is contacts and communications rather than IP or money, and the operational tempo is patient, multi-year surveillance rather than smash-and-grab. Defenders who model North Korean cyber risk only through the financial-theft frame miss the dimension entirely. For organizations whose missions touch the defector community, the human-rights NGO ecosystem, or Korean-affairs research, this campaign is the threat model — not Lazarus.

Signal 02 — The disclosure-to-remediation gap is the operational risk

The five months between ESET's December 2025 notification and the May 5 publication, during which the trojanized APKs continued to be served, is the part that should reshape how defenders think about supply-chain compromises of small operators. The vendor-disclosure model assumes the compromised party will act on notification. When the compromised party is a community gaming platform with limited technical capacity, no SOC, and no clear regulatory obligation to respond, the assumption fails. The result is an extended window during which infection is the default for new users — and the population at risk is precisely the one defined by the threat actor's targeting choice. Threat-intelligence teams should expect more of this pattern as APT operators target community-specific platforms whose operators do not meet conventional vendor-disclosure expectations.

Signal 03 — Cloud-service abuse for C&C is now infrastructure, not technique

Twelve Zoho WorkDrive accounts running command-and-control for one campaign is a data point in a much larger pattern. Across 2025–2026, ScarCruft, multiple Russian-speaking operators, and several Chinese clusters have all adopted legitimate cloud storage (Zoho WorkDrive, pCloud, Yandex Disk, Dropbox, Google Drive) as a C&C transport. The structural reasons are obvious: HTTPS to legitimate corporate domains evades network-perimeter filtering, the services offer free or low-cost accounts, and abuse takedowns require provider cooperation that lags behind operational tempo. Defenders relying on domain reputation and IP blocklists are fighting the previous war. The current detection model has to be behavioral: which endpoints are reaching which cloud-storage APIs, at what times, in what volumes, against what user-agent and TLS fingerprint baseline. Zoho WorkDrive showing up in this campaign should be read not as an oddity but as confirmation that the cloud-C&C model has matured into an operational standard for state-aligned APTs.
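The IOC hunt and the Zoho WorkDrive behavioral detection from the defender actions list, and the baseline-driven model this Signal argues for, can be run from one pass over proxy logs. The script below is an added example, not ESET's or CyberSignal's tooling. It applies the ESET-published IPs and the update-package URL as exact-match indicators (undefanged here because they are matched, not fetched), and flags WorkDrive traffic that is either off-baseline (a host with no sanctioned Zoho workflow) or outside business hours. The log line format, the 08:00-18:00 business window, the host patterns used to recognise WorkDrive, the baseline host list, and the sample log are all constructed assumptions; destination IPs outside the IOC set use the 203.0.113/24 documentation range.

```python
from collections import Counter
from datetime import datetime
import re

# Infrastructure published by ESET for this campaign (see the defender actions above).
CAMPAIGN_IPS = {
    "39.106.249.68", "211.239.117.117", "114.108.128.157", "221.143.43.214",
    "222.231.2.20", "222.231.2.23", "222.231.2.41",
}
CAMPAIGN_URL = re.compile(r"xiazai\.sqgame\.com\.cn/dating/20240429\.zip")
# Assumption: WorkDrive traffic is recognisable by a zoho/zohoapis host with
# "workdrive" in the host or path; adjust to the API hosts seen in your own proxy.
ZOHO_HOST = re.compile(r"(^|\.)zoho(apis)?\.[a-z.]+$")


def parse_line(line):
    """Constructed proxy-log shape: ts host src_ip method url dst_ip bytes_out."""
    ts, host, src_ip, method, url, dst_ip, bytes_out = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src_ip,
            "method": method, "url": url, "dst_ip": dst_ip, "bytes_out": int(bytes_out)}


def is_workdrive(url):
    m = re.match(r"https?://([^/]+)(/.*)?", url)
    if not m:
        return False
    host, path = m.group(1).lower(), (m.group(2) or "").lower()
    return ZOHO_HOST.search(host) is not None and "workdrive" in host + path


def hunt(lines, zoho_baseline_hosts, business_hours=(8, 18)):
    """Return one alert per matching event: exact IOC hits on IP or URL, and
    WorkDrive traffic that is off-baseline (host not expected to use Zoho)
    and/or outside business hours (assumed 08:00-18:00 local)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["dst_ip"] in CAMPAIGN_IPS:
            alerts.append({"rule": "ioc_ip", "host": ev["host"], "indicator": ev["dst_ip"]})
        if CAMPAIGN_URL.search(ev["url"]):
            alerts.append({"rule": "ioc_url", "host": ev["host"], "indicator": ev["url"]})
        if is_workdrive(ev["url"]):
            reasons = []
            if ev["host"] not in zoho_baseline_hosts:
                reasons.append("host_not_in_zoho_baseline")
            if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
                reasons.append("outside_business_hours")
            if reasons:
                alerts.append({"rule": "cloud_c2_workdrive", "host": ev["host"],
                               "indicator": ev["url"], "method": ev["method"],
                               "bytes_out": ev["bytes_out"], "reasons": reasons})
    return alerts


def by_host(alerts):
    """Hosts with several independent hits are the ones to image first."""
    return dict(Counter(a["host"] for a in alerts))


# Constructed sample log for offline use.
SAMPLE_LOG = [
    "2026-05-06T10:02:11 WS-FIN-07 10.1.4.22 GET https://www.example.com/ 203.0.113.10 512",
    "2026-05-06T22:14:09 WS-RES-03 10.1.7.15 PUT https://upload.zoho.com/workdrive-api/v1/upload 203.0.113.20 183004",
    "2026-05-06T14:30:00 WS-HR-01 10.1.2.8 POST https://www.zohoapis.com/workdrive/api/v1/files 203.0.113.21 2048",
    "2026-05-06T14:31:00 WS-RES-03 10.1.7.15 GET http://xiazai.sqgame.com.cn/dating/20240429.zip 203.0.113.30 420000",
    "2026-05-06T03:05:44 WS-RES-03 10.1.7.15 GET https://update.example.org/check 222.231.2.23 9000",
    "2026-05-06T09:00:00 WS-HR-01 10.1.2.8 PUT https://upload.zoho.com/workdrive-api/v1/upload 203.0.113.20 5000",
]
ZOHO_BASELINE = {"WS-HR-01"}  # assumption: HR is the only team with a sanctioned Zoho workflow


def run_sample():
    return hunt(SAMPLE_LOG, ZOHO_BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
    print(by_host(run_sample()))
```

On the sample, the HR workstation's daytime WorkDrive uploads produce nothing, while the research workstation accumulates three independent hits (an off-hours WorkDrive upload, the update-package URL, and a campaign IP). The baseline set is the part that needs care: it must be built from your Zoho tenant's actual users, not from whoever has historically talked to Zoho, or an already-infected host becomes its own baseline.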


Sources

Primary: ESET WeLiveSecurity (Filip Jurčacko), "Rigged Game: ScarCruft Compromises Gaming Platform in Supply-Chain Attack"
IOCs: ESET GitHub, ScarCruft IOC repository (github.com/eset/malware-ioc/tree/master/scarcruft)
Reporting: The Hacker News (Ravie Lakshmanan), "ScarCruft Hacks Gaming Platform to Surveil Defectors"
Group profile: MITRE ATT&CK, APT37 / ScarCruft (G0067)
Prior analysis: S2W, "Matryoshka Variant of RokRAT (APT37/ScarCruft)"
