
North Korean Group Targets Gamers in Supply Chain Attack

A state-sponsored hacking group aligned with North Korea known as <a href="https://delimiter.online/blog/APT37-facebook-rokrat/" title="ScarCruft">ScarCruft</a> has compromised a video game platform in a coordinated supply chain espionage attack. The operation involved trojanizing components of the platform with a backdoor called BirdCall, which is designed to target ethnic Koreans living in China.

The attack represents an escalation in the group’s capabilities. While previous versions of the BirdCall backdoor were primarily deployed against Windows users, analysts assess that this supply chain compromise has enabled the hackers to broaden their reach to include Android operating systems as well.

ScarCruft, also tracked by cybersecurity researchers under the names APT37, Reaper, and Group123, has a long history of conducting cyber espionage operations in support of North Korean strategic interests. The group is known for targeting dissidents, journalists, and academics, particularly those connected to North Korean affairs.

Compromised Gaming Platform Details

Security researchers at SentinelLabs, who discovered the campaign, identified the compromised platform as a legitimate online gaming platform popular among the Korean diaspora. The exact name of the platform has not been disclosed to allow for remediation efforts, but it is described as a video game platform with a substantial user base.

The attackers inserted the BirdCall backdoor into one of the platform’s software update components. When users downloaded or updated the gaming software, they unwittingly installed the malicious payload alongside legitimate game files. This method, known as a supply chain attack, allows threat actors to infect a large number of targets by compromising a single trusted source.

BirdCall Backdoor Capabilities

The BirdCall backdoor is a sophisticated piece of malware that provides remote access to infected systems. Once installed, it can exfiltrate files, record keystrokes, capture screenshots, and download additional malicious modules. Researchers noted that the Android version of BirdCall is still relatively nascent compared to its Windows counterpart, but it includes capabilities for stealing SMS messages and call logs.

The malware communicates with command-and-control servers operated by the ScarCruft group. It uses encrypted channels to hide its traffic and avoid detection by security software. The targeting criteria appear to be geographic and linguistic, focusing on devices set to Korean language and located in China or regions with significant Korean communities.

Implications for Users

Users of gaming platforms, particularly those serving ethnic Korean audiences, are advised to update their software only from official sources and to verify digital signatures on updates. Organizations operating in the technology and entertainment sectors in East Asia should also remain vigilant for signs of supply chain compromise.

The use of a gaming platform as a vector for espionage illustrates a growing trend among state-sponsored groups: exploiting the trust users place in popular consumer applications. ScarCruft has previously targeted cryptocurrency exchanges, media outlets, and government agencies in the region.

SentinelLabs has shared indicators of compromise with relevant authorities and the affected gaming company to assist in mitigation efforts. The company has not publicly commented on the breach or the timeline for patching the affected systems.

Experts recommend that users of any software platform in the affected region check for unusual system behavior, unexpected network connections, or unauthorized file transfers. Past ScarCruft campaigns have been linked to the North Korean Reconnaissance General Bureau, the country’s primary military intelligence agency.

As investigations continue, security analysts expect that more details will emerge about the breadth of the infection and the data accessed by the threat actors. The event serves as a reminder that supply chain attacks remain one of the most effective methods for state-sponsored groups to achieve widespread compromise with minimal effort.

Users can expect further patches and security advisories from the affected platform in the coming weeks. Organizations are encouraged to monitor threat intelligence feeds for updates on the BirdCall malware and related infrastructure.

Source: SentinelLabs