The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform.
While BirdCall is a known backdoor for Windows systems, APT37, also known as ScarCruft and Ricochet Chollima, has developed a variant for Android that doubles as spyware.
According to researchers at cybersecurity company ESET, the threat actor created BirdCall for Android around October 2024 and developed at least seven versions.
The attacks that ESET observed delivered the malware through sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. However, the researchers found that only the Android and Windows downloads were used in the ScarCruft attacks; the iOS offerings were not targeted.
The platform caters to ethnic Koreans in China's Yanbian Korean Autonomous Prefecture, a border region that serves as a crossing point for North Korean defectors and refugees.
[Image: Games on the compromised platform. Source: ESET]
BirdCall spyware
BirdCall is a known malware family associated with ScarCruft and documented since 2021. The Windows version can log keystrokes, capture screenshots, harvest clipboard contents, exfiltrate files, and execute operator-supplied commands.
The campaign identified by ESET introduces a previously undocumented Android build of BirdCall, delivered through trojanized APKs hosted on sqgame[.]net: legitimate game packages were repackaged with the backdoor and served from the compromised platform, so victims believed they were installing ordinary games.
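A repackaged APK cannot carry the original publisher's signing certificate, since the attacker has to re-sign it with a key they control, so pinning the signer fingerprint is the cheapest check a defender or a download portal can run against a supply-chain swap of this kind. The script below is an added example, not code from ESET or from the page; it builds tiny in-memory zips that mimic a v1-signed APK (the certificate blobs and file contents are constructed placeholders, not real signer data) and rejects any package whose META-INF signer does not match the pinned fingerprint.

```python
import hashlib
import io
import zipfile

# Constructed sample data, not real artifacts: two placeholder blobs standing
# in for the PKCS#7 contents of META-INF/CERT.RSA. A real APK carries a DER
# PKCS#7 structure here; fingerprinting the raw blob is enough to tell a
# re-signed (repackaged) build from the publisher's own build.
ORIGINAL_CERT = b"-----PLACEHOLDER-PUBLISHER-CERT-----"
ATTACKER_CERT = b"-----PLACEHOLDER-REPACKAGER-CERT-----"

# Fingerprint a defender would pin after verifying a known-good release.
PINNED_SIGNERS = {hashlib.sha256(ORIGINAL_CERT).hexdigest()}

# Magic trailer of the v2/v3 APK Signing Block (16 bytes).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def build_apk(cert_blob: bytes, signed: bool = True) -> bytes:
    """Build a minimal zip laid out like a v1 (JAR) signed APK.

    This is a stand-in for a downloaded package; contents are constructed.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", cert_blob)
    return buf.getvalue()


def signer_fingerprints(apk_bytes: bytes) -> set[str]:
    """SHA-256 of every v1 signer blob (META-INF/*.RSA, *.DSA, *.EC)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                fps.add(hashlib.sha256(z.read(name)).hexdigest())
    return fps


def has_v2_signing_block(apk_bytes: bytes) -> bool:
    """Coarse presence check for a v2/v3 signing block.

    Only looks for the magic; full verification of the block belongs to
    apksigner. Absence on a package that normally ships v2-signed is itself
    a red flag that the file was rebuilt with older tooling.
    """
    return APK_SIG_BLOCK_MAGIC in apk_bytes


def check_apk(apk_bytes: bytes, pinned: set[str]) -> tuple[bool, str]:
    """Accept the APK only if every signer certificate is a pinned one."""
    fps = signer_fingerprints(apk_bytes)
    if not fps:
        return False, "no v1 signer certificate found"
    if not fps <= pinned:
        return False, "signer certificate does not match pinned publisher"
    return True, "signer matches pinned publisher"


if __name__ == "__main__":
    for label, pkg in (
        ("genuine build", build_apk(ORIGINAL_CERT)),
        ("repackaged build", build_apk(ATTACKER_CERT)),
        ("unsigned build", build_apk(b"", signed=False)),
    ):
        ok, why = check_apk(pkg, PINNED_SIGNERS)
        print(f"{label:17s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

For real packages, hash the DER certificate extracted with `apksigner verify --print-certs` rather than the raw blob, and treat a missing v2/v3 block on a package that normally ships with one as a separate alarm; the fingerprint comparison itself is unchanged.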