ScarCruft Compromised sqgame.net to Deliver BirdCall Spyware on Android and Windows
North Korea-linked ScarCruft (also tracked as APT37 and Reaper) compromised the gaming platform sqgame.net to distribute trojanized software carrying its BirdCall backdoor, according to ESET research and subsequent reporting. The operation targeted users tied to the Yanbian Korean Autonomous Prefecture in China, a region associated with North Korean defector transit, and likely focused on defectors, activists, and related communities. Researchers said the campaign appears to have begun in late 2024; the attackers likely breached the site's web server and repackaged the legitimate Android game APKs it hosted, rather than obtaining the games' source code.
The malicious Android apps deployed a mobile variant of BirdCall capable of stealing contacts, SMS messages, call logs, files, media, and private keys, and of taking screenshots and recording ambient audio. Reporting also said ScarCruft briefly trojanized a Windows desktop client update component: a malicious mono.dll fetched RokRAT, which in turn installed the Windows BirdCall payload. BirdCall is described as an evolution of RokRAT; on Windows it supports keystroke logging, clipboard theft, shell execution, and screenshot capture. The Android variant's command-and-control traffic was built to blend into normal network activity and could use legitimate cloud storage services such as Zoho WorkDrive, pCloud, and Yandex Disk as carriers.
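The Windows chain above (a trojanized mono.dll loaded by the game client, followed by C2 over consumer cloud storage) gives defenders two things to check in endpoint telemetry: whether the DLL the client actually loaded is the vendor's signed file in the expected location, and whether that same process then reached a cloud-storage API. The following Python sketch is an added example for this page, not code from ESET, from the reporting, or from the sqgame.net client. Its events are constructed in a Sysmon-like shape (EventID 7 ImageLoad, EventID 3 NetworkConnect); the install directory, expected signer name and cloud-storage API hostnames are assumptions for illustration, not indicators from the reporting.

```python
"""
Hunt for the Windows-side chain described above: the game client loads a
mono.dll that is unsigned, mis-signed or in an unexpected path, and the
same process then talks to a consumer cloud-storage API.

Added example for this page, not code from ESET or the sqgame.net client.
Events are CONSTRUCTED in a Sysmon-like shape (EventID 7 = ImageLoad,
EventID 3 = NetworkConnect). Install directory, expected signer and the
cloud-storage hostnames are ASSUMPTIONS, not indicators from the reporting.
"""
from collections import defaultdict

EXPECTED_INSTALL_DIR = "c:\\program files\\sqgame\\"   # assumed location
EXPECTED_SIGNER = "Example Game Studio Ltd"            # hypothetical signer

# Services the reporting names as possible C2 carriers; the exact API
# hostnames are an assumption and should be tuned to your own proxy logs.
CLOUD_STORAGE_HOSTS = {
    "workdrive.zoho.com",
    "api.pcloud.com",
    "eapi.pcloud.com",
    "cloud-api.yandex.net",
}


def suspicious_mono_loads(events):
    """Return (ProcessGuid, UtcTime, path, reasons) for every mono.dll
    ImageLoad that fails the path check or the Authenticode check."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev.get("ImageLoaded", "").lower()
        if not loaded.endswith("\\mono.dll"):
            continue
        reasons = []
        if not loaded.startswith(EXPECTED_INSTALL_DIR):
            reasons.append("unexpected path")
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        elif ev.get("Signature") != EXPECTED_SIGNER:
            reasons.append("unexpected signer: " + ev.get("Signature", ""))
        if reasons:
            hits.append((ev["ProcessGuid"], ev["UtcTime"], loaded, reasons))
    return hits


def cloud_egress_after_bad_load(events):
    """Correlate flagged processes with later connections to cloud-storage
    API hosts. Only connections at or after the first bad load count, so a
    benign earlier sync by the same process is not attributed to it.
    Returns {ProcessGuid: [hostnames]}."""
    first_bad_load = {}
    for guid, when, _, _ in suspicious_mono_loads(events):
        first_bad_load[guid] = min(when, first_bad_load.get(guid, when))
    egress = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        guid = ev.get("ProcessGuid")
        if guid not in first_bad_load or ev["UtcTime"] < first_bad_load[guid]:
            continue
        host = ev.get("DestinationHostname", "").lower()
        if host in CLOUD_STORAGE_HOSTS:
            egress[guid].append(host)
    return dict(egress)


# Constructed sample telemetry (not real events). Timestamps are UTC in a
# fixed-width format so plain string comparison orders them correctly.
SAMPLE_EVENTS = [
    # proc-a: genuine client, properly signed mono.dll, later a user-driven sync
    {"EventID": 7, "UtcTime": "2025-01-10 09:00:01.000", "ProcessGuid": "proc-a",
     "ImageLoaded": "C:\\Program Files\\sqgame\\mono.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": EXPECTED_SIGNER},
    {"EventID": 3, "UtcTime": "2025-01-10 09:05:00.000", "ProcessGuid": "proc-a",
     "DestinationHostname": "cloud-api.yandex.net"},
    # proc-b: unsigned DLL swapped in at the real path, then cloud-storage C2
    {"EventID": 7, "UtcTime": "2025-01-10 10:00:00.000", "ProcessGuid": "proc-b",
     "ImageLoaded": "C:\\Program Files\\sqgame\\mono.dll",
     "Signed": "false", "SignatureStatus": "Unsigned", "Signature": ""},
    {"EventID": 3, "UtcTime": "2025-01-10 10:00:04.000", "ProcessGuid": "proc-b",
     "DestinationHostname": "update.example.net"},
    {"EventID": 3, "UtcTime": "2025-01-10 10:00:09.000", "ProcessGuid": "proc-b",
     "DestinationHostname": "api.pcloud.com"},
    # proc-c: validly signed by the wrong party, from a user-writable path;
    # its only cloud connection predates the load and is therefore ignored
    {"EventID": 3, "UtcTime": "2025-01-10 11:00:00.000", "ProcessGuid": "proc-c",
     "DestinationHostname": "workdrive.zoho.com"},
    {"EventID": 7, "UtcTime": "2025-01-10 11:00:30.000", "ProcessGuid": "proc-c",
     "ImageLoaded": "C:\\Users\\Public\\mono.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Some Other Publisher"},
]

if __name__ == "__main__":
    for guid, when, path, reasons in suspicious_mono_loads(SAMPLE_EVENTS):
        print(f"{when} {guid}: {path} ({', '.join(reasons)})")
    print(cloud_egress_after_bad_load(SAMPLE_EVENTS))
```

Two design points matter in practice. The signer check is deliberately stricter than "is it signed": a DLL signed by someone other than the vendor is treated as suspicious, because a valid signature from the wrong publisher is exactly what a sideloaded or repackaged component looks like. And the egress correlation is ordered in time, since connections to Zoho, pCloud or Yandex from an ordinary user machine are normal on their own; the signal here is the pairing of a bad DLL load with cloud-storage traffic from the same process afterwards, not the cloud traffic itself.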

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos discloses UAT-8302 and publishes IOCs
On 2026-05-05, Cisco Talos publicly disclosed UAT-8302, detailing its malware arsenal, links to other China-nexus clusters, and use of open-source and Chinese-language tooling. Talos also released detection coverage through ClamAV and Snort along with extensive file and network indicators of compromise.
ESET discloses ScarCruft's BirdCall campaign via sqgame.net
In early May 2026, ESET publicly reported that ScarCruft had compromised sqgame.net to distribute BirdCall malware to Android and Windows users in the Yanbian region. The disclosure linked the targeting to communities associated with North Korean defectors and human rights interests.
Breakglass publishes TernDoor and UAT-9244 technical analysis
On 2026-03-08, Breakglass Intelligence published a detailed analysis of UAT-9244's campaign, describing TernDoor's six-layer unpacking chain, custom TLS 1.3 implementation, AES-encrypted communications, named-pipe lateral movement, and embedded kernel driver. The report also identified live TernDoor command-and-control servers and shared infrastructure across the malware families.
Cisco Talos publicly discloses UAT-9244
On 2026-03-05, Cisco Talos publicly disclosed UAT-9244 and assessed overlap with FamousSparrow and Tropic Trooper. Talos said it could not establish a solid connection between UAT-9244 and Salt Typhoon.
ESET notifies sqgame of ScarCruft compromise
ESET said it notified sqgame in December 2025 about the ScarCruft supply-chain compromise affecting the platform's Android and Windows distribution infrastructure. At the time of ESET's publication in May 2026, the researchers said they had not received a response.
UAT-8302 expands operations into southeastern Europe
Cisco Talos reported that UAT-8302 also targeted government agencies in southeastern Europe during 2025. The activity showed tooling overlap with multiple previously reported China-nexus or Chinese-speaking threat clusters.
ScarCruft trojanizes Windows sqgame.net update component
For part of the sqgame.net campaign, ScarCruft also compromised a Windows desktop client update component to deliver malware. On Windows, a trojanized mono.dll downloaded RokRAT, which then deployed the BirdCall payload.
UAT-8302 begins targeting South American governments
Cisco Talos disclosed that the China-nexus APT UAT-8302 had targeted government entities in South America since at least late 2024. The group used reconnaissance, credential theft, lateral movement, proxying, and several custom malware families to maintain long-term access.
ScarCruft starts sqgame.net supply-chain espionage campaign
ESET reported that the North Korea-aligned group ScarCruft began a supply-chain attack against sqgame.net in late 2024, targeting users in China's Yanbian region. The attackers trojanized Android game APKs with the BirdCall backdoor and likely compromised the website's web server to distribute the malware.
Android BirdCall variant is developed
ESET found that the Android version of BirdCall used in the sqgame.net campaign was developed around October 2024, with at least seven versions identified. The malware supports surveillance functions including theft of contacts, SMS, call logs, files, screenshots, and ambient audio.
UAT-9244 begins targeting South American telecom providers
Breakglass Intelligence assessed that the China-nexus cluster UAT-9244 had been targeting telecommunications providers in South America since at least mid-2024. The operation used multiple malware families, including the Windows backdoor TernDoor, the Linux backdoor PeerTime, and the Go-based brute-force tool BruteEntry.
Sources
New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android Backdoors (cybersecuritynews.com)
ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows (thehackernews.com)
ScarCruft hackers push BirdCall Android malware via game platform (bleepingcomputer.com)
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack (welivesecurity.com)
UAT-8302 and its box full of malware (blog.talosintelligence.com)
North Korean hackers targeted ethnic Koreans in China with Android 'BirdCall' malware (therecord.media)
North Koreans Spy on Defectors Via Android Game Apps (govinfosecurity.com)
TernDoor Unpacked: Cracking a Chinese APT's Multi-Layer Backdoor Targeting South American Telecom (intel.breakglass.tech)