ScarCruft targets Korean diaspora via trojanised gaming platform
ESET Research has disclosed a multiplatform supply-chain attack by ScarCruft, a North Korea-aligned advanced persistent threat group also tracked as APT37 or Reaper, in which the group compromised a video game platform serving ethnic Koreans in China's Yanbian region. The campaign, which ESET dates to late 2024 and assesses as probably still ongoing, is the first time ESET has observed ScarCruft extend this tooling to Android devices.
Filip Jurčacko, the ESET researcher who uncovered the attack, said victims downloaded the trojanised Android games as APKs from a single page on the platform's own website, so the apps were sideloaded by the users themselves; there is no indication that the Google Play store was compromised. Windows users were hit through a malicious update to the platform's desktop client that installed the RokRAT backdoor, which in turn deployed the more sophisticated BirdCall implant.
The BirdCall backdoor
ESET first documented the Windows version of BirdCall in 2021 and attributed it to ScarCruft at the time. Its capabilities are extensive: screenshot capture, keystroke and clipboard logging, credential theft, arbitrary shell-command execution, and command-and-control (C2) traffic routed through legitimate cloud storage services such as Dropbox and pCloud. Because those services are in everyday use, the C2 traffic blends with normal enterprise traffic and cannot simply be blocked at the network edge.
The Android variant, newly discovered in this campaign, implements a targeted subset of those capabilities. It collects contacts, SMS messages, call logs, documents, media files and private keys, can take screenshots, and records ambient audio. ESET found at least seven distinct versions of the Android build deployed across a span of several months, indicating active, iterative development by the threat actor rather than a one-off implant drop.
ESET's analysis concludes that the primary targets are ethnic Koreans in the Yanbian area — a region that borders North Korea and serves as a transit route for refugees and defectors — and that the campaign's likely goal is intelligence collection on individuals of interest to the Pyongyang regime.
Market and threat landscape context
ScarCruft has been active since at least 2012, primarily against South Korean government, military and industry organisations, with periodic operations against North Korean defector communities and sympathiser networks across the wider Asia-Pacific region. The group's tactics align with a broader pattern among North Korean state-sponsored actors, including Lazarus Group and Kimsuky, of weaponising trust in legitimate software distribution channels, from software update mechanisms to app stores, to achieve initial access without needing to exploit any vulnerability on the victim's device.
Supply-chain compromise as an initial access vector has become markedly more common across the threat landscape. The 2020 SolarWinds and 2021 Kaseya incidents demonstrated the technique's potency against Western enterprise targets; North Korean actors have increasingly applied the same approach against diaspora communities and civil-society targets, where spear-phishing awareness may be lower and software provenance less scrutinised.
The extension to Android is significant. Mobile espionage tools that harvest contacts, call records and ambient audio are particularly high-value for mapping the social networks around defectors and cross-border activists. Defenders in organisations that support at-risk Korean communities should treat the presence of the platform's Android games, or of its desktop client, on a device as an indicator of compromise and audit devices accordingly. Google Play's review process offered no protection here, since the malicious APKs were distributed from the platform's own website rather than through the store; on-device Play Protect scanning of sideloaded apps is the only Play-side control that even applies to such an install.
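A concrete starting point for the device audit recommended above, written here as an added example (it is not ESET's tooling and does not appear in the original article): a POSIX shell script that lists third-party Android packages not installed from the Play Store and compares installed APK hashes against an indicator list. It assumes the hash list is taken from ESET's WeLiveSecurity post and supplied by the operator as a file; every package name, path and hash in the embedded sample data is a constructed placeholder, not a real indicator.

```sh
#!/bin/sh
# Added Android triage helper (example code, not from ESET or the article).
# Two checks over a device reachable via adb:
#   1. third-party packages whose installer is not the Play Store
#   2. SHA-256 hashes of installed APKs matched against an indicator file
# Assumption: the indicator file holds one hex SHA-256 per line, taken from
# ESET's published indicators. The sample data below is constructed.

# Read `adb shell pm list packages -i -3` output on stdin and print
# "<package> <installer>" for every package not installed by Play.
# Input lines look like:
#   package:com.example.app  installer=com.android.vending
#   package:com.example.game  installer=com.google.android.packageinstaller
#   package:com.example.tool  installer=null
find_sideloaded() {
  sed -n 's/^package:\([^ ]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p' |
    awk '$2 != "com.android.vending" { print $1, $2 }'
}

# Read `sha256sum` output ("<hash>  <path>") on stdin and print
# "<path> <hash>" for each hash present in the indicator file $1.
# Matching is case-insensitive; APK paths from `pm path` contain no spaces.
match_hashes() {
  awk -v ioc_file="$1" '
    FILENAME == ioc_file { ioc[tolower($1)] = 1; next }
    (tolower($1) in ioc)  { print $2, $1 }' "$1" -
}

# Live mode: enumerate third-party packages, resolve each APK path with
# `pm path`, hash it on-device (sha256sum ships in toybox on recent
# Android; otherwise `adb pull` and hash locally) and match.
audit_device() {
  ioc_file=$1
  echo '# third-party packages not installed from the Play Store:'
  adb shell pm list packages -i -3 | tr -d '\r' | find_sideloaded
  echo '# APKs matching the indicator list:'
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
      adb shell pm path "$pkg" | tr -d '\r' | sed 's/^package://'
    done |
    while read -r apk; do
      adb shell sha256sum "$apk"
    done | tr -d '\r' | match_hashes "$ioc_file"
}

# Constructed sample of `pm list packages -i -3` output for the offline demo.
sample_packages() {
  printf '%s\n' \
    'package:com.example.messenger  installer=com.android.vending' \
    'package:com.example.game  installer=com.google.android.packageinstaller' \
    'package:com.example.tool  installer=null'
}

# Constructed sample of `sha256sum` output; the digests are placeholders.
sample_hashes() {
  printf '%s\n' \
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  /data/app/com.example.game/base.apk' \
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  /data/app/com.example.messenger/base.apk'
}

# Placeholder indicator list: the first sample digest, upper-cased to show
# that matching ignores case.
sample_iocs() {
  sample_hashes | head -n 1 | awk '{ print toupper($1) }'
}

# With an indicator file and adb present, audit the connected device;
# otherwise run the offline demo on the constructed sample data.
main() {
  if [ $# -ge 1 ] && command -v adb >/dev/null 2>&1; then
    audit_device "$1"
  else
    ioc_tmp=$(mktemp)
    sample_iocs > "$ioc_tmp"
    echo '# third-party packages not installed from the Play Store:'
    sample_packages | find_sideloaded
    echo '# APKs matching the indicator list:'
    sample_hashes | match_hashes "$ioc_tmp"
    rm -f "$ioc_tmp"
  fi
}

main "$@"
```

Run it as `sh audit.sh indicators.txt` with a device attached to triage that device, or with no arguments to see the two checks on the sample data. A non-Play installer is not proof of compromise on its own (regional app stores and enterprise MDM installs look the same), which is why the hash match is the second step; a package that is both sideloaded and hash-matched is the one to pull for analysis.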
ESET has published full technical indicators in an accompanying blog post on WeLiveSecurity. The research also underscores the continued need for endpoint detection on both Windows and Android in human-rights and civil-society organisations operating in East Asia, where nation-state threat actors routinely prioritise soft targets over hardened corporate networks.