ScarCruft Compromised sqgame.net to Deliver BirdCall Spyware on Android and Windows
North Korea-linked ScarCruft (also tracked as APT37 and Reaper) compromised the gaming platform sqgame[.]net to distribute trojanized software carrying its BirdCall backdoor, according to reporting based on ESET research. The operation targeted users tied to the Yanbian Korean Autonomous Prefecture in China, a region associated with North Korean defector transit, and likely focused on defectors, activists, and related communities. Researchers said the campaign appears to have begun in late 2024, with attackers likely breaching the site’s web server and repackaging legitimate Android game APKs rather than stealing source code.
The malicious Android apps deployed a mobile variant of BirdCall capable of stealing contacts, SMS messages, call logs, files, media, and private keys, while also taking screenshots and recording ambient audio. Reporting also said ScarCruft briefly trojanized a Windows desktop client update component: a malicious mono.dll fetched RokRAT, which then installed the Windows BirdCall payload. BirdCall is described as an evolution of RokRAT and supports surveillance features including keystroke logging, clipboard theft, shell execution, and screenshot capture on Windows, while its Android command-and-control traffic blended into normal network activity and could use cloud services such as Zoho WorkDrive, pCloud, and Yandex Disk.
Timeline
May 5, 2026
Cisco Talos discloses UAT-8302 and publishes IOCs
On 2026-05-05, Cisco Talos publicly disclosed UAT-8302, detailing its malware arsenal, links to other China-nexus clusters, and use of open-source and Chinese-language tooling. Talos also released detection coverage through ClamAV and Snort along with extensive file and network indicators of compromise.
May 4, 2026
ESET discloses ScarCruft's BirdCall campaign via sqgame.net
In early May 2026, ESET publicly reported that ScarCruft had compromised sqgame.net to distribute BirdCall malware to Android and Windows users in the Yanbian region. The disclosure linked the targeting to communities associated with North Korean defectors and human rights interests.
Mar 8, 2026
Breakglass publishes TernDoor and UAT-9244 technical analysis
On 2026-03-08, Breakglass Intelligence published a detailed analysis of UAT-9244's campaign, describing TernDoor's six-layer unpacking chain, custom TLS 1.3 implementation, AES-encrypted communications, named-pipe lateral movement, and embedded kernel driver. The report also identified live TernDoor command-and-control servers and shared infrastructure across the malware families.
Mar 5, 2026
Cisco Talos publicly discloses UAT-9244
On 2026-03-05, Cisco Talos publicly disclosed UAT-9244 and assessed overlap with FamousSparrow and Tropic Trooper. Talos said it could not establish a solid connection between UAT-9244 and Salt Typhoon.
Dec 1, 2025
ESET notifies sqgame of ScarCruft compromise
ESET said it notified sqgame in December 2025 about the ScarCruft supply-chain compromise affecting the platform's Android and Windows distribution infrastructure. At the time of ESET's publication in May 2026, the researchers said they had not received a response.
Jan 1, 2025
UAT-8302 expands operations into southeastern Europe
Cisco Talos reported that UAT-8302 also targeted government agencies in southeastern Europe during 2025. The activity showed tooling overlap with multiple previously reported China-nexus or Chinese-speaking threat clusters.
Nov 1, 2024
ScarCruft trojanizes Windows sqgame.net update component
For part of the sqgame.net campaign, ScarCruft also compromised a Windows desktop client update component to deliver malware. On Windows, a trojanized mono.dll downloaded RokRAT, which then deployed the BirdCall payload.
Nov 1, 2024
UAT-8302 begins targeting South American governments
Cisco Talos disclosed that the China-nexus APT UAT-8302 had targeted government entities in South America since at least late 2024. The group used reconnaissance, credential theft, lateral movement, proxying, and several custom malware families to maintain long-term access.
Nov 1, 2024
ScarCruft starts sqgame.net supply-chain espionage campaign
ESET reported that the North Korea-aligned group ScarCruft began a supply-chain attack against sqgame.net in late 2024, targeting users in China's Yanbian region. The attackers trojanized Android game APKs with the BirdCall backdoor and likely compromised the website's web server to distribute the malware.
Oct 1, 2024
Android BirdCall variant is developed
ESET found that the Android version of BirdCall used in the sqgame.net campaign was developed around October 2024, with at least seven versions identified. The malware supports surveillance functions including theft of contacts, SMS, call logs, files, screenshots, and ambient audio.
Jun 1, 2024
UAT-9244 begins targeting South American telecom providers
Breakglass Intelligence assessed that the China-nexus cluster UAT-9244 had been targeting telecommunications providers in South America since at least mid-2024. The operation used multiple malware families, including the Windows backdoor TernDoor, the Linux backdoor PeerTime, and the Go-based brute-force tool BruteEntry.
Sources
5 more from sources like lazarusholic bluesky, the record media, talos intelligence blog, govinfosecurity and breakglass intel
Related Stories

Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
1 month ago
ResidentBat Android Spyware Linked to Belarusian KGB
A targeted Android spyware implant dubbed **ResidentBat** has been linked to Belarusian state surveillance operations, with reporting tying it to the **Belarusian KGB** and victimology focused on journalists and civil society. The implant is assessed to have been under development since at least **2021** and was publicly exposed in **December 2025** via a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. Unlike mass-distributed mobile malware, ResidentBat is deployed through **hands-on access**: operators use **Android Debug Bridge (ADB)** to sideload an APK, manually grant permissions, and disable *Google Play Protect*, trading scale for high-confidence, deliberate targeting. Post-compromise, ResidentBat supports broad device surveillance and data theft, including access to **SMS and call logs**, **microphone audio recording**, **screenshots**, and **local files**, and it is reported to be able to **intercept traffic from encrypted messaging apps**. Infrastructure analysis attributed to **Censys** described a consistent C2 fingerprint, including **self-signed TLS certificates** with the common name `CN=server` and control traffic over a narrow port range **7000–7257**; observed hosting was concentrated in **Europe and Russia** (including the Netherlands, Germany, Switzerland, and Russia). The C2 is described as supporting data collection, operator tasking, and configuration updates to maintain persistent control over infected devices.
1 month ago
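One way to turn the C2 fingerprint reported above (certificate subject `CN=server`, control traffic on ports 7000–7257) into a triage sweep over TLS connection logs. This is an added example, not code from the RSF/RESIDENT.NGO investigation or Censys; the tab-separated record layout and the sample connections are constructed for illustration and do not reproduce Zeek's real ssl.log field order.

```python
# Constructed sample TLS log (Zeek ssl.log-like, simplified, tab-separated):
# ts  src_ip  src_port  dst_ip  dst_port  server_name  cert_subject
SAMPLE_SSL_LOG = """\
1700000001.1\t10.0.0.5\t51234\t203.0.113.10\t7001\t-\tCN=server
1700000002.2\t10.0.0.5\t51235\t198.51.100.20\t443\twww.example.com\tCN=www.example.com,O=Example
1700000003.3\t10.0.0.6\t51236\t203.0.113.11\t7257\t-\tCN=server
1700000004.4\t10.0.0.7\t51237\t203.0.113.12\t7258\t-\tCN=server
1700000005.5\t10.0.0.8\t51238\t203.0.113.13\t7100\t-\tCN=server,O=Corp
1700000006.6\t10.0.0.9\t51239\t203.0.113.14\t8080\t-\tCN=server
"""

# Reported control-traffic port range, 7000-7257 inclusive.
C2_PORT_RANGE = range(7000, 7258)


def subject_cn(subject):
    """Return the CN value from a comma-separated X.509 subject string, or None."""
    for rdn in subject.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def is_residentbat_like(dst_port, subject):
    """True when the certificate CN is exactly 'server' and the port is in range."""
    return subject_cn(subject) == "server" and dst_port in C2_PORT_RANGE


def scan_ssl_log(text):
    """Return (src_ip, dst_ip, dst_port) for every connection matching the fingerprint."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed record: skip rather than abort the sweep
        _ts, src_ip, _sport, dst_ip, dst_port, _sni, subject = fields[:7]
        if not dst_port.isdigit():
            continue
        if is_residentbat_like(int(dst_port), subject):
            hits.append((src_ip, dst_ip, int(dst_port)))
    return hits


if __name__ == "__main__":
    for src, dst, port in scan_ssl_log(SAMPLE_SSL_LOG):
        print(f"candidate ResidentBat C2: {src} -> {dst}:{port}")
```

A generic CN such as `server` is a weak signal on its own, so hits are triage candidates to correlate with the reported hosting geography and device context, not confirmed infections.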
ScarCruft (APT37) Ruby Jumper Campaign Targets Air-Gapped Systems via Zoho WorkDrive C2 and USB Malware
**North Korea-linked ScarCruft (APT37)** has been attributed to a new espionage campaign dubbed **Ruby Jumper** that is designed to compromise **air-gapped** environments using a multi-stage infection chain and removable media. Zscaler ThreatLabz reported the activity was identified in **December 2025** and described an initial access method that relies on a **malicious Windows shortcut (`.LNK`)**; when opened, it triggers **PowerShell** to extract multiple embedded payloads (including a decoy document and staged scripts/binaries) from fixed offsets within the LNK and then decrypts and executes follow-on code in memory. The toolset includes multiple malware components—reported as **RESTLEAF**, **SNAKEDROPPER**, **THUMBSBD**, **VIRUSTASK**, **FOOTWINE** (and additionally **BLUELIGHT** in one account)—used to progress execution, establish persistence, and enable surveillance. **RESTLEAF** was described as using *Zoho WorkDrive* for command-and-control, authenticating with a valid access token and downloading additional shellcode for execution (including via process injection), representing a noted shift to abusing a cloud storage service for C2; the campaign also includes an implant/workflow that uses **removable media (USB)** to relay commands and bridge isolated networks, enabling compromise of systems without direct internet connectivity.
1 month ago