ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
Summary
ScarCruft's late-2024 supply-chain campaign against sqgame[.]net expanded a niche gaming platform compromise into a multi-platform espionage channel. The operation trojanized Android APKs and a Windows update package to deliver the BirdCall backdoor to targeted users in Yanbian, China. The platform's user base includes ethnic Koreans and may also intersect with North Korean defectors, increasing the intelligence value of the access path. The campaign was discovered in October 2025, which shows the malicious delivery stayed active and evaded detection for months.
Related Happenings
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
How related:
A North Korea-aligned espionage group has compromised a regional gaming platform serving ethnic Koreans in China.
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
BirdCall Android spyware variant
Malware Activity
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
How related:
BirdCall was first identified by ESET as a Windows backdoor in 2021. The Android port, internally named zhuagou, implemented a subset of its predecessor's capabilities and saw active development across seven versions between October 2024 and June 2025.
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
APT37 BirdCall Android supply-chain campaign
Campaign
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **APT37** campaign now delivers a new **Android** variant of **BirdCall** through **trojanized APKs** on **sqgame[.]net**, expanding the operation beyond its known **Windows**...
Timeline
05.05.2026 12:07 2 articles · 22d ago
ScarCruft compromises sqgame[.]net with BirdCall
Initial Disclosure
ScarCruft, a North Korea-aligned hacking group, compromised sqgame[.]net in a supply-chain espionage operation that trojanized Android APKs and a Windows update package with BirdCall to target ethnic Koreans in Yanbian, China. The campaign was discovered in October 2025, with evidence indicating it was probably ongoing since late 2024 and that a Windows desktop-client DLL had been trojanized since at least November 2024.
Sources:
- ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows — thehackernews.com — 05.05.2026 12:07
- North Korean APT Targets Yanbian Gamers via Trojanized Platform — www.infosecurity-magazine.com — 05.05.2026 18:00