{"id":325,"date":"2026-05-06T06:06:25","date_gmt":"2026-05-06T06:06:25","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/06\/scarcruft-compromises-gaming-platform-in-a-supply-chain-attack\/"},"modified":"2026-05-06T06:06:25","modified_gmt":"2026-05-06T06:06:25","slug":"scarcruft-compromises-gaming-platform-in-a-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/06\/scarcruft-compromises-gaming-platform-in-a-supply-chain-attack\/","title":{"rendered":"ScarCruft compromises gaming platform in a supply-chain attack"},"content":{"rendered":"<div>\n<p>ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China \u2013 home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.<\/p>\n<p>The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. 
In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.<\/li>\n<li>The gaming platform\u2019s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.<\/li>\n<li>Android games available on the gaming platform were trojanized to contain the Android version of the BirdCall backdoor \u2013 a new tool in ScarCruft\u2019s arsenal.<\/li>\n<li>The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>ScarCruft profile<\/h2>\n<p>ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is <a href=\"https:\/\/attack.mitre.org\/groups\/G0067\/\" target=\"_blank\" rel=\"noopener\">suspected to be a North Korean espionage group<\/a>. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. 
The group also targets North Korean defectors, with the latest such activity presented in this blogpost.<\/p>\n<h2>BirdCall backdoor<\/h2>\n<h3>Windows version<\/h3>\n<p>BirdCall is a Windows backdoor written in C++ that we discovered in 2021 and attributed to ScarCruft as part of the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> reporting.<\/p>\n<p>The backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&amp;C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key. The initial version of BirdCall was publicly described by South Korean vendors in 2021 as an advanced version of RokRAT (<a href=\"https:\/\/medium.com\/s2wblog\/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48\" target=\"_blank\" rel=\"noopener\">S2W<\/a>, <a href=\"https:\/\/www.ahnlab.com\/ko\/contents\/content-center\/30164\" target=\"_blank\" rel=\"noopener\">AhnLab<\/a>).<\/p>\n<h3>Android version<\/h3>\n<p>The Android version of BirdCall, discovered in the attack that we describe in this blogpost, implements a subset of the commands and capabilities of the Windows backdoor \u2013 it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio.<\/p>\n<p>Based on our research, Android BirdCall was actively developed over a span of several months. 
We identified seven versions, ranging from version 1.0 (created approximately in October 2024) to version 2.0 (created approximately in June 2025).<\/p>\n<h2>Discovery<\/h2>\n<p>Our investigation started with a suspicious APK file found on VirusTotal. Upon initial analysis, we determined that the APK is malicious and contains a backdoor.<\/p>\n<p>Interestingly, the APK turned out to be a trojanized card game called \u5ef6\u8fb9\u7ea2\u5341 (machine translation: Yanbian Red Ten), which we traced to its official website, <span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.sqgame[.]net<\/span>. sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS. The players can compete in card and board games (see Figure\u00a01) with friends or join organized tournaments.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 1. Yanbian Red Ten game\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/04-26\/scarcruft\/figure-1.jpg\" alt=\"Figure 1. Yanbian Red Ten game\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Yanbian Red Ten game<\/em><\/figcaption><\/figure>\n<p>Surprisingly, the APK available for download on the official website is the same as the APK we initially found on VirusTotal. Moreover, a second Android game (\u65b0\u753b\u56fe, machine translation: New Drawing) available for download from sqgame was also trojanized with the same backdoor. Further analysis revealed that the backdoor is an Android port of the ScarCruft group\u2019s BirdCall backdoor.<\/p>\n<p>The Windows desktop client link on the sqgame website leads to a few-years-old installer that appears to be clean. 
It does download updates once installed, but we did not identify any malicious code there during our analysis.<\/p>\n<p>Investigating further in ESET telemetry, we identified a trojanized <span style=\"font-family: courier new, courier, monospace;\">mono.dll<\/span> library, originating from an update package for the desktop client. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period. At the time of writing, this update package was no longer malicious.<\/p>\n<p>We also checked the iOS game available on the sqgame website and didn\u2019t find any malicious code. We think that ScarCruft skipped this platform, since the trojanization and delivery of the app would be much more difficult compared to other platforms, possibly running into Apple\u2019s review process.<\/p>\n<h2>Victimology<\/h2>\n<p>Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, we infer that the primary targets are ethnic Koreans living in Yanbian. Yanbian Korean Autonomous Prefecture is a region in China that borders North Korea and is home to the largest ethnic Korean community outside Korea.<\/p>\n<p>In this context, we believe that it is probable that the attack was aimed at collecting information on individuals based in (or originating from) the Yanbian region and deemed of interest to the North Korean regime \u2013 most likely refugees or defectors.<\/p>\n<h2>Attack overview<\/h2>\n<h3>Android<\/h3>\n<p>Two of the Android games available on the sqgame website were found to be trojanized to contain the BirdCall backdoor. The download page available at <span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.sqgame[.]net\/games\/gamedownload.aspx<\/span> is shown in Figure\u00a02, with download buttons for the two trojanized games highlighted in red. 
The third available Android game was clean at the time of our analysis.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 2. Download page leading to trojanized games\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/04-26\/scarcruft\/figure-2.png\" alt=\"Figure 2. Download page leading to trojanized games\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Download page leading to trojanized games<\/em><\/figcaption><\/figure>\n<p>We found evidence that the victims downloaded the trojanized games via a web browser on their devices and probably installed them intentionally. We have not found any other APK locations. We also have not found the malicious APKs on the official Google Play store.<\/p>\n<p>We were unable to determine when the website was first compromised and the supply-chain attack started. However, based on our analysis of the deployed malware, we estimate that it happened in late 2024.<\/p>\n<p>Table\u00a01 shows the hosting URLs of the two trojanized APK files, along with the hashes of files served at the time of discovery. At the time of writing of this blogpost, the malicious files were still up on the sqgame website. We notified sqgame of the compromise in December 2025, but haven\u2019t received a response.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a01. 
Malicious samples<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td style=\"width: 72px;\" width=\"68\"><strong>Time of discovery<\/strong><\/td>\n<td style=\"width: 216px;\" nowrap=\"nowrap\" width=\"234\"><strong>URL<\/strong><\/td>\n<td style=\"width: 368px;\" nowrap=\"nowrap\" width=\"151\"><strong>SHA\u20111<\/strong><\/td>\n<td style=\"width: 289px;\" nowrap=\"nowrap\" width=\"189\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"width: 72px;\" nowrap=\"nowrap\" width=\"68\">2025-10<\/td>\n<td style=\"width: 216px;\" nowrap=\"nowrap\" width=\"234\"><span style=\"font-family: courier new, courier, monospace;\">http:\/\/sqgame.com<wbr\/>[.]cn\/ybht.apk<\/span><\/td>\n<td style=\"width: 368px;\" nowrap=\"nowrap\" width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">03E3ECE9F48CF4104AAF<wbr\/>C535790CA2FB3C6B26CF<\/span><\/td>\n<td style=\"width: 289px;\" nowrap=\"nowrap\" width=\"189\">Trojanized game with the BirdCall <wbr\/>backdoor.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 72px;\" nowrap=\"nowrap\" width=\"68\">2025-10<\/td>\n<td style=\"width: 216px;\" nowrap=\"nowrap\" width=\"234\"><span style=\"font-family: courier new, courier, monospace;\">http:\/\/sqgame.com<wbr\/>[.]cn\/sqybhs.apk<\/span><\/td>\n<td style=\"width: 368px;\" nowrap=\"nowrap\" width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">FC0C691DB7E2D2BD3B0B<wbr\/>4C1E24D18DF72168B7D9<\/span><\/td>\n<td style=\"width: 289px;\" nowrap=\"nowrap\" width=\"189\">Trojanized game with the BirdCall <wbr\/>backdoor.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Windows<\/h3>\n<p>While the Windows desktop client available on the sqgame website did not contain malicious code when we analyzed it, we later identified a trojanized <span style=\"font-family: courier new, courier, monospace;\">mono.dll<\/span> library, originating from an update package of the desktop client hosted at 
the URL <span style=\"font-family: courier new, courier, monospace;\">http:\/\/xiazai.sqgame.com[.]cn\/dating\/20240429.zip<\/span>. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period \u2013 but at the time of writing, this update package was no longer malicious.<\/p>\n<p>ScarCruft took a clean mono library and patched it with extra code and data, containing a downloader. The downloader first checks running processes for analysis tools and virtual machine environments and does not proceed if any are found. Otherwise, it looks for the process of the sqgame client and constructs a path to the mono library in its installation folder.<\/p>\n<p>Next, it downloads and executes shellcode, which contained the RokRAT backdoor at the time of discovery. Finally, the downloader terminates the client process and downloads the original clean version of the mono library, replacing the trojanized one in the installed client folder. Both the payload and clean mono library are downloaded from legitimate South Korean websites that were compromised for this purpose \u2013 a typical TTP of ScarCruft.<\/p>\n<p>According to our telemetry, the RokRAT backdoor was subsequently used to download and install the BirdCall backdoor on the victimized machines.<\/p>\n<h2>Android BirdCall analysis<\/h2>\n<p>In this section, we provide a technical analysis of the Android BirdCall backdoor \u2013 an Android port of the eponymous Windows backdoor written in C++. Internally, the backdoor is named <span style=\"font-family: courier new, courier, monospace;\">zhuagou<\/span>, which can be translated (from Chinese) as \u201ccatching dogs\u201d.<\/p>\n<h3>Trojanized Android games<\/h3>\n<p>Android BirdCall is distributed via trojanized Android games. 
In the attack described in this blogpost, we believe that ScarCruft did not gain access to the game\u2019s source code, only to the sqgame website or web server, and instead took the original game APKs and recompiled or repackaged them with malicious code added.<\/p>\n<p>In the trojanized APKs, the <span style=\"font-family: courier new, courier, monospace;\">AndroidManifest.xml<\/span> entry point activity is modified and points to the added malicious code \u2013 which, after starting the backdoor, executes the original entry activity of the game.<\/p>\n<p>In the analyzed samples, the modified entry point activity was either <span style=\"font-family: courier new, courier, monospace;\">com.example.zhuagou.SplashScreen<\/span> or <span style=\"font-family: courier new, courier, monospace;\">com.mob.util.MobSs<\/span> (in the latest sample). The modifications to <span style=\"font-family: courier new, courier, monospace;\">AndroidManifest.xml<\/span> also include new activity and service definitions for the backdoor, as well as additional permissions required for its operation. A comparison of packages in the original game and its trojanized version is shown in Figure\u00a03.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 3. Package tree of the legitimate game (left) and its trojanized version (right)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/04-26\/scarcruft\/figure-3.png\" alt=\"Figure 3. Package tree of the legitimate game (left) and its trojanized version (right)\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. 
Package tree of the legitimate game (left) and its trojanized version (right)<\/em><\/figcaption><\/figure>\n<p>Since the Android BirdCall backdoor is a part of a trojanized Android app installed on the system, it does not automatically start after installation or a device reboot; instead, it relies on user execution.<\/p>\n<h3>Configuration<\/h3>\n<p>Android BirdCall contains a default configuration, which is initialized on the first run. The configuration uses JSON format and is persisted in a file. Subsequent runs load the existing configuration file, and the configuration can be modified via backdoor commands. An example of a formatted configuration is shown in Figure\u00a04.<\/p>\n<pre class=\"language-markup\"><code>{\n    \"bi\": \"E823D451D636D0A0\",\n    \"skey\": \"A8FE823D451D636D0A0366C0629EF5C3##@(()(#@\",\n    \"si\": \"20251105141404\",\n    \"rft\": 20000,\n    \"fst\": true,\n    \"kill\": false,\n    \"log\": true,\n    \"ctm\": 10000,\n    \"scr\": false,\n    \"rec\": false,\n    \"cmd\": 0,\n    \"data\": 1,\n    \"bd_version\": 37,\n    \"extentions\": \".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;\",\n    \"cloud\": [\n        {\n            \"ct\": 9,\n            \"idx\": 28,\n            \"cid\": \"1000.2IGB56IS1FHQ1V332R[redacted]\",\n            \"cst\": \"fa7ec5c8b050[redacted]\",\n            \"rt\": \"1000.a7fc479e[redacted]\",\n            \"at\": \"empty\",\n            \"fid\": \"8mwe5bbc0a2759839401f813968808a2f36a6\",\n            \"dm\": \"\",\n            \"use\": 0\n        },\n        [redacted]\n    ]\n}<\/code><\/pre>\n<p><em>Figure\u00a04. 
Android BirdCall configuration example<\/em><\/p>\n<p>The <span style=\"font-family: courier new, courier, monospace;\">bd_version<\/span> configuration entry encodes the version of the backdoor, stored as <span style=\"font-family: courier new, courier, monospace;\">MAJOR &lt;&lt; 5 | MINOR<\/span>, so value 37 is equal to version 1.5.<\/p>\n<p>The persisted configuration file is stored in the data directory of the app and has a device-specific path. Additionally, during the configuration initialization, the default configuration of cloud storage drives hardcoded in the sample can be overridden by an external source. If available, the backdoor downloads a JPG image that contains an encrypted cloud configuration embedded in its overlay. The image is usually hosted on a compromised South Korean website.<\/p>\n<h3>C&amp;C communication<\/h3>\n<p>Android BirdCall uses cloud storage drives for C&amp;C communication, similar to the Windows version. In the analyzed samples, three cloud providers are supported: pCloud, Yandex Disk, and Zoho WorkDrive, although only Zoho WorkDrive is used. The backdoor communicates via HTTPS, sending requests to API endpoints of the respective provider using the <a href=\"https:\/\/square.github.io\/okhttp\/\" target=\"_blank\" rel=\"noopener\">okhttp3<\/a> library.<\/p>\n<p>During our research, we observed 12 Zoho WorkDrive drives used by the Android BirdCall backdoor for C&amp;C purposes. Details of the associated accounts are shown in Table\u00a02.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a02. 
Android BirdCall Zoho WorkDrive accounts<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"170\"><strong>client_id<\/strong><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><strong>display_name<\/strong><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><strong>email<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.AJUEYDUIQQ5G<wbr\/>CLFA68[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">tomasalfred37<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">tomasalfred37@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.INXKBHQ3698C<wbr\/>K42YA2[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">kalimaxim279<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">kalimaxim279@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.FYRJ46E75TUY<wbr\/>BWYV5J[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">Smith Bentley<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">smithbentley0617@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.8QU6D2LJZ3RC<wbr\/>GLZWF2[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">Mic haelLarrow19<\/span><\/td>\n<td nowrap=\"nowrap\" 
width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">michaellarrow19@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.NT1QEE7V73IH<wbr\/>NZP5YT[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">dsf sdf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">amandakurth94@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.SKXUYYKYL06F<wbr\/>Q2NW82[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">dsf sdf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">rexmedina89@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.7BMBOS8GV1ZR<wbr\/>6AWEI2[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">dsf dsf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">alishaross751@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.V0J0QN7SJ2N7<wbr\/>V6IZVE[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">sdf sdf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">jamesdeeds385@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, 
monospace;\">1000.2IGB56IS1FHQ<wbr\/>1V332R[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">asdf sdaf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">joyceluke505@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.W4V2XMB83C6V<wbr\/>FC7DGZ[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">dfsd sdf<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">marjoriemiller280@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.LIUBF67S89H0<wbr\/>IZEBHE[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">Bill Jackson<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">teresadaniels200@zohomail[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">1000.8BLOFSFU4WOF<wbr\/>Y9HB4A[redacted]<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"170\"><span style=\"font-family: courier new, courier, monospace;\">Zoe Jack<\/span><\/td>\n<td nowrap=\"nowrap\" width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">michaelgiesen62@zohomail[.]com<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Capabilities<\/h3>\n<p>Android BirdCall features an update mechanism: a newer version can be loaded from an update file, which is expected to be in the form of an APK in the app data directory, and its download is triggered via the command <span style=\"font-family: courier new, courier, 
monospace;\">MP_SEND_FILE<\/span>.<\/p>\n<p>After the optional update procedure, the original game activity is started, in order not to raise suspicion. Then the backdoor checks and waits for an internet connection, before proceeding to its main operation.<\/p>\n<h4>Data collection<\/h4>\n<p>On the first run, the backdoor collects a full directory listing of the device\u2019s primary <a href=\"https:\/\/developer.android.com\/reference\/android\/os\/Environment.html#getExternalStorageDirectory()\" target=\"_blank\" rel=\"noopener\">shared external storage<\/a>, and user data consisting of contact list, call log, and SMS messages.<\/p>\n<p>The backdoor periodically checks in with the C&amp;C and uploads basic information, which consists of:<\/p>\n<ul>\n<li>identifier values from configuration and current time,<\/li>\n<li>battery temperature, RAM and storage information, cloud configuration, backdoor version, and file extensions of interest,<\/li>\n<li>IP geolocation information from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/ipinfo[.]io\/json<\/span>, and<\/li>\n<li>on the first run, additional information about the device, network, and the application is included:\n<p style=\"margin-top: 0.8em; margin-bottom: 0; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">brand, model, OS, kernel, and rooted status,<\/span><\/p>\n<p style=\"margin-top: 0.2em; margin-bottom: 0; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">IMEI number, IP address, MAC address, and network type, and <\/span><\/p>\n<p style=\"margin-top: 0.2em; margin-bottom: 0; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1em; flex-shrink: 0;\">\u25cb<\/span> 
<span style=\"margin: 0;\">application package and permissions.<\/span><\/p>\n<\/li>\n<\/ul>\n<p>The backdoor can periodically take screenshots (<span style=\"font-family: courier new, courier, monospace;\">scr<\/span> flag). In some versions, we observed the technique of playing a silent MP3 file in a loop while taking screenshots, which is used to prevent the trojanized app from being suspended while running in the background.<\/p>\n<p>In some of the versions, the backdoor can record audio via the microphone and eavesdrop on the surroundings of the compromised device. Strangely, even if the recording is enabled (<span style=\"font-family: courier new, courier, monospace;\">rec<\/span> flag), it is limited to a three-hour time period in the evening, from 7 pm to 10 pm local time.<\/p>\n<p>The backdoor periodically searches the shared external storage for files with extensions of interest (<span style=\"font-family: courier new, courier, monospace;\">extentions<\/span>) and stages them for exfiltration. 
In the samples we analyzed, exfiltration was aimed at media files, documents, and private keys: <span style=\"font-family: courier new, courier, monospace;\">.jpg<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.doc<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.docx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.xls<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.xlsx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.ppt<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.pptx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.txt<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.hwp<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.pdf<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.m4a<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">.p12<\/span>.<\/p>\n<h4>Commands<\/h4>\n<p>Android BirdCall periodically checks the cloud storage drive for commands issued for the victim. Decrypted commands start with the magic DWORD <span style=\"font-family: courier new, courier, monospace;\">0x2A7B4C33<\/span>, and this value matches the Windows version of BirdCall. The commands have zero or more parameters, depending on their type. Table\u00a03 shows an overview of the supported commands with their descriptions for both platforms.<\/p>\n<p>The Android version of the backdoor implements only a subset of commands available in the Windows version.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a03. 
BirdCall backdoor commands<\/em><\/p>\n<table style=\"width: 783px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead style=\"font-size: 12.5px;\">\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><strong>Type<\/strong><\/td>\n<td style=\"width: 246px;\" nowrap=\"nowrap\"><strong>Name<\/strong><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\"><strong>Android description<\/strong><\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\"><strong>Windows description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x48<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_FILESEARCH_EXTENTION<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 481px;\" colspan=\"2\">Sets file extensions of interest in the configuration.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x49<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_THREADS<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Toggles screenshot taking and voice recording.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Includes additional capabilities such as clipboard stealing and keylogging.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x4A<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_CLOUD<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 481px;\" colspan=\"2\">Sets cloud API credentials in the configuration.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, 
monospace;\">0x4B<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_REGISTER_FILE_CONTROL<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Modifies filter used during file search.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x4C<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_MODE<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Toggles collection of the backdoor execution logs.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Toggles various collection-related flags.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x4D<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_KILLME<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Disables the backdoor. 
The original game continues working.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Uninstalls the backdoor and exits.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x4E<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_KILLPROCESS<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Uses the taskkill utility to kill a process.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x4F<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_FILE_OR_DIRECTORY<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Supports upload of a specified file or directory.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Supports multiple file and directory operations: delete, rename, open, and upload.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x50<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_DOWNLOAD_COMMAND<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Downloads and executes commands from a URL or cloud drive.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x51<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_RESET_WORKDIRECTORIES<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; 
width: 253.938px;\">Can delete working directories used by the backdoor.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x52<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_EXECUTE_SIMPLE_COMMAND<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Can restart the backdoor and execute a command via <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x53<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTIONS_MORE<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Can perform three operations:<br \/>\u00b7 Delete persisted configuration.<br \/>\u00b7 Enable macros in Word (Microsoft and Hancom Office).<br \/>\u00b7 Restart the backdoor.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x54<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_ACTION_SHELL<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Starts shell (based on <a href=\"https:\/\/gitlab.winehq.org\/wine\/wine\/-\/tree\/master\/programs\/cmd\"><em>WCMD<\/em><\/a>).<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x55<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, 
monospace;\">MP_ACTION_WEBSCAN<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Performs HTTP scan of specified hosts\/ports.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x56<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_GET_DATA<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Can obtain:<br \/>\u00b7 contacts, call logs, and SMS messages,<br \/>\u00b7 full directory listing of the primary shared external storage, and<br \/>\u00b7 basic information.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Can obtain:<br \/>\u00b7 backdoor configuration and various system information,<br \/>\u00b7 credentials from browsers and other software,<br \/>\u00b7 files from IM apps \u2013 KakaoTalk, WeChat, and Signal,<br \/>\u00b7 camera photos, and<br \/>\u00b7 directory listing.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x57<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_GET_TREES<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 481px;\" colspan=\"2\">Retrieves directory listing.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x59<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SEND_FILE<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">Supports backdoor updating.<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Supports dropping of a file to a specified location, dropping and execution of additional executables, and updating of the 
backdoor.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x5A<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SEND_SHELL<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Executes shell commands.<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 12.5px; width: 46px;\"><span style=\"font-family: courier new, courier, monospace;\">0x5C<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 246px;\"><span style=\"font-family: courier new, courier, monospace;\">MP_SET_PROXY<\/span><\/td>\n<td style=\"font-size: 12.5px; width: 227.062px;\">N\/A<\/td>\n<td style=\"font-size: 12.5px; width: 253.938px;\">Connects to a specified <span style=\"font-family: courier new, courier, monospace;\">&lt;ip&gt;:&lt;port&gt;<\/span> and forwards traffic from\/to the C&amp;C server, acting as a proxy.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>A dump containing the Windows version of BirdCall that closely resembles the one we observed in this attack and features all the commands listed above can be found on VirusTotal with SHA\u20111 <span style=\"font-family: courier new, courier, monospace;\">B06110E0FEB7592872E380B7E3B8F77D80DD1108<\/span>. The sample was uploaded from China on July 15<sup>th<\/sup>, 2024.<\/p>\n<h2>Conclusion<\/h2>\n<p>We have uncovered a multiplatform supply-chain attack targeting the Yanbian region through a compromised video game platform. Analyzing the trojanized Android games on the platform, we discovered a new tool in ScarCruft\u2019s arsenal \u2013 an Android version of the group\u2019s BirdCall backdoor. 
The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/scarcruft\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"187\"><strong>SHA-1<\/strong><\/td>\n<td width=\"107\"><strong>Filename<\/strong><\/td>\n<td width=\"147\"><strong>Detection<\/strong><\/td>\n<td width=\"161\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">01A33066FBC6253304C9<wbr\/>2760916329ABD50C3191<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">sqybhs.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EXM<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 2.0.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">03E3ECE9F48CF4104AAF<wbr\/>C535790CA2FB3C6B26CF<\/span><\/td>\n<td 
width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">ybht.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EGE<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 1.3.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">2B81F78EC4C3F8D6CF8F<wbr\/>677D141C5D13C35333AF<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">sqybhs.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EGE<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 1.5.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">59A9B9D47AE36411B277<wbr\/>544F25AD2CC955D8DD2C<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">ybht.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EGE<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 1.0.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">7356D7868C81499FB4E7<wbr\/>20F7C9530E5763B4C1D0<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">sqybhs.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EGE<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 1.0.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">FC0C691DB7E2D2BD3B0B<wbr\/>4C1E24D18DF72168B7D9<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, monospace;\">sqybhs.apk<\/span><\/td>\n<td width=\"147\">Android\/Spy.Agent.EGE<\/td>\n<td width=\"161\">Trojanized game with Android BirdCall version 1.5.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">95BDB94F6767A3CCE6D9<wbr\/>2363BBF5BC84B786BDB0<\/span><\/td>\n<td width=\"107\"><span style=\"font-family: courier new, courier, 
monospace;\">mono.dll<\/span><\/td>\n<td width=\"147\">Win32\/TrojanDownloader<wbr\/>.Agent.ILQ<\/td>\n<td width=\"161\">Trojanized mono library.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">409C5ACAED587F62F7E2<wbr\/>3DA47F72C4D9EC3144D9<\/span><\/td>\n<td width=\"107\">N\/A<\/td>\n<td width=\"147\">Win32\/TrojanDownloader<wbr\/>.Agent.ILQ<\/td>\n<td width=\"161\">Downloader leading to the RokRAT backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"187\"><span style=\"font-family: courier new, courier, monospace;\">B06110E0FEB7592872E3<wbr\/>80B7E3B8F77D80DD1108<\/span><\/td>\n<td width=\"107\">N\/A<\/td>\n<td width=\"147\">Win64\/Agent.EGN<\/td>\n<td width=\"161\">Publicly available dump of Windows BirdCall backdoor.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"123\"><strong>IP<\/strong><\/td>\n<td width=\"123\"><strong>Domain<\/strong><\/td>\n<td width=\"132\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"95\"><strong>First seen<\/strong><\/td>\n<td width=\"170\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">39.106.249[.]68<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">sqgame.com[.]cn<\/span><\/td>\n<td width=\"132\">Hangzhou Alibaba Advertising Co.,Ltd.<\/td>\n<td width=\"95\">2024\u201106\u201101<\/td>\n<td width=\"170\">Compromised sqgame site hosting trojanized games and malicious updates.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">211.239.117[.]117<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">1980food.co[.]kr<\/span><\/td>\n<td width=\"132\">Hostway IDC<\/td>\n<td width=\"95\">2025\u201103\u201107<\/td>\n<td width=\"170\">Compromised South 
Korean site used to host Android BirdCall configuration.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">114.108.128[.]157<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">inodea[.]com<\/span><\/td>\n<td width=\"132\">LG DACOM Corporation<\/td>\n<td width=\"95\">2025\u201107\u201103<\/td>\n<td width=\"170\">Compromised South Korean site used to host Android BirdCall configuration.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">221.143.43[.]214<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">www.lawwell.co[.]kr<\/span><\/td>\n<td width=\"132\">SK Broadband Co Ltd<\/td>\n<td width=\"95\">2024\u201111\u201104<\/td>\n<td width=\"170\">Compromised South Korean site used to host shellcode and clean mono library.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">222.231.2[.]20<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">colorncopy.co[.]kr<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">swr.co[.]kr<\/span><\/td>\n<td width=\"132\">LG DACOM Corporation<\/td>\n<td width=\"95\">2025\u201103\u201118<\/td>\n<td width=\"170\">Compromised South Korean site used to host shellcode.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">222.231.2[.]23<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">sejonghaeun[.]com<\/span><\/td>\n<td width=\"132\">IP Manager<\/td>\n<td width=\"95\">2025\u201103\u201118<\/td>\n<td width=\"170\">Compromised South Korean site used to host clean mono library.<\/td>\n<\/tr>\n<tr>\n<td width=\"123\"><span style=\"font-family: courier new, courier, monospace;\">222.231.2[.]41<\/span><\/td>\n<td width=\"123\"><span style=\"font-family: 
courier new, courier, monospace;\">cndsoft.co[.]kr<\/span><\/td>\n<td width=\"132\">IP Manager<\/td>\n<td width=\"95\">2025\u201103\u201118<\/td>\n<td width=\"170\">Compromised South Korean site used to host shellcode.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK Enterprise framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1584\/004\">T1584.004<\/a><\/td>\n<td width=\"151\">Compromise Infrastructure: Server<\/td>\n<td width=\"265\">ScarCruft compromised South Korean websites to host payloads and configurations.<br \/>ScarCruft compromised the sqgame website to perform a supply-chain attack.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1585\/003\">T1585.003<\/a><\/td>\n<td width=\"151\">Establish Accounts: Cloud Accounts<\/td>\n<td width=\"265\">ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&amp;C purposes.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1587\/001\">T1587.001<\/a><\/td>\n<td width=\"151\">Develop Capabilities: Malware<\/td>\n<td width=\"265\">ScarCruft developed the Android version of the BirdCall backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1608\/001\">T1608.001<\/a><\/td>\n<td width=\"151\">Stage Capabilities: Upload 
Malware<\/td>\n<td width=\"265\">ScarCruft uploaded trojanized games to the compromised sqgame website.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1195\/002\">T1195.002<\/a><\/td>\n<td width=\"151\">Supply Chain Compromise: Compromise Software Supply Chain<\/td>\n<td width=\"265\">ScarCruft compromised an sqgame update server to distribute malicious updates.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td width=\"265\">BirdCall can execute shell commands.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1027\/013\">T1027.013<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td width=\"265\">BirdCall has encrypted strings and loading chain components.<br \/>The trojanized mono library contains encrypted shellcode.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1070\/004\">T1070.004<\/a><\/td>\n<td width=\"151\">Indicator Removal: File Deletion<\/td>\n<td width=\"265\">The trojanized mono library is replaced with a clean one.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1112\">T1112<\/a><\/td>\n<td width=\"151\">Modify Registry<\/td>\n<td width=\"265\">BirdCall can modify settings of word processors to enable macros.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1140\">T1140<\/a><\/td>\n<td width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"265\">BirdCall 
decrypts strings and loading chain components.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1480\/001\">T1480.001<\/a><\/td>\n<td width=\"151\">Execution Guardrails: Environmental Keying<\/td>\n<td width=\"265\">BirdCall\u2019s loading chain has components encrypted with a computer-specific key.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1497\">T1497<\/a><\/td>\n<td width=\"151\">Virtualization\/Sandbox Evasion<\/td>\n<td width=\"265\">The downloader in the trojanized mono library checks for analysis tools and virtual machine environments.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1555\">T1555<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores<\/td>\n<td width=\"265\">BirdCall can obtain saved passwords from browsers and other software.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1046\">T1046<\/a><\/td>\n<td width=\"151\">Network Service Discovery<\/td>\n<td width=\"265\">BirdCall can scan a range of IPs and ports with an HTTP GET request.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1082\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">BirdCall can obtain various system information.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1083\">T1083<\/a><\/td>\n<td width=\"151\">File and Directory Discovery<\/td>\n<td width=\"265\">BirdCall can obtain information about drives and directories.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"7\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1005\">T1005<\/a><\/td>\n<td width=\"151\">Data from Local System<\/td>\n<td width=\"265\">BirdCall can collect user files from IM clients KakaoTalk, WeChat, and Signal.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1056\/001\">T1056.001<\/a><\/td>\n<td width=\"151\">Input Capture: Keylogging<\/td>\n<td width=\"265\">BirdCall can log keystrokes.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1113\">T1113<\/a><\/td>\n<td width=\"151\">Screen Capture<\/td>\n<td width=\"265\">BirdCall can capture screenshots.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1115\">T1115<\/a><\/td>\n<td width=\"151\">Clipboard Data<\/td>\n<td width=\"265\">BirdCall can collect clipboard contents.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1119\">T1119<\/a><\/td>\n<td width=\"151\">Automated Collection<\/td>\n<td width=\"265\">BirdCall can periodically collect files with certain extensions from local and removable drives.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1125\">T1125<\/a><\/td>\n<td width=\"151\">Video Capture<\/td>\n<td width=\"265\">BirdCall can capture a webcam photo.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1560\">T1560<\/a><\/td>\n<td width=\"151\">Archive Collected Data<\/td>\n<td width=\"265\">BirdCall compresses and encrypts collected data before exfiltration.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1071\/001\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td 
width=\"265\">BirdCall uses HTTP to communicate with cloud storage services.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1090\">T1090<\/a><\/td>\n<td width=\"151\">Proxy<\/td>\n<td width=\"265\">BirdCall can act as a proxy.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1102\/002\">T1102.002<\/a><\/td>\n<td width=\"151\">Web Service: Bidirectional Communication<\/td>\n<td width=\"265\">BirdCall communicates with cloud storage services to download commands and exfiltrate data.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1020\">T1020<\/a><\/td>\n<td width=\"151\">Automated Exfiltration<\/td>\n<td width=\"265\">BirdCall periodically exfiltrates collected data.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1041\">T1041<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">BirdCall exfiltrates data to its C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1567\/002\">T1567.002<\/a><\/td>\n<td width=\"151\">Exfiltration Over Web Service: Exfiltration to Cloud Storage<\/td>\n<td width=\"265\">BirdCall exfiltrates data to cloud storage services.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK Mobile framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td style=\"width: 111.844px;\" width=\"113\"><strong>Tactic<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><strong>ID<\/strong><\/td>\n<td style=\"width: 149.328px;\" width=\"151\"><strong>Name<\/strong><\/td>\n<td style=\"width: 
259.375px;\" width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"width: 111.844px;\" width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1474\/003\">T1474.003<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Supply Chain Compromise: Compromise Software Supply Chain<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">ScarCruft performed a supply-chain attack, compromising the sqgame website, to distribute trojanized games containing the Android BirdCall backdoor.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.844px;\" rowspan=\"3\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1406\">T1406<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Obfuscated Files or Information<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Version 2.0 of the Android BirdCall backdoor is obfuscated.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1407\">T1407<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Download New Code at Runtime<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">The Android BirdCall backdoor can download and load newer versions of itself.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1541\">T1541<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Foreground Persistence<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall uses the <span style=\"font-family: courier new, courier, monospace;\">startForeground<\/span> API to take screenshots while in the background.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.844px;\" rowspan=\"3\" 
width=\"113\"><strong>Discovery<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1420\">T1420<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">File and Directory Discovery<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall creates a directory listing and searches for files with specified extensions.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1422\">T1422<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Local Network Configuration Discovery<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall obtains the device\u2019s IMEI, IP address, and MAC address.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1426\">T1426<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">System Information Discovery<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall obtains system information of the compromised device including brand, model, OS version, kernel version, rooted status, battery temperature, RAM, and storage information.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.844px;\" rowspan=\"8\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1532\">T1532<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Archive Collected Data<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall compresses and encrypts collected data.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1429\">T1429<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Audio Capture<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall can record voice using 
the microphone.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1430\">T1430<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Location Tracking<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall obtains approximate device location using the <span style=\"font-family: courier new, courier, monospace;\">ipinfo[.]io<\/span> service.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1513\">T1513<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Screen Capture<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall can take screenshots.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1533\">T1533<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Data from Local System<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall collects local files with the following extensions: <span style=\"font-family: courier new, courier, monospace;\">.jpg<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.doc<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.docx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.xls<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.xlsx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.ppt<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.pptx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.txt<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.hwp<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.pdf<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.m4a<\/span>, and <span style=\"font-family: courier new, courier, 
monospace;\">.p12<\/span>.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1636\/002\">T1636.002<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Protected User Data: Call Log<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall collects the call log.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1636\/003\">T1636.003<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Protected User Data: Contact List<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall collects the contact list.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1636\/004\">T1636.004<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Protected User Data: SMS Messages<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall collects SMS messages.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.844px;\" rowspan=\"2\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1437\/001\">T1437.001<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall communicates with the C&amp;C cloud storage drive using HTTPS.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1481\/002\">T1481.002<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Web Service: Bidirectional Communication<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall uses a Zoho WorkDrive service cloud storage drive for C&amp;C purposes.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 111.844px;\" 
width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td style=\"width: 111.453px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1646\">T1646<\/a><\/td>\n<td style=\"width: 149.328px;\" width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td style=\"width: 259.375px;\" width=\"265\">Android BirdCall uses the C&amp;C channel for data exfiltration.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region 
in<\/p>\n","protected":false},"author":1,"featured_media":326,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-325","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=325"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/325\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/326"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}