North Korean hackers have compromised a gaming platform popular with ethnic Koreans in China, delivering a Trojanized backdoor that steals data and executes commands.

The threat, allegedly carried out by the state-sponsored group ScarCruft (APT37), has been active since late 2024 and targets users of the SQgame platform, which hosts traditional card and board games. The malware, dubbed BirdCall, exfiltrates everything from messages and media to ambient audio and clipboard data.
ESET researchers uncovered the BirdCall backdoor embedded in both Windows and Android versions of the platform. On Windows, it captures screenshots, logs keystrokes, and executes shell commands, while on Android, it steals contact lists, SMS, and call logs. All stolen data is uploaded to cloud services such as Dropbox. The malware has been updated seven times, indicating active development and maintenance.
"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," ESET said.
The Yanbian Korean Autonomous Prefecture near the North Korean border serves as a key crossing point for refugees and defectors, as it holds the largest number of ethnic Koreans in China. Due to its proximity to the border, Yanbian is considered a strategic target for North Korean state-sponsored espionage.
SQgame remains compromised, with malicious Android builds still being distributed. The attack highlights how threat actors exploit niche, culturally specific platforms to target vulnerable and unsuspecting people.
With North Korean APT groups growing bolder, the security implications extend beyond the gaming space. Gamers and users of region-specific platforms should remain vigilant, especially when downloading apps or games from less mainstream sources.




