{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/apk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["ScarCruft"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Yanbian Red Ten","New Drawing","sqgame"],"_cs_severities":["high"],"_cs_tags":["supply-chain attack","apk","backdoor","android","windows","scarcruft"],"_cs_type":"threat","_cs_vendors":["sqgame"],"content_html":"\u003cp\u003eESET researchers uncovered a multiplatform supply-chain attack by the North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China since late 2024. The group compromised the Windows and Android components of a video game platform called sqgame, which is dedicated to Yanbian-themed games. ScarCruft trojanized the games with a backdoor named BirdCall, originally known to target Windows; the Android version was discovered as part of this supply-chain attack. The compromised gaming platform distributed malicious updates and trojanized Android games, aiming to collect personal data, documents, screenshots, and voice recordings from users in the targeted region.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eScarCruft compromises the sqgame gaming platform\u0026rsquo;s infrastructure, likely through exploiting vulnerabilities or weak credentials.\u003c/li\u003e\n\u003cli\u003eThe attackers trojanize the mono.dll library within an update package for the Windows desktop client of the sqgame platform, hosted at http://xiazai.sqgame.com[.]cn/dating/20240429.zip.\u003c/li\u003e\n\u003cli\u003eLegitimate users of the sqgame platform download and install the compromised update package, unknowingly deploying the trojanized mono.dll on their Windows systems.\u003c/li\u003e\n\u003cli\u003eThe trojanized mono.dll acts as a downloader, retrieving and executing the RokRAT backdoor on the victim\u0026rsquo;s machine, which then deploys the more sophisticated BirdCall backdoor.\u003c/li\u003e\n\u003cli\u003eScarCruft trojanizes Android game APKs (延边红十 and 新画图) available for download on the official sqgame website, https://www.sqgame[.]net.\u003c/li\u003e\n\u003cli\u003eVictims download and install the trojanized Android games (ybht.apk and sqybhs.apk), which contain the Android version of the BirdCall backdoor, onto their Android devices.\u003c/li\u003e\n\u003cli\u003eThe BirdCall backdoor (both Windows and Android versions) establishes command and control (C2) communication with attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe BirdCall backdoor collects sensitive information, including contacts, SMS messages, call logs, documents, media files, private keys, screenshots, and voice recordings, and exfiltrates the data to the attackers for espionage purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply-chain attack targeted ethnic Koreans living in the Yanbian region, a community of interest to the North Korean regime. The compromise of the gaming platform could have affected thousands of users, leading to the theft of personal data, sensitive documents, and private communications. If successful, ScarCruft gains access to information on individuals based in or originating from the Yanbian region, likely refugees or defectors deemed of interest to North Korea.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to the compromised sqgame domain (sqgame.com[.]cn) and associated IPs (39.106.249[.]68), as these are used to deliver malicious content.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for mono.dll and alert on modifications to this file, using the SHA-1 hash (95BDB94F6767A3CCE6D92363BBF5BC84B786BDB0) as a baseline for comparison.\u003c/li\u003e\n\u003cli\u003eBlock downloads from the malicious URLs (http://sqgame.com[.]cn/ybht.apk, http://sqgame.com[.]cn/sqybhs.apk, http://xiazai.sqgame.com[.]cn/dating/20240429.zip) at the network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-scarcruft-gaming-supply-chain/","summary":"The ScarCruft APT group conducted a supply-chain attack targeting the Yanbian region by compromising a gaming platform, sqgame, used by ethnic Koreans, trojanizing Windows and Android games with the BirdCall backdoor for espionage activities since late 2024.","title":"ScarCruft Compromises Gaming Platform in Supply-Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-05-scarcruft-gaming-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Apk","version":"https://jsonfeed.org/version/1.1"}