<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Spyware — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/spyware/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 05 May 2026 09:04:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/spyware/feed.xml" rel="self" type="application/rss+xml"/><item><title>ScarCruft (APT37) Deploying BirdCall Android Backdoor via Compromised Game Platform</title><link>https://feed.craftedsignal.io/briefs/2026-05-scarcruft-birdcall-android/</link><pubDate>Tue, 05 May 2026 09:04:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-scarcruft-birdcall-android/</guid><description>The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.</description><content:encoded><![CDATA[<p>The North Korean hacker group APT37, also known as ScarCruft and Ricochet Chollima, is actively distributing an Android version of their BirdCall backdoor through a supply-chain attack affecting the sqgame[.]net video game platform. This platform caters specifically to Koreans in the autonomous Yanbian region in China, which acts as a crossing point for North Korean defectors and refugees. ESET researchers discovered that APT37 created the Android version of BirdCall around October 2024 and has since developed at least seven different versions. 
The Android variant is designed as spyware, capable of collecting a wide range of sensitive information from compromised devices. This campaign highlights APT37&rsquo;s continued efforts to target specific communities with sophisticated malware.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises the sqgame[.]net video game platform, a site hosting games for Android, iOS, and Windows.</li>
<li>The attacker trojanizes legitimate Android application packages (APKs) available on the platform, embedding the Android version of BirdCall.</li>
<li>Victims download the trojanized APK from the compromised game platform (sqgame[.]net) onto their Android devices.</li>
<li>Upon installation, the BirdCall malware extracts IP geolocation information from the device.</li>
<li>The malware collects contact lists, call logs, and SMS messages from the compromised device.</li>
<li>The malware gathers device information including OS version, kernel version, rooted status, IMEI number, MAC address, IP address, and network information.</li>
<li>BirdCall transmits collected data, along with battery temperature, RAM, storage, cloud configuration, backdoor version, and targeted file extensions (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12), to its command-and-control (C2) server.</li>
<li>The malware periodically takes screenshots and records audio via the microphone from 7 pm to 10 pm local time, exfiltrating these files to the C2 server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This campaign allows APT37 to harvest sensitive information from targeted individuals, including personal communications, location data, and device details. The compromise of the sqgame[.]net platform exposes users in the Korean autonomous Yanbian region in China to significant privacy risks. Successful infection enables the threat actor to conduct surveillance, gather intelligence, and potentially identify and track individuals of interest. The collected data can be used for further espionage activities or to compromise other systems and networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to the sqgame[.]net domain, blocking it at the firewall or DNS resolver to prevent further infections (IOC: sqgame[.]net).</li>
<li>Implement application control policies on Android devices to restrict the installation of applications from untrusted sources.</li>
<li>Deploy the Sigma rule &ldquo;Detect Network Connection to sqgame.net&rdquo; to identify potentially infected devices communicating with the malicious domain.</li>
<li>Educate users about the risks of downloading applications from unofficial sources and encourage them to only use trusted app stores.</li>
<li>Enable enhanced security measures like Google Play Protect to detect and remove malicious apps.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>android</category><category>malware</category><category>spyware</category><category>apt37</category><category>scarcruft</category><category>supply-chain</category></item><item><title>ToTok iOS Application Used for Government Surveillance</title><link>https://feed.craftedsignal.io/briefs/2024-01-totok-spyware/</link><pubDate>Sat, 27 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-totok-spyware/</guid><description>The ToTok iOS application, developed by Breej Holding Ltd., was identified as a spying tool used by the government of the United Arab Emirates (UAE) to track users' conversations, movements, and relationships by collecting sensitive user data and transmitting it to servers using self-signed certificates.</description><content:encoded><![CDATA[<p>The ToTok application, developed by Breej Holding Ltd., gained popularity in the United Arab Emirates (UAE) due to the blocking of other VoIP services like Skype and WhatsApp. However, American officials identified ToTok as a spying tool used by the UAE government to track users. The application collects extensive user data, including microphone, calendar, location, photos, contacts, and camera information. This data is transmitted over the network, with traffic primarily routed through the capi.im.totok.ai server. The application&rsquo;s Info.plist reveals it requests permissions for accessing sensitive user information, and uses HTTP, which is atypical for iOS applications, as iOS typically enforces HTTPS only. The application has since been removed from the iOS App Store after these concerns were raised.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User downloads and installs the ToTok application from the iOS App Store.</li>
<li>The application requests permissions to access microphone, calendar, location, photos, contacts, camera, and Siri integration.</li>
<li>User grants the application permissions to access their data.</li>
<li>The application collects user data, including contacts, location, and communications.</li>
<li>The application transmits collected data to the capi.im.totok.ai server.</li>
<li>Network communications are encrypted via SSL, but the application uses a self-signed certificate, potentially undermining trust.</li>
<li>The UAE government leverages the collected data for surveillance purposes.</li>
<li>The application runs in the background due to UIBackgroundModes, continuously collecting and transmitting data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The ToTok application enabled mass surveillance by the UAE government, impacting tens of thousands of users. User privacy was compromised, with conversations, movements, relationships, appointments, sounds, and images being tracked. The application&rsquo;s ability to run in the background allowed for continuous data collection, and the use of a self-signed certificate raises concerns about the security and integrity of the transmitted data. The removal of the app from the iOS App Store indicates a recognition of the severe security and privacy risks posed by ToTok.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to the domain <code>im.totok.ai</code> and block if found, as this was the primary communication channel (IOC table).</li>
<li>Implement a detection rule to identify applications using self-signed certificates issued from the United Arab Emirates (AE), as observed with the ToTok application (see rule: &ldquo;Detect iOS App Connecting to Host with UAE Self-Signed Certificate&rdquo;).</li>
<li>Develop a Sigma rule to detect iOS applications requesting access to microphone, camera, location, photos, contacts, Siri integration, and calendar permissions simultaneously, as this is indicative of potentially malicious data collection (see rule: &ldquo;Detect iOS App Requesting Excessive Permissions&rdquo;).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>spyware</category><category>ios</category><category>surveillance</category><category>totok</category></item></channel></rss>