HelpnetSecurity

North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China


A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its users since late 2024. The platform, sqgame[.]net, hosts traditional card and board games for a community that sits along the North Korean border and includes many refugees and defectors.

ESET researchers tied the operation to ScarCruft, a North Korea-aligned espionage group also tracked as APT37 and Reaper, which has been active since at least 2012.

How the compromise works

The Windows installer on sqgame’s site is several years old and clean on its own. The malicious code arrived through an update package hosted at xiazai.sqgame.com[.]cn, where attackers patched a legitimate mono.dll library with a downloader. That downloader checks for analysis tools and virtual machines, locates the sqgame client process, and pulls shellcode from compromised South Korean websites. The shellcode delivered the RokRAT backdoor, which then installed BirdCall, a more capable C++ implant ESET first attributed to ScarCruft in 2021. After execution, the trojanized mono.dll is swapped back to a clean copy fetched from another compromised Korean site, erasing the visible artifact.

Download page leading to trojanized games (Source: ESET)

On Android, two of the three games offered for download were repackaged with malicious code: Yanbian Red Ten and New Drawing. The attackers appear to have lacked source code access and instead modified the AndroidManifest.xml of the original APKs to redirect the entry-point activity to the backdoor before launching the original game.
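One way a defender can spot this kind of manifest-level entry-point redirection during APK triage, as an added example that is not ESET's or sqgame's code: compare the decoded AndroidManifest.xml of a known-clean build with the suspect copy and flag any new MAIN/LAUNCHER activity. The manifests below are constructed samples with placeholder package and class names, and the text form is assumed to come from a decoder such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample: the original game's manifest (placeholder package name).
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: repackaged manifest where the launcher intent filter was
# moved to a hypothetical loader activity that starts the game afterwards.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <application>
    <activity android:name="com.loader.Start">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def launcher_activities(manifest_xml: str) -> list[str]:
    """Return fully qualified names of activities carrying a MAIN + LAUNCHER intent filter."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for intent in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in intent.findall("action")}
            cats = {c.get(NAME) for c in intent.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                name = activity.get(NAME, "")
                found.append(pkg + name if name.startswith(".") else name)  # expand shorthand
    return found


def entry_point_redirect(clean_xml: str, suspect_xml: str) -> list[str]:
    """Launcher activities present in the suspect manifest but absent from the clean one."""
    known = set(launcher_activities(clean_xml))
    return [a for a in launcher_activities(suspect_xml) if a not in known]


if __name__ == "__main__":
    print("redirected entry points:", entry_point_redirect(CLEAN_MANIFEST, SUSPECT_MANIFEST))
```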

The malicious APKs were distributed only through sqgame’s download page, with no copies surfacing on Google Play. The iOS title on the same site was untouched, likely because Apple’s review process raises the cost of trojanization.

A new Android port of BirdCall

The Android implant, which carries the internal name zhuagou (“catching dogs”), is a port of the Windows BirdCall backdoor and implements a subset of its commands. ESET identified seven builds, ranging from version 1.0 in October 2024 to version 2.0 in June 2025. Version 2.0 adds code obfuscation. The backdoor collects contacts, call logs, SMS messages, and a directory listing of external storage on first run, then sweeps the device for files matching extensions of interest, including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .jpg, .m4a, and .p12. Targeting .hwp files, the format used by the South Korean Hancom Office suite, points to Korean-speaking victims.

Screen capture is supported through Android’s startForeground API, with some samples playing a silent MP3 in a loop to keep the trojanized app alive in the background. Microphone recording is constrained to a three-hour window between 7 p.m. and 10 p.m. local time. Command-and-control traffic runs over HTTPS to Zoho WorkDrive accounts; ESET observed twelve such accounts, all registered with zohomail addresses.

The implant also supports pCloud and Yandex Disk in code, neither of which was active during the investigation. Decrypted commands begin with the magic value 0x2A7B4C33, matching the Windows variant.

Status and notification

The malicious update package on sqgame was no longer serving the trojanized mono.dll at the time of publication, but the Android APKs remained available on the site.

ESET notified sqgame of the compromise in December 2025 and received no reply. The campaign’s profile, regional focus, and targeted file types align with prior ScarCruft operations against North Korean defectors and the South Korean government and military.
