
ScarCruft hackers push BirdCall Android malware via game platform

Published:

5 May 2026 at 09:04:13

Alert date:

5 May 2026 at 10:00:46

Source:

bleepingcomputer.com


Mobile & IoT, Ransomware & Malware, Supply Chain & Dependencies, Data Breach & Exfiltration

North Korean hacker group APT37 (also known as ScarCruft) has been distributing an Android version of the BirdCall backdoor malware through a supply-chain attack targeting a video game platform. This represents an active campaign by a nation-state actor using mobile malware to compromise Android devices through a trusted gaming platform, demonstrating sophisticated supply-chain compromise techniques.

Technical details

BirdCall is an Android backdoor/spyware developed by APT37 around October 2024; at least seven versions have been created. The malware is delivered through supply-chain attacks by trojanizing APKs on gaming platforms. Android variant capabilities include: extracting IP geolocation; collecting contacts, call logs and SMS; gathering device information (OS, kernel, IMEI, MAC address); taking periodic screenshots; recording audio from 7-10 PM local time; playing silent MP3 loops to prevent the process from being suspended; and exfiltrating specific file types (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, .p12). The Windows infection chain uses a trojanized mono.dll that downloads RokRAT, which in turn deploys the Windows version of BirdCall.

Mitigation steps:

Only download software from official marketplaces and trusted publisher sites to minimize malware infection risks.

Affected products:

Android devices
Windows systems
sqgame.net gaming platform

Related links:

Related CVEs:

Related threat actors:

IOCs:

sqgame[.]net, mono.dll (trojanized DLL), BirdCall malware family, RokRAT
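The indicators above are given defanged, as advisories usually are. The following Python script is an added example (not code from the advisory, from BleepingComputer, or from Perceptive) showing how a defender would refang the listed domain and filename IOCs and sweep them across DNS, proxy and EDR logs. The log lines are constructed for the example, the "sha256=<placeholder>" value is a deliberate placeholder, and the split of the page's flat IOC line into a domain list and a filename list is the author's own classification.

```python
import re

# IOCs as printed in the advisory, split by type (classification is ours).
DOMAIN_IOCS = ["sqgame[.]net"]
FILE_IOCS = ["mono.dll"]

# Host-like tokens: at least one dotted label, letters/digits/hyphens only.
HOST_IN_LINE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def refang(ioc: str) -> str:
    """Turn common defanging conventions back into a matchable, lower-cased string."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxp", "http")
               .lower())


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it (never a lookalike suffix)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_logs(lines):
    """Return (line_number, matched_ioc, line) for every IOC hit in the given log lines."""
    domains = [refang(d) for d in DOMAIN_IOCS]
    filenames = [f.lower() for f in FILE_IOCS]
    hits = []
    for n, line in enumerate(lines, 1):
        # Domain IOCs: compare every host-like token, one hit per line per domain.
        for host in HOST_IN_LINE.findall(line):
            for d in domains:
                if host_matches(host, d):
                    hits.append((n, d, line))
                    break
        # Filename IOCs: whole-token match so "mono.dll" does not fire on "mono.dll.bak".
        lowered = line.lower()
        for f in filenames:
            if re.search(r"(?<![\w.-])" + re.escape(f) + r"(?![\w.])", lowered):
                hits.append((n, f, line))
    return hits


# Constructed sample log lines (not real telemetry); line 4 is a lookalike that must not match.
LOG_LINES = [
    "2026-05-05T09:12:01Z dns client=10.0.0.15 query=update.sqgame.net type=A",
    "2026-05-05T09:12:03Z proxy client=10.0.0.15 GET http://cdn.sqgame.net/launcher/mono.dll status=200",
    "2026-05-05T09:13:10Z dns client=10.0.0.22 query=www.example.com type=A",
    "2026-05-05T09:14:44Z dns client=10.0.0.31 query=notsqgame.net type=A",
    "2026-05-05T09:15:02Z edr host=WS-07 file_write path=C:\\Games\\Launcher\\mono.dll sha256=<placeholder>",
]

if __name__ == "__main__":
    for line_no, ioc, line in scan_logs(LOG_LINES):
        print(f"line {line_no}: matched {ioc!r}: {line}")
```

The subdomain-aware comparison matters here: supply-chain delivery from a gaming platform typically comes from hosts such as an update or CDN subdomain rather than the bare registered domain, while a plain substring check would also flag unrelated names that merely end in "sqgame.net".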

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
