


Perceptive Security
SOC/SIEM Consultancy

ScarCruft hackers push BirdCall Android malware via game platform
Published:
5 May 2026 at 09:04:13
Alert date:
5 May 2026 at 10:00:46
Source:
bleepingcomputer.com
Mobile & IoT, Ransomware & Malware, Supply Chain & Dependencies, Data Breach & Exfiltration
North Korean hacker group APT37 (also known as ScarCruft) has been distributing an Android version of its BirdCall backdoor through a supply-chain attack on a video game platform. The campaign shows a nation-state actor using mobile malware against Android devices by trojanizing software served from a platform the victims already trusted, rather than relying on a separate lure.
Technical details
BirdCall is an Android backdoor/spyware attributed to APT37. Development began around October 2024 and at least seven versions have been identified. It is delivered by trojanizing APKs hosted on the compromised gaming platform, so victims install it from a source they already trust. Capabilities of the Android variant:
Determining the victim's IP-based geolocation
Collecting contacts, call logs and SMS messages
Gathering device information (OS and kernel version, IMEI, MAC address)
Taking periodic screenshots
Recording audio between 7 and 10 PM local time
Playing a silent MP3 in a loop so the system does not suspend the process, keeping the implant resident in the background
Exfiltrating files with the extensions .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a and .p12 (.hwp is the Hancom Office format used mainly in South Korea; .p12 files are PKCS#12 bundles that typically contain private keys and certificates, so their theft has consequences beyond document exposure)
The Windows infection chain uses a trojanized mono.dll (the file name of the legitimate Mono runtime library, here replaced with a malicious copy) that downloads RokRAT, which in turn deploys the Windows version of BirdCall.
Mitigation steps:
Only download software from official marketplaces and trusted publisher sites to minimize malware infection risks.
Note that in this campaign the trusted platform itself was serving trojanized files, so download source alone is not a sufficient control: where the publisher provides file hashes or code signing, verify the downloaded APK or installer against them before installing, and review the permissions an Android game requests; access to contacts, call logs, SMS and the microphone is out of place for a game and matches the capabilities described above.
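A check a defender or a platform operator can run against this kind of tampering is to compare every file of a downloaded game client, including any bundled APK, against a trusted SHA-256 manifest. The following Python is an added example written for this page; it is not code from the original alert, from the ESET researchers or from the affected platform. The manifest format (relative path to hex SHA-256), the directory layout and every file's contents are constructed for the demonstration, and the file named mono.dll is swapped out only to mimic the Windows chain described above.

```python
"""Verify a downloaded game client (or APK) against a trusted SHA-256 manifest.

Added example for this alert, not vendor or publisher code. The manifest format
(relative path -> hex SHA-256) and every file below are constructed assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_install(root, manifest):
    """Compare an install tree against a trusted manifest.

    Returns sorted lists of files whose hash differs ('modified', e.g. a replaced
    runtime DLL), files the manifest lists but the tree lacks ('missing'), and files
    present on disk that the publisher never shipped ('unexpected', e.g. a dropped
    second-stage payload). Three empty lists mean the tree matches the manifest.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in actual and actual[p] != h),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: hash a clean install, then check a tampered copy in which
    the Mono runtime DLL was swapped and an extra file was dropped. Contents are made up."""
    files = {
        "Game.exe": b"MZ constructed-launcher",
        "runtime/mono.dll": b"MZ constructed-genuine-mono-runtime",
        "Game_Data/level0": b"constructed level data",
        "mobile/client.apk": b"PK constructed-android-client",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as tampered:
        for rel, data in files.items():
            _write(clean, rel, data)
            _write(tampered, rel, data)
        manifest = build_manifest(clean)  # trusted baseline, taken from the clean tree
        # Simulate the supply-chain tamper: replaced runtime DLL plus a dropped stage.
        _write(tampered, "runtime/mono.dll", b"MZ constructed-trojanized-loader")
        _write(tampered, "Game_Data/update.bin", b"constructed second stage")
        return verify_install(tampered, manifest), verify_install(clean, manifest)


if __name__ == "__main__":
    tampered_result, clean_result = demo()
    print("tampered install:", json.dumps(tampered_result, indent=2))
    print("clean install:", json.dumps(clean_result, indent=2))
```

Run as a script, the tampered install is flagged with the replaced DLL under modified and the dropped file under unexpected, while the clean install reports three empty lists. The manifest must come from the publisher over a channel independent of the download, ideally signed; a manifest generated from the same compromised download proves nothing.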
Affected products:
Android devices
Windows systems
sqgame.net gaming platform
Related links:
https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/
https://www.bleepingcomputer.com/news/security/new-windows-malware-also-steals-data-from-victims-mobile-phones/
Related CVEs:
Related threat actors:
APT37 (ScarCruft)
IOCs:
sqgame[.]net (compromised game distribution platform)
mono.dll (trojanized copy of the Mono runtime DLL, Windows infection chain)
Malware families: BirdCall (Android and Windows variants), RokRAT
This article was created with the assistance of AI technology by Perceptive.
