Borderline Intrusion: North Korean Hackers Deploy ‘BirdCall’ Malware Against Ethnic Koreans in China
Subtitle: A covert cyber-espionage campaign leveraged a rigged mobile card game to spy on ethnic Koreans living near North Korea’s border.
On a quiet winter evening in Yanbian, a region known as “Third Korea” for its large ethnic Korean population, someone downloads a new card game onto their Android phone, eager to pass the time. Unbeknownst to them, hidden within the game’s code is a digital spy, one that listens, watches, and steals. This isn’t fiction, but the chilling reality uncovered by cybersecurity experts investigating North Korea’s latest cyber-espionage offensive.
Fast Facts
- North Korean hacking group APT37 targeted ethnic Koreans in China’s Yanbian region with Android malware.
- The malware, called ‘BirdCall’, was embedded in popular card games distributed by the company Sqgame.
- BirdCall can record calls, steal data, take screenshots, and eavesdrop on conversations.
- Victims installed the infected games directly from the web, bypassing official app stores.
- The campaign was likely aimed at refugees and defectors near the North Korean border.
Inside the ‘BirdCall’ Operation
The Yanbian Korean Autonomous Prefecture, nestled against the North Korean border, has long been a hotspot for cross-border migration and defection. Now, it’s the stage for a sophisticated supply-chain attack orchestrated by APT37, a hacking group believed to work under North Korea’s Ministry of State Security. According to ESET researchers, the group weaponized a suite of Android card games from the publisher Sqgame, infecting them with a malicious backdoor dubbed ‘BirdCall’.
BirdCall is no ordinary piece of malware. Once installed, it quietly grants attackers sweeping access to the victim’s device: it can take screenshots, record phone calls, steal contacts, intercept SMS messages, and even collect private cryptographic keys. The malware’s most insidious feature? The ability to activate the microphone and eavesdrop on the user’s environment, turning an innocent phone into a bugging device.
ESET’s investigation revealed that victims typically downloaded the compromised apps directly from the Sqgame website, sidestepping the Google Play store’s security checks. The initial game download appeared legitimate, but a subsequent update, delivered after the platform was compromised in late 2024, unleashed the BirdCall payload. Over several months, researchers identified seven iterations of the Android backdoor, indicating a persistent and evolving threat.
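The two traits described above, an app installed outside a store and an app holding the permissions needed for call recording, SMS and contact theft and microphone capture, are both visible from a device's own package manager. The script below is an added triage example, not code from the article, from ESET or from Sqgame. It parses the output of two real ADB commands (`adb shell pm list packages -i`, which reports each package's installer, and `adb shell dumpsys package <pkg>`, which lists granted permissions) and flags packages that are sideloaded and request a surveillance-grade permission set. The sample command output, the package names, the trusted-installer list and the flagging threshold are all constructed assumptions for offline use and are not BirdCall identifiers.

```python
"""Flag sideloaded Android packages holding a spyware-like permission set.

Added example: parses (constructed) output of two real ADB commands,
    adb shell pm list packages -i
    adb shell dumpsys package <pkg>
Package names, installer list and threshold below are assumptions.
"""
import re
from typing import Dict, List, Set

# Assumption: storefront installers treated as trusted. `pm list packages -i`
# prints `installer=null` for packages installed from a downloaded APK.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Permissions grouped by the capability each one enables. Several
# permissions may map to the same capability family.
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone / call audio",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.READ_CALL_LOG": "call metadata",
    "android.permission.PROCESS_OUTGOING_CALLS": "call hooking",
}

# Assumption: flag when at least this many distinct capability families are held.
SPYWARE_THRESHOLD = 3

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `pm list packages -i` output (placeholder package names).
SAMPLE_PM = """\
package:com.example.cardgame installer=null
package:com.example.messenger installer=com.android.vending
package:com.example.flashlight installer=null
"""

# Constructed fragments of `dumpsys package <pkg>` output, one per package.
SAMPLE_DUMPSYS = {
    "com.example.cardgame": """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
""",
    "com.example.messenger": """\
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.example.flashlight": """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
""",
}


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer string from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def parse_granted_permissions(dumpsys_output: str) -> Set[str]:
    """Collect permission names marked `granted=true` in a dumpsys dump."""
    granted: Set[str] = set()
    for line in dumpsys_output.splitlines():
        line = line.strip()
        if ": granted=true" in line:
            granted.add(line.split(":", 1)[0])
    return granted


def triage(installers: Dict[str, str], perms: Dict[str, Set[str]]) -> List[dict]:
    """Return packages that are both sideloaded and hold a spyware-like permission set."""
    findings = []
    for pkg, installer in installers.items():
        sideloaded = installer not in TRUSTED_INSTALLERS
        capabilities = {SPYWARE_PERMISSIONS[p] for p in perms.get(pkg, set())
                        if p in SPYWARE_PERMISSIONS}
        if sideloaded and len(capabilities) >= SPYWARE_THRESHOLD:
            findings.append({"package": pkg, "installer": installer,
                             "capabilities": sorted(capabilities)})
    return findings


def run_triage() -> List[dict]:
    """Run the check over the constructed sample output."""
    installers = parse_installers(SAMPLE_PM)
    perms = {pkg: parse_granted_permissions(out) for pkg, out in SAMPLE_DUMPSYS.items()}
    return triage(installers, perms)


if __name__ == "__main__":
    for finding in run_triage():
        print(f"{finding['package']} (installer={finding['installer']}): "
              + ", ".join(finding["capabilities"]))
```

On a real device, replace the constructed strings with the command output captured over ADB. The store-installed messenger is deliberately not flagged even though it holds the same permissions, because the check targets the combination the article describes: an app that arrived outside the store and also holds surveillance permissions. A store-installed app with those permissions may still deserve review, but that is a separate decision from the sideloading signal.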
While APT37 has a history of targeting government agencies, military entities, and defectors, this campaign marks a notable escalation: targeting civilians in a sensitive border region, likely seeking intelligence on refugees or those fleeing the North Korean regime. The group’s Android malware arsenal has grown more sophisticated, with earlier versions even slipping into the Google Play store itself.
The Aftermath and Ongoing Risks
ESET reached out to Sqgame to alert them of the breach, but received no response. The compromised update package is reportedly no longer malicious, yet the incident serves as a stark warning: in the shadowy world of cyberwarfare, even casual mobile games can become tools of surveillance and control.
As borders blur in cyberspace, the digital safety of vulnerable communities remains at risk, reminding us that the war for privacy and security is being fought quietly, one compromised app at a time.
WIKICROOK
- APT37: APT37 is a North Korean cyber-espionage group targeting government, defense, and human rights organizations with advanced hacking and surveillance techniques.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Supply chain attack: A supply chain attack targets third-party vendors or services to compromise multiple organizations by exploiting trusted external relationships.
- Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
- Private key: A private key is a secret code that gives access and control over digital assets or cryptocurrency wallets; anyone with it can access the funds.