Game of Shadows: North Korean Hackers Infiltrate Yanbian Gaming Platform With Stealthy Backdoors
Subtitle: A notorious North Korean cyber-espionage group has weaponized a popular gaming platform, targeting ethnic Koreans in China with advanced Windows and Android surveillance tools.
It began as innocent fun: Yanbian-themed card and board games, a community pastime for ethnic Koreans in China’s borderlands. But beneath the surface, a silent breach was underway. By late 2024, a North Korea-aligned hacking group known as ScarCruft had transformed a beloved digital playground into a sophisticated espionage pipeline, one that reached deep into the lives of refugees, defectors, and anyone else of interest to Pyongyang.
Fast Facts
- ScarCruft (APT37) compromised sqgame[.]net, a gaming platform popular in China’s Yanbian region.
- Both Windows and Android versions of traditional games were trojanized to deliver the BirdCall backdoor.
- The campaign targeted ethnic Koreans, especially refugees and defectors, for surveillance and data theft.
- The Android backdoor harvested contacts, messages, documents, and even recorded audio during set hours.
- Malicious tools used legitimate cloud services like Dropbox and Zoho WorkDrive for covert communications.
Inside the Hack: From Games to Global Espionage
The Yanbian Korean Autonomous Prefecture, bordering North Korea, is home to the world’s largest ethnic Korean community outside the peninsula. For years, the sqgame[.]net platform has connected this diaspora with digital versions of cherished card and board games. But in late 2024, cyber researchers uncovered a chilling twist: ScarCruft, a North Korean state-backed group active since at least 2012, had breached the platform’s supply chain.
The attackers first targeted the Windows desktop client, slipping a malicious version of the mono.dll library into the game’s update process so that the legitimate updater itself delivered the implant. This allowed them to quietly install the RokRAT backdoor, which then deployed the more advanced BirdCall spyware. To evade detection, the malicious mono.dll later overwrote itself with a clean copy of the library fetched from compromised South Korean websites, removing the on-disk evidence of the swap.
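The swap-in-then-swap-back behaviour described above has a practical consequence for anyone checking an install directory: a one-time hash comparison taken after the clean copy is restored shows nothing wrong. The following added example (written for this article, not code from the platform, the game, or any vendor report) keeps an append-only journal of SHA-256 snapshots and flags libraries whose hash changed at some point but has since returned to the baseline value. The directory layout, the file names and the "mono.dll" bytes in the demo are constructed; only the general technique (periodic hashing plus retained history) is the point.

```python
# Added example (not from the article or any vendor report): a file-integrity
# journal for a game install directory. It shows why a point-in-time hash check
# misses a loader that later replaces itself with a clean copy of the same DLL.
# All paths, names and file contents below are constructed for the demo.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, suffixes=(".dll", ".exe")):
    """Map each library/executable under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def diff_snapshots(before, after):
    """Return (added, removed, changed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed


class HashJournal:
    """Append-only record of snapshots: keeps the history that a 'current state'
    comparison throws away."""

    def __init__(self):
        self.entries = []  # list of (timestamp, snapshot dict)

    def record(self, root, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append((when, snapshot(root)))

    def transient_changes(self):
        """Paths whose hash differed from the baseline in at least one snapshot
        but whose latest hash equals the baseline again: the swap-in, swap-back pattern."""
        if len(self.entries) < 2:
            return []
        baseline = self.entries[0][1]
        latest = self.entries[-1][1]
        flagged = set()
        for _, snap in self.entries[1:]:
            for p in diff_snapshots(baseline, snap)[2]:
                if latest.get(p) == baseline.get(p):
                    flagged.add(p)
        return sorted(flagged)


def demo():
    """Simulate: clean baseline -> trojanized mono.dll -> clean copy restored.
    Returns (changed-right-now, changed-at-some-point-and-reverted)."""
    with tempfile.TemporaryDirectory() as root:
        dll = os.path.join(root, "mono.dll")
        clean = b"MZ" + b"\x00" * 62 + b"constructed clean library"
        with open(dll, "wb") as f:
            f.write(clean)
        with open(os.path.join(root, "game.exe"), "wb") as f:
            f.write(b"MZ" + b"constructed game binary")

        journal = HashJournal()
        journal.record(root)                      # baseline from a known-good install
        with open(dll, "wb") as f:                # update process drops the malicious DLL
            f.write(b"MZ" + b"\x00" * 62 + b"constructed trojanized library")
        journal.record(root)
        with open(dll, "wb") as f:                # implant restores a clean copy
            f.write(clean)
        journal.record(root)

        before, after = journal.entries[0][1], journal.entries[-1][1]
        point_in_time = diff_snapshots(before, after)[2]   # empty: nothing visible now
        return point_in_time, journal.transient_changes()  # ['mono.dll']


if __name__ == "__main__":
    now, history = demo()
    print("changed right now:", now)
    print("changed at some point and reverted:", history)
```

In practice the baseline should come from a clean install or the vendor's signed release, and the journal should live somewhere the game process cannot write; the example uses a temporary directory only so it runs stand-alone.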
Android users were not spared. The group distributed trojanized versions of popular games, Yanbian Red Ten and New Drawing, directly from the official website. Hidden inside was a new variant of the BirdCall backdoor, codenamed “zhuagou.” This mobile malware harvested sensitive data: contacts, SMS messages, call logs, and a wide array of document and media files. Notably, it sought out .hwp files, the Hangul word-processor format favored by South Korean users, confirming ScarCruft’s focus on Korean-speaking victims. The Android version also recorded audio: it silently activated the microphone each evening and looped an audio track to keep the app alive in the background rather than being suspended by the system.
Researchers traced at least seven Android BirdCall versions between October 2024 and June 2025, each iteration more evasive than the last. For command-and-control, ScarCruft exploited trusted cloud services (Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive), making their operations harder to block and detect. Twelve unique Zoho WorkDrive accounts, all tied to ScarCruft’s infrastructure, were used to manage stolen data.
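Because the traffic goes to services that many users legitimately rely on, blocking the destinations is rarely an option; the detectable signal is the wrong process talking to them. The following added example (written for this article, not code from the vendors, the platform, or any report) runs that logic over a constructed proxy-log format and reports non-browser, non-sync-client processes that exchange data with cloud-storage API hosts. The log format, every sample line, the process names and the allowlist are constructed; the domain-suffix list is an assumption about where those services' APIs live and is not exhaustive.

```python
# Added example (not from the article): flag unexpected processes that talk to
# consumer cloud-storage APIs, the C2 pattern described above.
# Log format, sample lines, process names and the allowlist are constructed;
# the suffix list is an assumption about the services' API hosts, not a complete list.
import re
from collections import defaultdict

# Assumed host suffixes for the four services named in the article.
CLOUD_STORAGE_SUFFIXES = (
    "dropboxapi.com", "dropbox.com",   # Dropbox
    "pcloud.com",                      # pCloud
    "yandex.net",                      # Yandex Disk
    "zoho.com", "zohoapis.com",        # Zoho WorkDrive
)

# Processes for which cloud-storage traffic is expected (constructed allowlist).
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Constructed proxy-log format: one request per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>\S+) host=(?P<host>\S+) out=(?P<out>\d+)$"
)

SAMPLE_LOG = """\
2024-11-03T19:02:11Z src=10.20.1.15 proc=chrome.exe method=GET host=www.dropbox.com out=812
2024-11-03T19:02:40Z src=10.20.1.15 proc=game_client.exe method=POST host=content.dropboxapi.com out=48211
2024-11-03T19:03:02Z src=10.20.1.15 proc=game_client.exe method=GET host=api.dropboxapi.com out=640
2024-11-03T19:05:30Z src=10.20.1.15 proc=game_client.exe method=POST host=www.zohoapis.com out=102400
2024-11-03T19:06:00Z src=10.20.1.22 proc=dropbox.exe method=POST host=content.dropboxapi.com out=5120000
2024-11-03T19:07:13Z src=10.20.1.22 proc=outlook.exe method=GET host=outlook.office365.com out=3000
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    return rec


def is_cloud_storage(host):
    """True if host is one of the assumed cloud-storage API domains or a subdomain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_suspects(log_text):
    """Group cloud-storage requests by (source, process) and return those whose
    process is not on the allowlist, sorted by bytes sent out (largest first)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cloud_storage(rec["host"]):
            continue
        if rec["proc"].lower() in EXPECTED_CLOUD_CLIENTS:
            continue
        entry = stats[(rec["src"], rec["proc"])]
        entry["requests"] += 1
        entry["bytes_out"] += rec["out"]
        entry["hosts"].add(rec["host"])
    suspects = [
        {"src": src, "proc": proc, "requests": e["requests"],
         "bytes_out": e["bytes_out"], "hosts": sorted(e["hosts"])}
        for (src, proc), e in stats.items()
    ]
    return sorted(suspects, key=lambda s: s["bytes_out"], reverse=True)


if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(f"{s['src']} {s['proc']}: {s['requests']} requests, "
              f"{s['bytes_out']} bytes out to {', '.join(s['hosts'])}")
```

The allowlist is the part that needs local tuning: a real deployment would build it from the software inventory rather than from guesses, and would add the recurring evening timing the article describes as a second signal.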
Implications: The New Face of State-Backed Cyber Espionage
This campaign marks a leap in ScarCruft’s capabilities, blending technical sophistication with deep cultural targeting. By compromising a platform beloved by a vulnerable diaspora, North Korean operatives have demonstrated not just hacking prowess, but a chilling understanding of their targets’ digital lives. As supply-chain attacks grow more common, even seemingly innocent platforms may now conceal the shadows of international espionage.
WIKICROOK
- Supply chain attack: A supply chain attack compromises a trusted third-party vendor, service, or update channel in order to reach its users, exploiting the trust placed in that external relationship.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Command and control (C2): Command and control is the channel an attacker uses to send instructions to compromised devices and to receive stolen data; in this campaign it ran over legitimate cloud-storage services.
- DLL (Dynamic Link Library): A DLL is a Windows file containing shared code used by programs. Malicious DLLs can be exploited by hackers to gain control over a system.
- Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.