In a troubling development for the gaming community in Asia, a North Korea-aligned espionage group has successfully compromised a popular regional gaming platform that caters specifically to ethnic Koreans residing in China. This platform, known for its engaging traditional games, has recently been found to host Windows and Android software that has been trojanized, incorporating a previously undocumented mobile backdoor that poses significant risks to its users.
Recent investigations led by ESET researchers reveal that this malicious activity may have been ongoing since late 2024, with the primary target being users of sqgame[.]net. This particular website is dedicated to traditional Yanbian-themed card and board games, drawing users interested in these cultural pastimes. The Yanbian Korean Autonomous Prefecture, the area linked to this gaming site, is strategically positioned on the border with North Korea and serves as a known crossing point for many refugees and defectors attempting to escape the oppressive regime.
ESET experts have concluded that the motivation behind the attacks is the collection of intelligence on individuals who are likely of interest to the North Korean government. This brings to light the intersection of gaming culture and cyber espionage, wherein even seemingly benign platforms can serve as a front for gathering sensitive data.
### Multiplatform Compromise of a Regional Gaming Site
The espionage campaign has been attributed to ScarCruft, alternatively known as APT37, Reaper, or Ricochet Chollima. This sophisticated group has been operational since at least 2012, focusing its efforts on targets linked with the South Korean government, military entities, and North Korean defectors. ESET's analysis of the campaign began when a suspicious Android Package Kit (APK) was uploaded to VirusTotal. This APK was traced back to a card game named Yanbian Red Ten, which was distributed directly from the sqgame website. It was subsequently revealed that another Android title hosted on the same platform, New Drawing, also carried the same malicious code.
On the Windows operating system, telemetry data indicated that an update package for the desktop client had been distributing a trojanized mono.dll library since at least November 2024. This compromised library operates as a downloader, performing various anti-analysis checks before acquiring shellcode embedded with the RokRAT backdoor. This backdoor then enables the deployment of a more advanced implant dubbed BirdCall, showcasing the evolving tactics employed by the attackers.
Interestingly, the iOS version of the game on the same platform remained untouched. ESET researchers speculated this was likely due to the inherent complexities of circumventing Apple’s stringent app review process, illustrating the different risk profiles associated with various mobile operating systems.
### A New Android Variant of a Known Windows Backdoor
BirdCall, initially recognized by ESET as a Windows backdoor in 2021, has now found its way to the Android platform. Internally referred to as zhuagou, this variant implements a subset of capabilities consistent with its predecessor. Development activities have been noted across seven distinct versions from October 2024 through June 2025, underscoring the sustained focus of the attackers on improving their methods.
Rather than modifying the games' source code, the operators recompiled or repackaged the legitimate game APKs with malicious code injected. The key modification was to the AndroidManifest.xml file: the app's entry point was redirected through the backdoor, which then hands control to the original game activity so the game still appears to launch normally.
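As an added illustration (not code from ESET or from sqgame), the following Python compares the decoded AndroidManifest.xml of a candidate APK against the manifest of a known-good build and flags exactly the kind of change described above: a MAIN/LAUNCHER entry point moved to an activity that the original never declared, plus any other injected components. The two manifests and all package and class names are constructed for the example; it assumes the manifests have already been decoded to text by a tool such as apktool.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"  # the android:name attribute
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifests (not the real sqgame APKs). The baseline is the clean game; the
# candidate is a repackaged build whose MAIN/LAUNCHER entry point was moved to an added activity.
BASELINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.example.cardgame"><application>
 <activity android:name="com.example.cardgame.GameActivity"><intent-filter>
  <action android:name="android.intent.action.MAIN"/>
  <category android:name="android.intent.category.LAUNCHER"/>
 </intent-filter></activity>
</application></manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.example.cardgame"><application>
 <activity android:name="com.example.cardgame.GameActivity"/>
 <activity android:name="com.hypothetical.loader.EntryActivity"><intent-filter>
  <action android:name="android.intent.action.MAIN"/>
  <category android:name="android.intent.category.LAUNCHER"/>
 </intent-filter></activity>
 <service android:name="com.hypothetical.loader.CollectorService"/>
</application></manifest>"""

def launcher_activities(manifest_xml):
    """Return the set of activities (or aliases) that expose a MAIN/LAUNCHER intent filter."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for flt in comp.findall("intent-filter"):
                actions = {a.get(NAME) for a in flt.findall("action")}
                cats = {c.get(NAME) for c in flt.findall("category")}
                if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                    found.add(comp.get(NAME))
    return found

def components(manifest_xml):
    """Return every declared component as a (tag, fully qualified class name) pair."""
    root = ET.fromstring(manifest_xml)
    return {(c.tag, c.get(NAME)) for tag in COMPONENT_TAGS for c in root.iter(tag)}

def compare_manifests(baseline_xml, candidate_xml):
    """Flag a redirected entry point and any components absent from the known-good build."""
    base_launch, cand_launch = launcher_activities(baseline_xml), launcher_activities(candidate_xml)
    return {"launcher_redirected": cand_launch != base_launch,
            "new_launchers": sorted(cand_launch - base_launch),
            "added_components": sorted(components(candidate_xml) - components(baseline_xml))}
```

A non-empty `added_components` on a build that should be byte-identical to the vendor's release is the signal to pull the APK for analysis; the same comparison works for the first launch of an update against the previously installed version.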
Once activated, the malware can harvest a wide range of sensitive information, including contacts, call logs, SMS messages, documents, media files, and private keys. It can also capture screenshots and record ambient audio. However, researchers noted that audio recording is limited to a three-hour window between 7 PM and 10 PM local time, a restriction that appears to be a deliberate operational choice by the attackers.
Command-and-control (C2) for this campaign relies on cloud storage providers, namely pCloud, Yandex Disk, and Zoho WorkDrive. Of these, only Zoho WorkDrive was observed in active use, with 12 separate user accounts identified.
In December 2025, ESET alerted sqgame about the compromise, but as of the publication date, there had been no response from the gaming platform. Alarmingly, the malicious APKs remained accessible on the site, potentially exposing many unsuspecting users to the risks associated with this sophisticated cyber espionage operation. The lack of a timely response further emphasizes the urgent need for vigilance and proactive security measures in an increasingly interconnected digital landscape.