A gaming platform for Koreans in China infected by ScarCruft for espionage
A platform for traditional games for Koreans in China has been compromised by ScarCruft (APT37), a group linked to North Korea, to spy on refugees and defectors. The attack, active since late 2024, exploits malicious updates to distribute backdoors like RokRAT and BirdCall.
Quick Summary
ScarCruft compromised sqgame[.]net to distribute malware to Koreans in China. The attack uses malicious updates to install RokRAT and BirdCall. The Android implant zhuagou collects sensitive data and supports screenshots and audio recordings. The campaign targets North Korean refugees and defectors.
Compromise technique: malicious updates and sophisticated backdoors
The site sqgame[.]net hosts traditional games for Koreans in China, many of whom are refugees or defectors. The attack begins with a malicious update hosted on xiazai.sqgame.com[.]cn, which modifies a legitimate library (mono.dll) to install a downloader. This downloader downloads shellcode from compromised South Korean sites, which in turn distribute the RokRAT backdoor and the BirdCall implant.
Android: repackaged games and zhuagou backdoor
Two of the three Android games available on the site had been repackaged with malicious code: Yanbian Red Ten and New Drawing. The attackers modified the AndroidManifest.xml file to redirect the main activity to the backdoor before launching the original game. The Android implant, called zhuagou ("catch dogs"), is a ported version of the BirdCall backdoor for Windows and implements a subset of its commands.
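A defender-side check for the repackaging pattern described above, as an added example that is not from the original article or from ESET: given a decoded AndroidManifest.xml (for instance apktool output), it lists the activities carrying the MAIN/LAUNCHER intent filter and flags an APK whose entry point is not the game's known-good activity. The sample manifest, package and class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest (not a real APK): the MAIN/LAUNCHER intent filter
# has been moved from the game's own activity to an added class, which is the
# redirection the article describes. All names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
    <activity android:name="com.example.injected.LoaderActivity"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def launcher_activities(manifest_xml: str) -> list[str]:
    """Return fully qualified names of activities with a MAIN/LAUNCHER filter."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        name = act.get(NAME, "")
        if name.startswith("."):  # relative names resolve against the package
            name = pkg + name
        for flt in act.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            cats = {c.get(NAME) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                found.append(name)
                break
    return found


def launcher_redirected(manifest_xml: str, expected_activity: str) -> bool:
    """True when the launcher entry point differs from the known-good activity,
    or when more than one activity claims the launcher role."""
    return launcher_activities(manifest_xml) != [expected_activity]
```

Comparing the launcher activity of a downloaded APK against the one recorded for the known-good release is a cheap triage step before deeper static analysis.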
Advanced functionality of zhuagou: data collection and remote control
The Android implant collects contacts, call logs, SMS, and directory listings of external storage upon first launch. Subsequently, it scans the device for files with specific extensions, including Office documents, PDFs, images, and audio files. The implant also supports screenshots via Android's startForeground API and audio recordings between 7:00 PM and 12:00 AM, local time.
Communication with command and control: Zoho accounts and encoding
The Android implant's command and control traffic uses HTTPS to communicate with Zoho WorkDrive accounts. ESET observed twelve such accounts, all registered with zohomail addresses. The implant code also supports pCloud and Yandex Disk, although these were not active during the investigation. The decrypted commands start with the magic value 0x2A7B4C33, the same value used by the Windows variant.
Campaign status and security implications
At the time of publication, the malicious update package on the sqgame site was no longer active, but the Android APKs remained available. ESET notified sqgame of the compromise in December 2025, but received no response. The campaign presents a profile consistent with ScarCruft's previous operations against North Korean defectors and South Korean targets.
Protection and mitigation: how to defend against this type of attack
Users who have downloaded games from sqgame[.]net should perform a full system scan for malware and consider removing any games installed from this platform. It is crucial to keep security software up to date and adopt safe browsing practices, such as avoiding downloading applications from unofficial sources.
Geopolitical: ScarCruft and the expansion of North Korean operations
ScarCruft, also known as APT37 or Reaper, is a North Korea-linked hacking group active since at least 2012. This group is known for its targeted attacks against South Korean targets, including the government and military. The campaign described in this article highlights the expansion of ScarCruft's operations, which now include targeting North Korean refugees and defectors in China.
Implications for global cybersecurity
The compromise of sqgame[.]net underscores the importance of monitoring advanced persistent threats (APTs) and adopting robust cybersecurity measures to protect users from sophisticated attacks. Security analysts should pay attention to similar espionage campaigns and collaborate to share information and improve defense capabilities against these threats.
In-depth technical analysis: the role of mono.dll and evasion
A particularly interesting aspect of the campaign is the strategic use of mono.dll: the malicious update modifies this legitimate library so that it installs a downloader. This downloader downloads shellcode from compromised South Korean sites, which in turn distribute the RokRAT backdoor and the BirdCall implant.
Evolution of tactics: from Windows to Android
The transition of ScarCruft from primarily Windows-based attacks to campaigns that also include Android platforms represents a significant evolution in their tactics. The zhuagou implant demonstrates that the group is capable of adapting its tools to new environments while maintaining advanced functionalities such as data collection and remote control. This adaptation is crucial to maintain the effectiveness of attacks in a constantly evolving technological landscape, where users are increasingly turning to mobile devices for their daily activities.
International collaboration: the need for a joint response
The cross-border nature of this attack underscores the importance of international collaboration in combating cyber threats. ScarCruft's attacks against North Korean refugees in China involve actors in multiple jurisdictions, making it difficult for a single country to effectively address the threat. Sharing information between intelligence agencies, security researchers, and technology platforms is essential to develop coordinated defense strategies. Furthermore, the international community should consider diplomatic measures to pressure North Korea to cease its hacking activities, which represent a violation of international norms.
Lessons learned: how to improve user security
This case offers important lessons to improve user security, particularly for those belonging to vulnerable communities. It is crucial to educate users about the risks of downloading applications from unofficial sources and the importance of verifying the integrity of downloaded files. Software distribution platforms should implement more robust security measures, such as digital signatures for updates and continuous monitoring of suspicious activities. Additionally, users should be encouraged to use advanced security tools, such as intrusion detection solutions and antivirus software, to protect themselves from sophisticated attacks.
The future of APT threats: forecasts and preparation
The ScarCruft campaign against sqgame[.]net suggests that APT threats will continue to evolve, adopting new tactics and technologies to evade user defenses. Organizations and individuals should prepare for an increase in targeted espionage campaigns, particularly against vulnerable communities or strategic targets. Investing in advanced detection and response capabilities, such as threat intelligence and behavioral analysis, will be crucial to addressing future challenges. Furthermore, the cybersecurity community should continue to collaborate to share knowledge and develop innovative solutions to counter emerging threats.
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.