North Korean APT ScarCruft Trojans Gaming Platform for Ethnic Koreans in China
What Happened — The sqgame.net gaming portal serving ethnic Koreans in China was compromised in late 2024. Attackers replaced the legitimate Windows mono.dll and the Android APKs with backdoored versions that delivered the RokRAT and BirdCall implants, giving them long-term surveillance access to the platform's users.
Why It Matters for TPRM —
- Supply‑chain compromise of a seemingly benign consumer app can expose sensitive personal data and communications.
- State‑aligned espionage groups target niche communities, expanding the attack surface beyond traditional enterprise vendors.
- Persistent backdoors (RokRAT/BirdCall) collect contacts, messages, files, screenshots and audio, creating a high‑value intelligence haul.
Who Is Affected — Gaming/entertainment platforms, mobile app distributors, and any third‑party services that integrate or host downloadable client software for end‑users.
Recommended Actions —
- Review any third‑party gaming or entertainment applications used by your workforce or customers for supply‑chain risk.
- Validate that updates are signed by the vendor's key and hash-checked against published values before installation; a trusted delivery channel alone is not enough, since here the malicious package was served from a legitimate vendor sub-domain.
- Monitor endpoints for RokRAT/BirdCall activity: mono.dll loaded from an unexpected path or with a hash that does not match the vendor's build, unsigned native binaries dropped by the game client, and callbacks from the client to hosts outside the vendor's infrastructure.
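The two checks above, as an added example that is not code from the Help Net Security report or from any ScarCruft tooling: an update file is accepted only if its SHA-256 is on a pinned allowlist, and Sysmon-style ImageLoad/NetworkConnect records are swept for a mono.dll with an unpinned hash or unexpected path and for the game client calling out to a non-vendor host. The process name sqgame.exe, the install directory, the allowlist entry and every log line are constructed for the example; only the two vendor hostnames come from the report.

```python
"""Added example: not code from the Help Net Security report or from ScarCruft tooling.

Two checks that map onto the recommended actions above:
  1. verify_update_*: refuse an update file whose SHA-256 is not on a pinned
     allowlist (a trojanized mono.dll fails this check).
  2. scan_events: sweep Sysmon-style ImageLoad / NetworkConnect records for a
     mono.dll with an unpinned hash or unexpected path, and for the game client
     calling out to a host that is not the vendor's.

Every hash, path, process name and log line below is constructed for the
example; replace them with values from your own environment.
"""
import hashlib
import json

# ---- 1. Update integrity: pinned SHA-256 allowlist ----------------------------

# Stand-in for a legitimate vendor build (constructed). In practice pin the
# digests the vendor publishes, or ones you computed from a verified release.
KNOWN_GOOD_BUILD = b"constructed stand-in for a legitimate mono.dll build\n"
ALLOWED_MONO_SHA256 = {
    hashlib.sha256(KNOWN_GOOD_BUILD).hexdigest(): "mono.dll vendor build (constructed)",
}


def verify_update_bytes(data: bytes) -> tuple[bool, str]:
    """Return (allowed, sha256hex); anything not pinned is rejected."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in ALLOWED_MONO_SHA256, digest


def verify_update_file(path: str) -> tuple[bool, str]:
    """Same check for an update file already on disk."""
    with open(path, "rb") as fh:
        return verify_update_bytes(fh.read())


# ---- 2. Endpoint telemetry sweep ---------------------------------------------

GAME_PROCESS = "sqgame.exe"                                # assumed client binary name
EXPECTED_MONO_DIR = "c:\\program files\\sqgame\\"         # assumed install directory
EXPECTED_DOMAINS = {"sqgame.net", "xiazai.sqgame.com.cn"}  # vendor hosts named in the report


def host_expected(host: str) -> bool:
    """True when host is a vendor domain or a sub-domain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def scan_events(lines):
    """Return human-readable findings for a sequence of JSON-lines events."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        proc = ev.get("process", "").lower()
        kind = ev.get("event")
        if kind == "ImageLoad":
            image = ev.get("image", "").lower()
            if not image.endswith("mono.dll"):
                continue
            digest = ev.get("sha256", "").lower()
            if digest not in ALLOWED_MONO_SHA256:
                findings.append(f"{proc}: mono.dll with unpinned hash {digest[:12]} at {image}")
            if not image.startswith(EXPECTED_MONO_DIR):
                findings.append(f"{proc}: mono.dll loaded from unexpected path {image}")
        elif kind == "NetworkConnect" and proc == GAME_PROCESS:
            host = ev.get("dest_host", "").lower()
            if host and not host_expected(host):
                findings.append(f"{proc}: callback to unexpected host {host}")
    return findings


# Constructed telemetry, one JSON object per line (simplified shapes of Sysmon
# event ID 7, image loaded, and event ID 3, network connection).
SAMPLE_EVENTS = [
    json.dumps({"event": "ImageLoad", "process": "sqgame.exe",
                "image": "C:\\Program Files\\sqgame\\mono.dll",
                "sha256": next(iter(ALLOWED_MONO_SHA256))}),          # clean load
    json.dumps({"event": "ImageLoad", "process": "sqgame.exe",
                "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\mono.dll",
                "sha256": "deadbeef" * 8}),                           # unpinned hash, temp path
    json.dumps({"event": "NetworkConnect", "process": "sqgame.exe",
                "dest_host": "xiazai.sqgame.com.cn"}),                # vendor update host
    json.dumps({"event": "NetworkConnect", "process": "sqgame.exe",
                "dest_host": "update-cdn.example"}),                  # not a vendor host
]

if __name__ == "__main__":
    ok, digest = verify_update_bytes(KNOWN_GOOD_BUILD)
    print(f"pinned build accepted: {ok} ({digest[:12]})")
    for finding in scan_events(SAMPLE_EVENTS):
        print("ALERT", finding)
```

On a Windows fleet the hash check is usually paired with a signer check (Get-AuthenticodeSignature and Get-FileHash in PowerShell), and for the Android side apksigner verify will reject a repackaged APK whose signing certificate no longer matches the vendor's. Pinning hashes only helps if the allowlist is built from releases you verified yourself, not from whatever the download sub-domain is currently serving.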
Technical Notes —
- Attack vector: a malicious update package (trojanized mono.dll) served from the vendor sub-domain xiazai.sqgame.com.cn, and repackaged Android APKs with an altered AndroidManifest.xml.
- Payloads: RokRAT downloader → BirdCall C++ backdoor (Windows) and “zhuagou” (Android) implants.
- Collected data: contacts, call logs, SMS, documents (docx, pdf, hwp and others), screenshots, and microphone recordings captured on a timer.
- Source: Help Net Security