ScarCruft Supply Chain Attack Injects BirdCall Malware into Gaming Platform
The North Korea‑aligned advanced persistent threat (APT) group ScarCruft, also tracked as Group 123 and Reaper, has resurfaced with a fresh supply‑chain intrusion that targets a popular video‑game distribution platform. According to researchers at Volexity, the operation leverages the platform’s update mechanism to deliver a trojanized component that ultimately installs the group’s signature backdoor, BirdCall, on both Windows and Android devices.
In the attack chain, ScarCruft compromised a third‑party software development kit (SDK) used by the gaming service. The malicious SDK includes a DLL that the game executable side‑loads when it runs. This DLL is a variant of BirdCall, a modular remote‑access trojan (RAT) that communicates with a command‑and‑control (C2) server over HTTPS using a custom‑encoded protocol. BirdCall’s capabilities include harvesting device information, capturing screenshots, logging keystrokes, and executing arbitrary PowerShell commands on infected hosts.
Once the compromised SDK is distributed to end‑users, the malware adapts its behavior to the host OS. On Windows, it masquerades as a legitimate signed executable to bypass User Account Control (UAC) and runs with standard user privileges, while on Android it abuses the accessibility service API to collect call logs, contacts, SMS messages, and to surreptitiously record audio. The campaign primarily targeted users in South Korea and Japan who downloaded the game from the official portal or from third‑party mirrors that replicated the poisoned installer.
Security teams have been advised to verify the integrity of all third‑party libraries and to monitor for anomalous DLL loading patterns indicative of side‑loading. Volexity published a set of YARA rules and indicators of compromise (IOCs), including MD5 hashes of the malicious DLL (e.g., d7f9a2b3c4e5f678...), the C2 domain birdcall‑c2[.]tk, and registry keys associated with the dropper. Organizations are urged to employ endpoint detection and response (EDR) solutions, enforce code‑signing validation, and apply the latest patches to mitigate the threat posed by this ScarCruft supply‑chain campaign.
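The two defensive steps recommended above (monitoring image‑load telemetry for side‑loading patterns, and verifying third‑party libraries against a pinned manifest) can be prototyped in a few dozen lines. The script below is an added example written for this article; it is not Volexity’s tooling, not the YARA rules they published, and not code from the affected platform. The event records are constructed to resemble Sysmon Event ID 7 (Image loaded) fields, the paths and `SYSTEM_DLL_NAMES` list are assumptions chosen for illustration, and the SDK file contents and their SHA‑256 digests are constructed stand‑ins rather than real IOCs.

```python
"""Flag DLL side-loading candidates in image-load telemetry and verify a
third-party SDK against a pinned hash manifest.

Added example for this article (not vendor code). Sample events are
constructed to resemble Sysmon Event ID 7 fields; paths, DLL names and
hashes below are assumptions for illustration, not indicators of compromise.
"""
import hashlib
import ntpath
from dataclasses import dataclass

# Constructed sample records (Image = loading process, ImageLoaded = DLL).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\GameLauncher\game.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\GameLauncher\game.exe",
     "ImageLoaded": r"C:\Program Files\GameLauncher\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\GameLauncher\game.exe",
     "ImageLoaded": r"C:\Program Files\GameLauncher\sdk_net.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Invalid"},
]

# DLL names a process normally resolves from the Windows system directory.
# Seeing one of them loaded from the application's own folder is the classic
# side-loading pattern. This list is an illustrative assumption, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                    "winmm.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Finding:
    process: str
    dll: str
    reasons: tuple


def classify_image_load(ev: dict) -> list:
    """Return the side-loading indicators that apply to one image-load record."""
    reasons = []
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded outside system directory")
    if dll_dir == proc_dir and ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalidly signed DLL from process directory")
    return reasons


def find_sideloading(events: list) -> list:
    """Run the classifier over a batch of records and keep only the hits."""
    return [Finding(ev["Image"], ev["ImageLoaded"], tuple(r))
            for ev in events if (r := classify_image_load(ev))]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for SDK file contents; a real check reads files from disk.
TRUSTED_SDK_FILES = {"sdk_net.dll": b"constructed-good-sdk-bytes-v1"}
# The manifest must arrive over a separate, authenticated channel (e.g. a signed
# vendor release note), never inside the download that is being verified.
SDK_MANIFEST = {name: sha256_hex(data) for name, data in TRUSTED_SDK_FILES.items()}


def verify_sdk(files: dict, manifest: dict) -> dict:
    """Compare SDK files on disk with the pinned manifest.

    Reports modified and missing entries, plus files present on disk that the
    manifest does not list: an extra DLL sitting next to the game executable
    is exactly what a side-loading implant looks like.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in files:
            report["missing"].append(name)
        elif sha256_hex(files[name]) != digest:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest))
    return report


if __name__ == "__main__":
    for f in find_sideloading(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.dll}: {'; '.join(f.reasons)}")
    on_disk = {"sdk_net.dll": b"tampered", "version.dll": b"implant"}
    print(verify_sdk(on_disk, SDK_MANIFEST))
```

Both checks are deliberately conservative: a signed DLL with an ordinary name loaded from the application directory (`sdk_net.dll` in the sample) produces no finding, so the rule does not fire on every plugin folder, while a system‑DLL name resolved from a user‑writable path is flagged even when the file carries a valid signature, because the location, not the signature, is the anomaly in a side‑loading chain.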