ESET researchers uncovered a multiplatform supply-chain assault by North Korea-aligned APT group ScarCruft, focusing on the Yanbian area in China – dwelling to ethnic Koreans and a crossing level for North Korean refugees and defectors. Within the assault, in all probability ongoing since late 2024, ScarCruft compromised Home windows and Android parts of a online game platform devoted to Yanbian-themed video games, trojanizing them with a backdoor.
The backdoor, named BirdCall by ESET, was initially recognized to focus on Home windows solely; the Android model was found as a part of this supply-chain assault. On this blogpost, we offer an summary of the assault, and the primary public evaluation of the Android backdoor.
Key factors of this blogpost:
- North Korea-aligned APT group ScarCruft compromised a online game platform utilized by ethnic Koreans residing within the Yanbian area in China.
- The gaming platform’s Home windows consumer was compromised via a malicious replace resulting in the RokRAT backdoor, which deployed the extra subtle BirdCall backdoor.
- Android video games out there on the gaming platform have been trojanized to include the Android model of the BirdCall backdoor – a brand new device in ScarCruft’s arsenal.
- The purpose of the marketing campaign is espionage, with the backdoor able to amassing private knowledge and paperwork, taking screenshots, and making voice recordings.
Scarcruft profile
ScarCruft, also called APT37 or Reaper, has been working since no less than 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, however different Asian nations have additionally been focused. ScarCruft appears to be primarily in authorities and navy organizations, and corporations in varied industries linked to the pursuits of North Korea. The group additionally targets North Korean defectors, with the most recent such exercise introduced on this blogpost.
BirdCall backdoor
Home windows model
BirdCall is a Home windows backdoor written in C++ that we found in 2021 and attributed to ScarCruft as a part of the ESET Risk Intelligence reporting.
The backdoor has a variety of spying capabilities, together with taking screenshots, logging keystrokes and clipboard content material, stealing credentials and information, and executing shell instructions. For C&C functions, the backdoor makes use of official cloud storage companies, corresponding to Dropbox or pCloud, or compromised web sites. BirdCall is normally deployed in a multistage loading chain, beginning with a Ruby or Python script, and containing parts encrypted utilizing a computer-specific key. The preliminary model of BirdCall was publicly described by South Korean distributors in 2021 as a sophisticated model of RokRAT (S2W, AhnLab).
Android model
The Android model of BirdCall, found within the assault that we describe on this blogpost, implements a subset of the instructions and capabilities of the Home windows backdoor – it collects contacts, SMS messages, name logs, paperwork, media information, and personal keys. It may possibly additionally take screenshots and file surrounding audio.
Primarily based on our analysis, Android BirdCall was actively developed over a span of a number of months. We recognized seven variations, starting from model 1.0 (created roughly in October 2024) to model 2.0 (created roughly in June 2025).
Discovery
Our investigation began with a suspicious APK file discovered on VirusTotal. Upon preliminary evaluation, we decided that the APK is malicious and incorporates a backdoor.
Apparently, the APK turned out to be a trojanized card sport known as 延边红十 (machine translation: Yanbian Purple Ten), which we traced to its official web site, https://www.sqgame[.]web. sqgame is a gaming platform tailor-made for the folks of Yanbian and hosts conventional Yanbian video games for Home windows, Android, and iOS. The gamers can compete in card and board video games (see Determine 1) with associates or be a part of organized tournaments.
Surprisingly, the APK out there for obtain on the official web site is identical because the APK we initially discovered on VirusTotal. Furthermore, a second Android sport (新画图, machine translation: New Drawing) out there for obtain from sqgame was additionally trojanized with the identical backdoor. Additional evaluation revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor.
The Home windows desktop consumer hyperlink on the sqgame web site results in a few-years-old installer that seems to be clear. It does obtain updates as soon as put in, however we didn’t establish any malicious code there throughout our evaluation.
Investigating additional in ESET telemetry, we recognized a trojanized mono.dll library, originating from an replace package deal for the desktop consumer. ESET telemetry reveals that this replace package deal had been malicious since no less than November 2024, for an unknown interval. On the time of writing, this replace package deal was now not malicious.
We additionally checked the iOS sport out there on the sqgame web site and didn’t discover any malicious code. We predict that ScarCruft skipped this platform, for the reason that trojanization and supply of the app can be rather more tough in comparison with different platforms, probably operating into Apple’s evaluation course of.
Victimology
For the reason that web site compromised on this assault is devoted to the folks of Yanbian and their conventional video games, we infer that the first targets are ethnic Koreans residing in Yanbian. Yanbian Korean Autonomous Prefecture is a area in China that borders North Korea and is dwelling to the most important ethnic Korean group exterior Korea.
On this context, we imagine that it’s possible that the assault was geared toward amassing info on people primarily based in (or originating from) the Yanbian area and deemed of curiosity to the North Korean regime – most definitely refugees or defectors.
Assault overview
Android
Two of the Android video games out there on the sqgame web site have been discovered to be trojanized to include the BirdCall backdoor. The obtain web page out there at https://www.sqgame[.]web/video games/gamedownload.aspx is proven in Determine 2, with obtain buttons for the 2 trojanized video games highlighted in pink. The third out there Android sport was clear on the time of our evaluation.
We discovered proof that the victims downloaded the trojanized video games through an internet browser on their units and possibly put in them deliberately. Now we have not discovered some other APK places. We additionally haven’t discovered the malicious APKs on the official Google Play retailer.
We have been unable to find out when the web site was first compromised and the supply-chain assault began. Nonetheless, primarily based on our evaluation of the deployed malware, we estimate that it occurred in late 2024.
Desk 1 reveals the internet hosting URLs of the 2 trojanized APK information, together with the hashes of information served on the time of discovery. On the time of writing of this blogpost, the malicious information have been nonetheless up on the sqgame web site. We notified sqgame of the compromise in December 2025, however haven’t obtained a response.
Desk 1. Malicious samples
| Time of discovery | URL | SHA‑1 | Description |
| 2025-10 | http://sqgame.com |
03E3ECE9F48CF4104AAF |
Trojanized sport with the BirdCall |
| 2025-10 | http://sqgame.com |
FC0C691DB7E2D2BD3B0B |
Trojanized sport with the BirdCall |
Home windows
Whereas the Home windows desktop consumer out there on the sqgame web site didn’t include malicious code after we analyzed it, we later recognized a trojanized mono.dll library, originating from an replace package deal of the desktop consumer hosted on the URL http://xiazai.sqgame.com[.]cn/relationship/20240429.zip. ESET telemetry reveals that this replace package deal had been malicious since no less than November 2024, for an unknown interval – however on the time of writing, this replace package deal was now not malicious.
ScarCruft took a clear mono library and patched it with further code and knowledge, containing a downloader. The downloader first checks operating processes for evaluation instruments and digital machine environments and doesn’t proceed if any are discovered. In any other case, it seems for the method of the sqgame consumer and constructs a path to the mono library in its set up folder.
Subsequent, it downloads and executes shellcode, which contained the RokRAT backdoor on the time of discovery. Lastly, the downloader terminates the consumer course of and downloads the unique clear model of the mono library, changing the trojanized one within the put in consumer folder. Each the payload and clear mono library are downloaded from official South Korean web sites that have been compromised for this objective – a typical TTP of ScarCruft.
Based on our telemetry, the RokRAT backdoor was subsequently used to obtain and set up the BirdCall backdoor on the victimized machines.
Android BirdCall evaluation
On this part, we offer a technical evaluation of the Android BirdCall backdoor – an Android port of the eponymous Home windows backdoor written in C++. Internally, the backdoor is called zhuagou, which might be translated (from Chinese language) as “catching canines”.
Trojanized Android video games
Android BirdCall is distributed through trojanized Android video games. Within the assault described on this blogpost, we imagine that ScarCruft didn’t achieve entry to the sport’s supply code, solely to the sqgame web site or net server, and as a substitute took the unique sport APKs and recompiled or repackaged them with malicious code added.
Within the trojanized APKs, the AndroidManifest.xml entry level exercise is modified and factors to the added malicious code – which, after beginning the backdoor, executes the unique entry exercise of the sport.
Within the analyzed samples, the modified entry level exercise was both com.instance.zhuagou.SplashScreen or com.mob.util.MobSs (within the newest pattern). The modifications to AndroidManifest.xml additionally embody new exercise and repair definitions for the backdoor, in addition to extra permissions required for its operation. A comparability of packages within the authentic sport and its trojanized model is proven in Determine 3.
For the reason that Android BirdCall backdoor is part of a trojanized Android app put in on the system, it doesn’t robotically begin after set up or a tool reboot; as a substitute, it depends on consumer execution.
Configuration
Android BirdCall incorporates a default configuration, which is initialized on the primary run. The configuration makes use of JSON format and is endured in a file. Subsequent runs load the prevailing configuration file, and the configuration might be modified through backdoor instructions. An instance of a formatted configuration is proven in Determine 4.
{
"bi": "E823D451D636D0A0",
"skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
"si": "20251105141404",
"rft": 20000,
"fst": true,
"kill": false,
"log": true,
"ctm": 10000,
"scr": false,
"rec": false,
"cmd": 0,
"knowledge": 1,
"bd_version": 37,
"extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
"cloud": [
{
"ct": 9,
"idx": 28,
"cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
"cst": "fa7ec5c8b050[redacted]",
"rt": "1000.a7fc479e[redacted]",
"at": "empty",
"fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
"dm": "",
"use": 0
},
[redacted]
]
}Determine 4. Android BirdCall configuration instance
The bd_version configuration entry encodes the model of the backdoor, saved as MAJOR << 5 | MINOR, so worth 37 is the same as model 1.5.
The endured configuration file is saved within the knowledge listing of the app and has a device-specific path. Moreover, through the configuration initialization, the default configuration of cloud storage drives hardcoded within the pattern might be overridden by an exterior supply. If out there, the backdoor downloads a JPG picture that incorporates an encrypted cloud configuration embedded in its overlay. The picture is normally hosted on a compromised South Korean web site.
C&C communication
Android BirdCall makes use of cloud storage drives for C&C communication, much like the Home windows model. Within the analyzed samples, three cloud suppliers are supported: pCloud, Yandex Disk, and Zoho WorkDrive, though solely Zoho WorkDrive is used. The backdoor communicates through HTTPS, sending requests to API endpoints of the respective supplier utilizing the okhttp3 library.
Throughout our analysis, we noticed 12 Zoho WorkDrive drives utilized by the Android BirdCall backdoor for C&C functions. Particulars of the related accounts are proven in Desk 2.
Desk 2. Android BirdCall Zoho WorkDrive accounts
| client_id | display_name | electronic mail |
| 1000.AJUEYDUIQQ5G |
tomasalfred37 | tomasalfred37@zohomail[.]com |
| 1000.INXKBHQ3698C |
kalimaxim279 | kalimaxim279@zohomail[.]com |
| 1000.FYRJ46E75TUY |
Smith Bentley | smithbentley0617@zohomail[.]com |
| 1000.8QU6D2LJZ3RC |
Mic haelLarrow19 | michaellarrow19@zohomail[.]com |
| 1000.NT1QEE7V73IH |
dsf sdf | amandakurth94@zohomail[.]com |
| 1000.SKXUYYKYL06F |
dsf sdf | rexmedina89@zohomail[.]com |
| 1000.7BMBOS8GV1ZR |
dsf dsf | alishaross751@zohomail[.]com |
| 1000.V0J0QN7SJ2N7 |
sdf sdf | jamesdeeds385@zohomail[.]com |
| 1000.2IGB56IS1FHQ |
asdf sdaf | joyceluke505@zohomail[.]com |
| 1000.W4V2XMB83C6V |
dfsd sdf | marjoriemiller280@zohomail[.]com |
| 1000.LIUBF67S89H0 |
Invoice Jackson | teresadaniels200@zohomail[.]com |
| 1000.8BLOFSFU4WOF |
Zoe Jack | michaelgiesen62@zohomail[.]com |
Capabilities
Android BirdCall options an replace mechanism: a more recent model might be loaded from an replace file, which is anticipated to be within the type of an APK within the app knowledge listing, and its obtain is triggered through the command MP_SEND_FILE.
After the optionally available replace process, the unique sport exercise is began, so as to not elevate suspicion. Then the backdoor checks and waits for an web connection, earlier than continuing to its primary operation.
Information assortment
On the primary run, the backdoor collects a full listing itemizing of the machine’s major shared exterior storage, and consumer knowledge consisting of contact checklist, name log, and SMS messages.
The backdoor periodically checks in with the C&C and uploads fundamental info, which consists of:
- identifier values from configuration and present time,
- battery temperature, RAM and storage info, cloud configuration, backdoor model, and file extensions of curiosity,
- IP geolocation info from https://ipinfo[.]io/json, and
- on the primary run, extra details about the machine, community, and the applying is included:
○ model, mannequin, OS, kernel, and rooted standing,
○ IMEI quantity, IP tackle, MAC tackle, and community sort, and
○ utility package deal and permissions.
The backdoor can periodically take screenshots (scr flag). In some variations, we noticed the strategy of taking part in a silent MP3 file in a loop whereas taking screenshots, which is used to stop the trojanized app from being suspended whereas operating within the background.
In among the variations, the backdoor can file audio through the microphone and snoop on the environment of the compromised machine. Unusually, even when the recording is enabled (rec flag), it’s restricted to a three-hour time interval within the night, from 7 pm to 10 pm native time.
The backdoor periodically searches the shared exterior storage for information with extensions of curiosity (extentions) and phases them for exfiltration. Within the samples we analyzed, exfiltration was geared toward media information, paperwork, and personal keys: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12.
Instructions
Android BirdCall periodically checks the cloud storage drive for instructions issued for the sufferer. Decrypted instructions begin with the magic DWORD 0x2A7B4C33, and this worth matches the Home windows model of BirdCall. The instructions have zero or extra parameters, relying on their sort. Desk 3 reveals an summary of the supported instructions with their descriptions for each platforms.
The Android model of the backdoor implements solely a subset of instructions out there within the Home windows model.
Desk 3. BirdCall backdoor instructions
| Sort | Title | Android description | Home windows description |
| 0x48 | MP_SET_FILESEARCH_EXTENTION | Units file extensions of curiosity within the configuration. | |
| 0x49 | MP_SET_THREADS | Toggles screenshot taking and voice recording. | Consists of extra capabilities corresponding to clipboard stealing and keylogging. |
| 0x4A | MP_SET_CLOUD | Units cloud API credentials within the configuration. | |
| 0x4B | MP_SET_REGISTER_FILE_CONTROL | N/A | Modifies filter used throughout file search. |
| 0x4C | MP_SET_MODE | Toggles assortment of the backdoor execution logs. | Toggles varied collection-related flags. |
| 0x4D | MP_ACTION_KILLME | Disables the backdoor. The unique sport continues working. | Uninstalls the backdoor and exits. |
| 0x4E | MP_ACTION_KILLPROCESS | N/A | Makes use of the taskkill utility to kill a course of. |
| 0x4F | MP_ACTION_FILE_OR_DIRECTORY | Helps add of a specified file or listing. | Helps a number of file and listing operations: delete, rename, open, and add. |
| 0x50 | MP_ACTION_DOWNLOAD_COMMAND | N/A | Downloads and executes instructions from a URL or cloud drive. |
| 0x51 | MP_ACTION_RESET_WORKDIRECTORIES | N/A | Can delete working directories utilized by the backdoor. |
| 0x52 | MP_ACTION_EXECUTE_SIMPLE_COMMAND | N/A | Can restart the backdoor and execute a command through cmd.exe. |
| 0x53 | MP_ACTIONS_MORE | N/A | Can carry out three operations: · Delete endured configuration. · Allow macros in Phrase (Microsoft and Hancom Workplace). · Restart the backdoor. |
| 0x54 | MP_ACTION_SHELL | N/A | Begins shell (primarily based on WCMD). |
| 0x55 | MP_ACTION_WEBSCAN | N/A | Performs HTTP scan of specified hosts/ports. |
| 0x56 | MP_GET_DATA | Can receive: · contacts, name logs, and SMS messages, · full listing itemizing of the first shared exterior storage, and · fundamental info. |
Can receive: · backdoor configuration and varied system info, · credentials from browsers and different software program, · information from IM apps – KakaoTalk, WeChat, and Sign, · digital camera pictures, and · listing itemizing. |
| 0x57 | MP_GET_TREES | Retrieves listing itemizing. | |
| 0x59 | MP_SEND_FILE | Helps backdoor updating. | Helps dropping of a file to a specified location, dropping and execution of extra executables, and updating of the backdoor. |
| 0x5A | MP_SEND_SHELL | N/A | Executes shell instructions. |
| 0x5C | MP_SET_PROXY | N/A | Connects to a specified |
A dump containing the Home windows model of BirdCall that intently resembles the one we noticed on this assault and options all of the instructions listed above might be discovered on VirusTotal with SHA‑1 B06110E0FEB7592872E380B7E3B8F77D80DD1108. The pattern was uploaded from China on July 15th, 2024.
Conclusion
Now we have uncovered a multiplatform supply-chain assault focusing on the Yanbian area via a compromised online game platform. Analyzing the trojanized Android video games on the platform, we found a brand new device in ScarCruft’s arsenal – an Android model of the group’s BirdCall backdoor. The Android backdoor has seen energetic growth, and offers surveillance capabilities, corresponding to assortment of private knowledge and paperwork, taking screenshots, and making voice recordings.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis presents personal APT intelligence experiences and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
A complete checklist of indicators of compromise (IoCs) and samples might be present in our GitHub repository.
Recordsdata
| SHA-1 | Filename | Detection | Description |
| 01A33066FBC6253304C9 |
sqybhs.apk | Android/Spy.Agent.EXM | Trojanized sport with Android BirdCall model 2.0. |
| 03E3ECE9F48CF4104AAF |
ybht.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.3. |
| 2B81F78EC4C3F8D6CF8F |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.5. |
| 59A9B9D47AE36411B277 |
ybht.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.0. |
| 7356D7868C81499FB4E7 |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.0. |
| FC0C691DB7E2D2BD3B0B |
sqybhs.apk | Android/Spy.Agent.EGE | Trojanized sport with Android BirdCall model 1.5. |
| 95BDB94F6767A3CCE6D9 |
mono.dll | Win32/TrojanDownloader |
Trojanized mono library. |
| 409C5ACAED587F62F7E2 |
N/A | Win32/TrojanDownloader |
Downloader resulting in the RokRAT backdoor. |
| B06110E0FEB7592872E3 |
N/A | Win64/Agent.EGN | Publicly out there dump of Home windows BirdCall backdoor. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| 39.106.249[.]68 | sqgame.com[.]cn | Hangzhou Alibaba Promoting Co.,Ltd. | 2024‑06‑01 | Compromised sqgame web site internet hosting trojanized video games and malicious updates. |
| 211.239.117[.]117 | 1980food.co[.]kr | Hostway IDC | 2025‑03‑07 | Compromised South Korean web site used to host Android BirdCall configuration. |
| 114.108.128[.]157 | inodea[.]com | LG DACOM Company | 2025‑07‑03 | Compromised South Korean web site used to host Android BirdCall configuration. |
| 221.143.43[.]214 | www.lawwell.co[.]kr | SK Broadband Co Ltd | 2024‑11‑04 | Compromised South Korean web site used to host shellcode and clear mono library. |
| 222.231.2[.]20 | colorncopy.co[.]kr swr.co[.]kr |
LG DACOM Company | 2025‑03‑18 | Compromised South Korean web site used to host shellcode. |
| 222.231.2[.]23 | sejonghaeun[.]com | IP Supervisor | 2025‑03‑18 | Compromised South Korean web site used to host clear mono library. |
| 222.231.2[.]41 | cndsoft.co[.]kr | IP Supervisor | 2025‑03‑18 | Compromised South Korean web site used to host shellcode. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 18 of the MITRE ATT&CK Enterprise framework.
| Tactic | ID | Title | Description |
| Useful resource Improvement | T1584.004 | Compromise Infrastructure: Server | ScarCruft compromised South Korean web sites to host payloads and configurations. ScarCruft compromised the sqgame web site to carry out a supply-chain assault. |
| T1585.003 | Set up Accounts: Cloud Accounts | ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&C functions. | |
| T1587.001 | Develop Capabilities: Malware | ScarCruft developed the Android model of the BirdCall backdoor. | |
| T1608.001 | Stage Capabilities: Add Malware | ScarCruft uploaded trojanized video games to the compromised sqgame web site. | |
| Preliminary Entry | T1195.002 | Provide Chain Compromise: Compromise Software program Provide Chain | ScarCruft compromised an sqgame replace server to distribute malicious updates. |
| Execution | T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | BirdCall can execute shell instructions. |
| Protection Evasion | T1027.013 | Obfuscated Recordsdata or Info: Encrypted/Encoded File | BirdCall has encrypted strings and loading chain parts. The trojanized mono library incorporates encrypted shellcode. |
| T1070.004 | Indicator Removing: File Deletion | The trojanized mono library is changed with a clear one. | |
| T1112 | Modify Registry | BirdCall can modify settings of phrase processors to allow macros. | |
| T1140 | Deobfuscate/Decode Recordsdata or Info | BirdCall decrypts strings and loading chain parts. | |
| T1480.001 | Execution Guardrails: Environmental Keying | BirdCall’s loading chain has parts encrypted with a computer-specific key. | |
| T1497 | Virtualization/Sandbox Evasion | The downloader within the trojanized mono library checks for evaluation instruments and digital machine environments. | |
| Credential Entry | T1555 | Credentials from Password Shops | BirdCall can receive saved passwords from browsers and different software program. |
| Discovery | T1046 | Community Service Discovery | BirdCall can scan a spread of IPs and ports with an HTTP GET request. |
| T1082 | System Info Discovery | BirdCall can receive varied system info. | |
| T1083 | File and Listing Discovery | BirdCall can receive details about drives and directories. | |
| Assortment | T1005 | Information from Native System | BirdCall can accumulate consumer information from IM shoppers KakaoTalk, WeChat, and Sign. |
| T1056.001 | Enter Seize: Keylogging | BirdCall can log keystrokes. | |
| T1113 | Display Seize | BirdCall can seize screenshots. | |
| T1115 | Clipboard Information | BirdCall can accumulate clipboard contents. | |
| T1119 | Automated Assortment | BirdCall can periodically accumulate information with sure extensions from native and detachable drives. | |
| T1125 | Video Seize | BirdCall can seize a webcam photograph. | |
| T1560 | Archive Collected Information | BirdCall compresses and encrypts collected knowledge earlier than exfiltration. | |
| Command and Management | T1071.001 | Utility Layer Protocol: Net Protocols | BirdCall makes use of HTTP to speak with cloud storage companies. |
| T1090 | Proxy | BirdCall can act as a proxy. | |
| T1102.002 | Net Service: Bidirectional Communication | BirdCall communicates with cloud storage companies to obtain instructions and exfiltrate knowledge. | |
| Exfiltration | T1020 | Automated Exfiltration | BirdCall periodically exfiltrates collected knowledge. |
| T1041 | Exfiltration Over C2 Channel | BirdCall exfiltrates knowledge to its C&C server. | |
| T1567.002 | Exfiltration Over Net Service: Exfiltration to Cloud Storage | BirdCall exfiltrates knowledge to cloud storage companies. |
This desk was constructed utilizing model 18 of the MITRE ATT&CK Cell framework.
| Tactic | ID | Title | Description |
| Preliminary Entry | T1474.003 | Provide Chain Compromise: Compromise Software program Provide Chain | ScarCruft carried out a supply-chain assault, compromising the sqgame web site, to distribute trojanized video games containing the Android BirdCall backdoor. |
| Protection Evasion | T1406 | Obfuscated Recordsdata or Info | Model 2.0 of the Android BirdCall backdoor is obfuscated. |
| T1407 | Obtain New Code at Runtime | The Android BirdCall backdoor can obtain and cargo newer variations of itself. | |
| T1541 | Foreground Persistence | Android BirdCall makes use of the startForeground API to take screenshots whereas within the background. | |
| Discovery | T1420 | File and Listing Discovery | Android BirdCall creates a listing itemizing and searches for information with specified extensions. |
| T1422 | Native Community Configuration Discovery | Android BirdCall obtains the machine’s IMEI, IP tackle, and MAC tackle. | |
| T1426 | System Info Discovery | Android BirdCall obtains system info of the compromised machine together with model, mannequin, OS model, kernel model, rooted standing, battery temperature, RAM, and storage info. | |
| Assortment | T1532 | Archive Collected Information | Android BirdCall compresses and encrypts collected knowledge. |
| T1429 | Audio Seize | Android BirdCall can file voice utilizing the microphone. | |
| T1430 | Location Monitoring | Android BirdCall obtains approximate machine location utilizing the ipinfo[.]io service. | |
| T1513 | Display Seize | Android BirdCall can take screenshots. | |
| T1533 | Information from Native System | Android BirdCall collects native information with the next extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12. | |
| T1636.002 | Protected Consumer Information: Name Log | Android BirdCall collects the decision log. | |
| T1636.003 | Protected Consumer Information: Contact Listing | Android BirdCall collects the contact checklist. | |
| T1636.004 | Protected Consumer Information: SMS Messages | Android BirdCall collects SMS messages. | |
| Command and Management | T1437.001 | Utility Layer Protocol: Net Protocols | Android BirdCall communicates with the C&C cloud storage drive utilizing HTTPS. |
| T1481.002 | Net Service: Bidirectional Communication | Android BirdCall makes use of a Zoho WorkDrive service cloud storage drive for C&C functions. | |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Android BirdCall makes use of the C&C channel for knowledge exfiltration. |
