ESET research uncovered a multiplatform supply-chain attack by the 🇰🇵 ScarCruft APT group targeting the Yanbian region.

Khushal

Apr 4, 2024
Key points of this blogpost:
North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.
The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.
Android games available on the gaming platform were trojanized to contain the Android version of the BirdCall backdoor – a new tool in ScarCruft’s arsenal.
The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.

This is a notable supply-chain case because the initial compromise was not a fake installer or a phishing lure, but a legitimate gaming platform distributing malicious updates.

What stands out

  • The Windows client compromise is especially significant because users may have trusted the update process itself.
  • Using both RokRAT and then BirdCall suggests a staged intrusion, with the attackers separating initial access from longer-term espionage activity.
  • The Android angle makes the campaign more interesting, since trojanized game packages on the same platform expand the victim pool beyond Windows systems.
  • The targeting also appears focused rather than broad, which is consistent with espionage-motivated activity instead of ordinary cybercrime.

Why supply-chain attacks are difficult to detect

  • The software may appear legitimate because it comes from a real vendor or platform.
  • Users often allow updater traffic through firewalls and security prompts.
  • Code signing, branding, and normal update behavior can reduce suspicion.
  • Traditional antivirus can miss early-stage or narrowly targeted malware, especially if the payload is selectively delivered.

Practical takeaway

For users, this is a reminder that "official source" does not always mean "safe."

For defenders, the best response is layered monitoring rather than relying only on reputation:

  • Watch for unusual child processes spawned by game launchers or updaters.
  • Monitor outbound connections from software that normally should not handle sensitive data.
  • Check for unexpected microphone, screenshot, or document-access behavior.
  • Restrict software installation and updates where possible through application control.
  • Review EDR or antivirus alerts for persistence mechanisms added after an update.
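As an added example (not code from the ESET report or from the post above), a small Python triage script that applies the first two bullets to Sysmon-style telemetry: it flags unexpected child processes of a game launcher/updater and updater connections outside its known update endpoint. The launcher paths, update hostname, event fields and sample events are constructed placeholders, not values from the report.

```python
import os
# Hypothetical baseline for one game client; paths, hostnames and ports are
# placeholders, not values from the ESET report.
UPDATER_IMAGES = {r"c:\games\launcher\launcher.exe", r"c:\games\launcher\updater.exe"}
EXPECTED_CHILDREN = {"launcher.exe", "updater.exe", "game.exe"}
EXPECTED_DESTINATIONS = {("update.example-games.invalid", 443)}
# Interpreters and proxy-execution binaries a game updater has no reason to spawn.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}

def _base(path):  # case-insensitive basename that also accepts Windows-style paths
    return os.path.basename(path.replace("\\", "/")).lower()

def check_process(ev):
    """Sysmon ProcessCreate: flag children of the launcher/updater outside its baseline."""
    if ev["ParentImage"].lower() not in UPDATER_IMAGES:
        return None
    child = _base(ev["Image"])
    if child in EXPECTED_CHILDREN:
        return None
    severity = "high" if child in LOLBINS else "medium"
    return (severity, "updater-unexpected-child", f"{_base(ev['ParentImage'])} spawned {child}: {ev['CommandLine']}")

def check_network(ev):
    """Sysmon NetworkConnect: flag updater traffic outside the known update endpoint."""
    if ev["Image"].lower() not in UPDATER_IMAGES:
        return None
    dest = (ev["DestinationHostname"], ev["DestinationPort"])
    if dest in EXPECTED_DESTINATIONS:
        return None
    return ("medium", "updater-unexpected-destination", f"{_base(ev['Image'])} -> {dest[0]}:{dest[1]}")

CHECKS = {1: check_process, 3: check_network}  # Sysmon event IDs for the two checks
def triage(events):
    """Return (severity, rule, detail) findings in log order; other event types are skipped."""
    findings = []
    for ev in events:
        finding = CHECKS.get(ev["EventID"], lambda _: None)(ev)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample telemetry (Sysmon-style fields), not from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Games\Launcher\launcher.exe", "Image": r"C:\Games\Launcher\updater.exe", "CommandLine": "updater.exe --check"},
    {"EventID": 3, "Image": r"C:\Games\Launcher\updater.exe", "DestinationHostname": "update.example-games.invalid", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": r"C:\Games\Launcher\updater.exe", "Image": r"C:\Games\Launcher\game.exe", "CommandLine": "game.exe"},
    {"EventID": 1, "ParentImage": r"C:\Games\Launcher\updater.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -w hidden -enc <placeholder>"},
    {"EventID": 3, "Image": r"C:\Games\Launcher\updater.exe", "DestinationHostname": "203.0.113.7", "DestinationPort": 8080},
]
```

Running `triage(SAMPLE_EVENTS)` yields two findings: the PowerShell child of the updater (high) and the connection to an unknown host and port (medium); the routine update check and the expected game launch are not flagged.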

For anyone who may have used that platform

Safe next steps would be:

  • Run a scan with a reputable security product.
  • Check the ESET report and any vendor advisories for indicators of compromise.
  • Review installed game client versions and update dates.
  • If compromise is suspected, isolate the device and investigate before continuing normal use.

Overall, the report fits a classic modern espionage pattern: trusted distribution channel, selective deployment, and surveillance-focused payloads. The main lesson is that supply-chain trust must always be verified with monitoring and not assumed.