North Korea-linked ScarCruft has compromised a video gaming platform in a supply chain attack, injecting malware called BirdCall into its software distribution channels. The trojanized components target both Android and Windows systems, marking a significant expansion from the backdoor's previous Windows-only scope.
BirdCall operates as a remote access tool, granting attackers command execution and data exfiltration capabilities on infected devices. Security researchers assess that the operation targets ethnic Koreans in China, leveraging the gaming platform's user base to reach this specific demographic. ScarCruft, also tracked as Blackberry, has conducted similar supply chain campaigns since at least 2013, focusing on software development tools and legitimate applications to infiltrate targets across multiple countries.
The attack demonstrates how state-sponsored actors exploit trusted distribution channels to bypass traditional endpoint defenses. Users who downloaded the compromised gaming application versions receive BirdCall alongside legitimate functionality, creating persistent infection vectors. The malware's dual-platform support indicates ScarCruft's investment in cross-device persistence strategies, allowing attackers to maintain access across victims' personal and work devices.
Organizations and individuals face multiple risks from this campaign. Direct users of the affected gaming platform face device compromise and potential surveillance. Organizations with employees in affected regions should assume potential lateral movement from compromised personal devices to corporate networks. The supply chain angle presents particular concern for software vendors and gaming studios, as ScarCruft's tactics demonstrate willingness to maintain access within development pipelines for extended periods.
Security teams should prioritize identifying and isolating affected gaming platform installations. Endpoint detection tools should focus on BirdCall's command execution patterns and on outbound communications to the command-and-control infrastructure identified for it. Users in affected regions require immediate notification and remediation guidance. The campaign underscores the persistent threat that state-sponsored actors pose through supply chain manipulation, particularly when targeting specific geographic or ethnic populations.
