Overview
- ESET, in research published Tuesday, attributed the compromise of sqgame[.]net to North Korea-linked ScarCruft and said the trojanized Android games were still downloadable while the Windows update path had been disabled.
- ESET said it notified the platform in December 2025 and received no response, leaving users at risk at the time of publication.
- The Android backdoor, a new port of BirdCall, steals contacts, texts, call logs and documents, takes screenshots, and records audio only from 7 p.m. to 10 p.m. local time, sending data to command servers on Zoho WorkDrive.
- Attackers repackaged the Yanbian Red Ten and New Drawing APKs by redirecting the app entry point to the backdoor before launching the real game, with no Google Play copies and the iOS title left untouched.
- On Windows, a malicious update patched mono.dll to pull RokRAT from compromised South Korean sites and then install BirdCall, after which a clean DLL replaced the altered file to hide the tampering.