BirdCall

BirdCall is a North Korea-linked backdoor family attributed by ESET to ScarCruft, also tracked as APT37, Reaper, and Ricochet Chollima. It was previously known as a Windows backdoor and was publicly linked to ScarCruft in 2021; ESET later documented a new Android variant used in a multiplatform supply-chain attack against the sqgame gaming platform serving ethnic Koreans in China’s Yanbian region. The campaign was assessed as likely active since late 2024 and appears espionage-focused, likely targeting ethnic Koreans in Yanbian, including North Korean refugees or defectors.

In the sqgame compromise, attackers appear to have accessed the platform’s web server and repackaged legitimate Android game APKs rather than compromising source code. Two Android games distributed from sqgame were trojanized with BirdCall, and victims typically sideloaded the apps via a web browser rather than Google Play. ESET identified seven Android BirdCall versions, ranging from version 1.0 around October 2024 to version 2.0 around June 2025. The Android implant executed silently in the background before returning control to the legitimate game.

The Android BirdCall variant functions as spyware/backdoor malware. Reported capabilities include collecting contacts, SMS messages, call logs, media files, documents, private keys, directory listings of shared storage, and device/network metadata such as brand, model, OS, kernel, rooted status, IMEI, IP address, MAC address, geolocation, RAM, storage, permissions, battery temperature, and backdoor version. It can take screenshots, exfiltrate files from targeted directories, and record ambient audio via the microphone; some samples activated microphone recording between 7 PM and 10 PM local time. Reported targeted file extensions include .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12. One report also states the Android variant plays a silent MP3 in a loop to avoid process suspension.

BirdCall’s Android command-and-control was designed to blend with normal traffic and supports cloud services including pCloud, Yandex Disk, and Zoho WorkDrive; ESET observed Zoho WorkDrive used in this campaign, including 12 separate Zoho WorkDrive instances/accounts and HTTPS communications with hardcoded credentials. The malware stores a local JSON configuration and can override hardcoded cloud settings by downloading an encrypted configuration hidden in a JPG image.

BirdCall also has a Windows variant associated with ScarCruft. Reported Windows capabilities include screenshot capture, keystroke logging, clipboard theft, credential theft, file theft, shell command execution, and general data gathering; some reporting describes it as an evolution of RokRAT. In the sqgame campaign, the Windows infection chain used a trojanized mono.dll in an update package, which acted as a downloader, checked for analysis tools and virtual environments, fetched shellcode from compromised South Korean websites, installed RokRAT, and then deployed BirdCall. The malicious Windows update had been active since at least November 2024 before later being cleaned up.

Known Android sample/file details from ESET IoCs include trojanized sqybhs.apk and ybht.apk samples detected as Android/Spy.Agent.EGE or Android/Spy.Agent.EXM, with SHA-1 values 59A9B9D47AE36411B277544F25AD2CC955D8DD2C, 7356D7868C81499FB4E720F7C9530E5763B4C1D0, 2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF, FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9, 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF, and 01A33066FBC6253304C92760916329ABD50C3191. A Windows BirdCall sample was listed as SHA-1 B06110E0FEB7592872E380B7E3B8F77D80DD1108, detected as Win64/Agent.EGN. Related infrastructure in the IoC set includes URLs such as http://www.lawwell[.]co.kr/upload/me.jpg, http://cndsoft[.]co.kr/jbcgi/zmSpamFree/Fonts/me.jpg, http://colorncopy[.]co.kr/ino/FileUpload/Online/004313.jpg, http://sejonghaeun[.]com/board/data/notice/1458796029/passenger_logo.jpg, http://www.lawwell[.]co.kr/img/bgcontrol.jpg, http://swr.co[.]kr/html/favicon.jpg, http://1980food.co[.]kr/board/userfiles/202387463_editor_image.jpg, and http://www.inodea[.]com/inobbs/data/ibd00_board2/11.jpg.