# APT37 Hackers Target Gamers with Android BirdCall Spyware via Supply Chain Attack
The North Korean hacking group **APT37**, also known as **ScarCruft**, is deploying an Android version of its **BirdCall** backdoor through a supply chain attack targeting a Chinese video game platform. This new variant doubles as spyware and targets Koreans in the Yanbian region of China, an area frequented by North Korean defectors.

**APT37** has been actively distributing a previously undocumented Android version of the **BirdCall** backdoor, leveraging a compromised video game platform to deliver the malware. This campaign highlights the group's evolving tactics and their focus on mobile platforms for espionage.
### Compromised Game Platform
According to researchers at **ESET**, the observed attacks delivered the malware through `sqgame[.]net`, a Chinese site hosting games for Android, iOS, and Windows. The researchers determined that **ScarCruft** is specifically targeting Android and Windows users.
The platform is popular among Koreans in the autonomous Yanbian region in China, a known crossing point for North Korean defectors and refugees.
**Games on the compromised platform** *(Source: ESET)*
### BirdCall Spyware Capabilities
**BirdCall** is a known malware family associated with **ScarCruft** since 2021. The Windows version is capable of keylogging, screen capturing, clipboard theft, file exfiltration, and command execution.
**Trojanized version (right) vs clean APK (left)** *(Source: ESET)*

The Android variant of **BirdCall**, discovered by **ESET**, possesses a range of intrusive capabilities:
* Extracts IP geolocation information
* Collects contact list, call log, and SMS messages
* Collects device OS, kernel, rooted status, IMEI number, MAC address, IP address, and network info
* Sends information to the C2 server about battery temperature, RAM, storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12)
* Periodically takes screenshots
* Records audio via the microphone from 7 pm to 10 pm local time
* Plays a silent MP3 in a loop to prevent the suspension of its process
* Exfiltrates files from a specified directory
According to **ESET's** analysis, the Android version of **BirdCall** is not as feature-rich as its Windows counterpart. Missing capabilities include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion, dropping, and process killing.
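The "trojanized vs clean APK" comparison and the capability list above suggest two checks a defender can run on a game APK obtained from a third-party site. The script below is an added example, not code from ESET or from the article: because an APK is a ZIP archive, a per-entry hash comparison against a known-clean build reveals what a repackaging added or replaced (extra DEX code, a bundled audio asset, a rewritten manifest), and a permission review flags requests that match the data-collection capabilities listed (contacts, call log, SMS, microphone, storage). The sample archives and permission lists are constructed in memory with placeholder contents; the set of "spyware-relevant" permissions is this example's own assumption about what a game does not need, and the `aapt dump permissions` command mentioned in the comments is how a reviewer would obtain the list from a real file.

```python
"""Added example: triage a suspect APK against a known-clean build (not the
report's or the article's code). Sample archives below are constructed."""
import hashlib
import io
import zipfile

# Permissions that map to the data-collection capabilities listed above.
# Assumption of this example: a game has no legitimate need for these.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}


def _entry_hashes(apk_bytes):
    """Map each archive entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def diff_apk_entries(clean_apk, suspect_apk):
    """Return (added, removed, modified) entry names, each sorted."""
    clean, suspect = _entry_hashes(clean_apk), _entry_hashes(suspect_apk)
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    modified = sorted(n for n in set(clean) & set(suspect) if clean[n] != suspect[n])
    return added, removed, modified


def flag_spyware_permissions(requested):
    """Return the requested permissions that fall in the spyware-relevant set."""
    return sorted(set(requested) & SPYWARE_PERMISSIONS)


def build_sample_apk(entries):
    """Constructed sample: build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed clean build and a repackaged copy that adds code and an asset.
# File contents are placeholders, not real DEX or manifest bytes.
CLEAN_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest-placeholder permissions=INTERNET>",
    "classes.dex": b"dex-placeholder-game-code",
    "res/layout/main.xml": b"<layout/>",
})
SUSPECT_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest-placeholder permissions=INTERNET,READ_SMS,RECORD_AUDIO>",
    "classes.dex": b"dex-placeholder-game-code",
    "classes2.dex": b"dex-placeholder-injected-code",
    "assets/silence.mp3": b"mp3-placeholder",
    "res/layout/main.xml": b"<layout/>",
})

# Permission lists as a reviewer would get them from the decoded manifests
# (constructed here; on a real file, e.g. `aapt dump permissions app.apk`).
CLEAN_PERMS = ["android.permission.INTERNET"]
SUSPECT_PERMS = [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.FOREGROUND_SERVICE",
]


def triage_report(clean_apk, suspect_apk, suspect_perms):
    """Combine both checks into one verdict for the suspect build."""
    added, removed, modified = diff_apk_entries(clean_apk, suspect_apk)
    flagged = flag_spyware_permissions(suspect_perms)
    return {
        "added": added, "removed": removed, "modified": modified,
        "flagged_permissions": flagged,
        # Repackaged content plus spyware-class permissions is the signal.
        "suspicious": bool(added or modified) and bool(flagged),
    }


if __name__ == "__main__":
    for key, value in triage_report(CLEAN_APK, SUSPECT_APK, SUSPECT_PERMS).items():
        print(f"{key}: {value}")
```

On a real download, the clean reference is the publisher's own release (or the Play Store copy), and the entry diff is only meaningful when the two builds share a version; a clean update will also show modified entries, so the permission delta is what separates a routine update from a repackaging.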
On Windows systems, the infection chain involves a trojanized DLL (**mono.dll**) that downloads and executes **RokRAT**, which then deploys the Windows version of **BirdCall**.
**ScarCruft** is known for its diverse malware arsenal, including **THUMBSBD** (targeting air-gapped systems), **KoSpy** (Android spyware), **M2RAT** (used in espionage), and **Dolphin** (mobile backdoor).
To mitigate the risk of infection, users should download software exclusively from official marketplaces and trusted publisher sites.