ScarCruft Hits Gaming Platform Supply Chain to Drop BirdCall
Any platform lead shipping a native gaming client in the next two quarters needs to internalize one number from this incident: seven versions of an Android backdoor, the earliest dating to October 2024, sat inside a live gaming distribution channel for roughly twenty months before public disclosure. That is the dwell time the industry is now underwriting when it ships APKs from its own infrastructure. The economics of native distribution just got more expensive, and the people who pay for it are not the security team.
The Numbers
The campaign, as The Hacker News reported, was discovered by Slovakian vendor ESET in October 2025 and attributed to ScarCruft, a North Korea-aligned state-sponsored group. The target was sqgame[.]net, a niche gaming portal serving ethnic Koreans in the Yanbian region of China, a corridor bordering North Korea and Russia and a known transit point for defectors crossing the Tumen River. The geopolitical specificity matters because it tells you why a small platform with a narrow audience is worth a multi-platform implant chain.
The technical footprint: two trojanized Android APKs (ybht.apk and sqybhs.apk) served from altered download pages, plus a trojanized Windows DLL pushed through the desktop client's update package since at least November 2024. iOS games on the same platform were left untouched. The Windows update is no longer malicious at time of reporting, but the Android APKs were still live when ESET's Filip Jurčacko spoke to reporters. Read that again: the cleanup is partial, and the operator either does not know or cannot remediate.
BirdCall itself is described as an advanced evolution of RokRAT, whose Windows variants have been in the wild since 2021. The same lineage has spawned CloudMensis on macOS and RambleOn on Android, so this is a malware family with five years of active maintenance behind it. The Windows chain checks for analysis tools and VM environments before downloading shellcode that loads RokRAT, which then fetches BirdCall. Components are encrypted with a computer-specific key and the loader starts from a Ruby or Python script. The Android variant collects contacts, SMS, call logs, media, documents, screenshots, and ambient audio, and beacons to pCloud, Yandex Disk, and Zoho WorkDrive for C2. The Windows variant uses Dropbox and pCloud. None of these are exotic infrastructure choices, which is precisely the point. They blend with legitimate traffic patterns no DLP product is going to flag at an operator with a normal SaaS footprint.
For context: ESET found seven distinct Android versions in the lineage. That is not opportunistic crimeware; that is a product team.
What's Actually New
Two things are genuinely new here, and only one of them is the malware. The interesting shift is that ScarCruft, historically a Windows-centric actor, used a supply chain compromise specifically to bridge into Android. Prior BirdCall versions targeted Windows users. The sqgame[.]net intrusion is what gave them an Android distribution channel, and they only poisoned the APKs, not the iOS builds. That tells you the operator's distribution architecture was the constraint, not the malware authors' capability. They went where the unsigned, side-loaded install flow lived.
This pattern should sound familiar to any iGaming Head of Platform who has wrestled with the Google Play policy minefield around real-money gaming. Operators in jurisdictions where Play Store distribution is restricted or impractical end up running their own APK distribution off their domain, often with custom updater logic that bypasses Play Protect entirely. That is structurally the same delivery pipe ScarCruft just abused. The threat model for a Yanbian-themed games portal and the threat model for a Tier-2 sportsbook pushing APKs to players in restricted markets are closer than most boards realize.
The second new element is the dwell time problem made concrete. The Windows trojanized DLL went live around November 2024 and was caught roughly eleven months later. The Android APKs are still live. If you are running a build pipeline where a single compromised signing key, build agent, or CDN origin can push a poisoned binary to every installed client, you have inherited the same risk surface, and you almost certainly have not run a tabletop exercise on a twenty-month detection window. Most operators I see budget incident response on the assumption of a thirty to ninety day window. The numbers in this campaign do not support that assumption.
What is not new: the C2 choice. Cloud storage abuse for exfiltration has been standard tradecraft for years. Zoho WorkDrive is the only mildly interesting tell because, per ESET, it has become an increasingly common presence across ScarCruft campaigns. If your egress allow-lists include Zoho by default because someone in finance uses it, that is now a recurring blind spot.
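As an added example (not code from the article or from ESET), here is the allow-list audit that paragraph calls for, run over constructed proxy log lines: it maps destinations to the four cloud-storage providers BirdCall is reported to use and flags any connection from a group the policy does not expect to talk to that provider. The domain suffixes, group names, log format and host names are assumptions, not values from the report.

```python
import re
from collections import Counter

# Providers reported as BirdCall C2 (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive).
# Domain suffixes are assumptions: confirm them against your own proxy data.
PROVIDER_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "pcloud.com": "pCloud",
    "yandex.net": "Yandex Disk",
    "zoho.com": "Zoho WorkDrive",
}

# Groups expected to use each provider (assumed policy). A provider with no
# entry should never see egress, so every connection to it is a finding.
EXPECTED_GROUPS = {"Dropbox": {"marketing"}, "Zoho WorkDrive": {"finance"}}

# Constructed proxy log: timestamp, source host, directory group, user agent,
# destination. Note the build agent polling pCloud every five minutes.
SAMPLE_LOG = """\
2025-10-03T09:12:01Z fin-ws-07 finance Zoho-Desktop/2.1 workdrive.zoho.com
2025-10-03T09:12:44Z mkt-ws-02 marketing Dropbox-Desktop/200 api.dropboxapi.com
2025-10-03T09:13:10Z build-agent-03 engineering python-requests/2.31 api.pcloud.com
2025-10-03T09:18:10Z build-agent-03 engineering python-requests/2.31 api.pcloud.com
2025-10-03T09:23:10Z build-agent-03 engineering python-requests/2.31 api.pcloud.com
2025-10-03T09:30:00Z eng-ws-11 engineering Mozilla/5.0 workdrive.zoho.com
2025-10-03T09:31:00Z eng-ws-11 engineering Mozilla/5.0 cdn.sportsbook.example
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def provider_for(host):
    """Map a destination host to a provider by registrable-domain suffix."""
    for suffix, name in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def audit_egress(log_text):
    """Count connections per (source, group, provider) to cloud-storage
    destinations the source's group is not expected to use."""
    findings = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently mis-parse
        _, src, group, _, dst = m.groups()
        provider = provider_for(dst)
        if provider and group not in EXPECTED_GROUPS.get(provider, set()):
            findings[(src, group, provider)] += 1
    return findings
```

The finance workstation talking to Zoho is policy-conformant and stays quiet; the build agent beaconing to pCloud and the engineering workstation reaching Zoho are the two findings an auditor would want to see.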
What's Priced In for iGaming Operators
The market has priced in the idea that mobile clients are an attack surface. What it has not priced in is the cost of owning your own Android distribution channel as a regulated operator. The MGA and UKGC both impose technical standards on game integrity and player protection, but the supply chain integrity of the client binary itself is treated as an operational hygiene question rather than a licensing one. That gap is going to close, and operators with bespoke APK delivery should expect questions from technical compliance auditors within the next license cycle.
Already priced in: code signing, reproducible builds, SBOM hygiene. Most series-B and above operators have at least the slide deck version of these controls. What is not priced in is third-party risk for white-label platform providers. If you are an operator running on a turnkey platform, your APK is built by your vendor's pipeline, signed with their keys, and pushed from their CDN. Your incident response runbook for a sqgame-style compromise is, in practice, a phone call to your provider's account manager. That is the unit economics nobody wants to put on the slide: the cost of a supply chain breach on a white-label is borne by the licensee, but the controls live with the vendor.
The GC of any licensed operator should be asking their VP Engineering one specific question this week: who has commit access to the repository that builds our mobile client, who has access to the signing key, and can we produce that list in under an hour? If the answer involves a third party and a support ticket, the regulatory exposure is larger than the technical one. Twenty months of dwell time on a regulator-licensed client would not survive a Section 166 notice.
Contrarian View
The easy read is that this campaign is a wake-up call for every gaming platform. It is not. ScarCruft picked sqgame[.]net because the victim profile was Yanbian-resident ethnic Koreans, a population of intelligence interest to Pyongyang. A licensed iGaming operator in Malta or the UK is not in that targeting set, and the operational cost of a state actor running a multi-platform implant family against a regulated commercial operator for player surveillance is not justified by any plausible return.
The realistic threat to iGaming from this report is not ScarCruft. It is the techniques being copied by financially motivated actors in twelve to eighteen months, repurposed for credential theft and account takeover. Cloud-storage C2 over Dropbox and pCloud, multistage loaders keyed to the victim machine, trojanized updater DLLs: these are not exclusive to North Korean tradecraft, and the moment a ransomware affiliate productizes the playbook against a regional sportsbook's Android client, the conversation changes. Build the threat model for that, not for the APT headline.
Key Takeaways
- Seven versions of the Android BirdCall variant dating to October 2024 indicate a roughly twenty-month dwell window on a live distribution channel, which should reset incident-response planning assumptions for any operator shipping native clients.
- Only the Android APKs and Windows DLL were poisoned; iOS was untouched. Distribution architecture, not platform security, dictated the attack surface, and that has direct implications for operators in markets where Play Store distribution is restricted.
- BirdCall's use of Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive for C2 makes egress detection materially harder for any operator with a normal SaaS footprint. Allow-lists need an audit.
- White-label iGaming licensees inherit their platform vendor's supply chain risk without inheriting the controls. The contractual and regulatory exposure sits with the licensee.
- The real iGaming-relevant threat is not ScarCruft directly; it is the playbook being adapted by financially motivated actors within the next twelve to eighteen months. Teams should be modeling for that lag, not the current headline.
Teams evaluating mobile client distribution strategy should now be asking themselves a sharper question: if our APK pipeline were compromised tomorrow, how long before we knew, and who in the org has both the authority and the access to revoke a signing key before close of business? If that answer requires a meeting, the architecture is the problem.
Frequently Asked Questions
Q: What is BirdCall malware and how does it differ from RokRAT?
BirdCall is a backdoor described by ESET as an advanced evolution of RokRAT, a malware family active since 2021 and tied to the North Korea-aligned ScarCruft group. It shares the lineage and C2 patterns of RokRAT but is a distinct implant, with both Windows and Android variants, and uses cloud services like Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive for command-and-control.
Q: Why should iGaming operators care about an attack on a Yanbian gaming site?
The victim targeting is geopolitical, but the techniques are directly relevant. Any operator distributing its own Android APK outside the Play Store, common in restricted markets, runs structurally similar infrastructure to the compromised platform. The same supply chain class of attack, especially trojanized updater DLLs and poisoned APKs, can be repurposed by financially motivated actors against sportsbooks and casinos.
Q: How long did the ScarCruft supply chain compromise go undetected?
Based on ESET's reporting, the Windows trojanized DLL was being delivered since at least November 2024, and the earliest Android BirdCall variant in the lineage dates to October 2024. ESET discovered the campaign in October 2025, putting the dwell time at roughly eleven to twelve months for detection, with the Android APKs reportedly still available at time of publication.