
North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China

Download page leading to trojanized games (ESET via Help Net Security)

By Sinisa Markovic

A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its users since late 2024. The platform, sqgame[.]net, hosts traditional card and board games for a community that sits along the North Korean border and includes many refugees and defectors.

ESET researchers tied the operation to ScarCruft, a North Korea-aligned espionage group also tracked as APT37 and Reaper, which has been active since at least 2012.

The Windows installer on sqgame’s site is several years old and clean on its own. The malicious code arrived through an update package hosted at xiazai.sqgame.com[.]cn, where attackers patched a legitimate mono.dll library with a downloader. That downloader checks for analysis tools and virtual machines, locates the sqgame client process, and pulls shellcode from compromised South Korean websites. The shellcode delivered the RokRAT backdoor, which then installed BirdCall, a more capable C++ implant ESET first attributed to ScarCruft in 2021. After execution, the trojanized mono.dll is swapped back to a clean copy fetched from another compromised Korean site, erasing the visible artifact.
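The swap-back step matters for defenders: once the clean mono.dll is restored, a plain hash check of the install directory comes back clean. The script below is an added illustration, not code from ESET, Help Net Security or sqgame, of the kind of baseline-integrity check that still has a chance of noticing the sequence. It records a SHA-256 and modification time per file at a known-good point, then reports files whose content changed and, separately, files whose content matches the baseline again but whose mtime moved. The file names and byte contents in the demo are constructed stand-ins, and the two-stage sequence it simulates (patched library, then clean copy written back) is an assumption modelled on the paragraph above.

```python
"""Baseline-integrity check for an application install directory.

Added example (not ESET's, Help Net Security's or sqgame's code).
Assumes a baseline snapshot was taken while the install was clean.
"""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, mtime_ns} for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            snap[rel] = {
                "sha256": _sha256(path),
                "mtime_ns": os.stat(path).st_mtime_ns,
            }
    return snap


def compare(baseline, current):
    """Diff two snapshots. Returns sorted (finding, relative_path) tuples.

    'modified'                - content differs from the baseline
    'rewritten_same_content'  - content matches again but mtime changed,
                                i.e. the file was written back (the trace a
                                clean-copy swap leaves if timestamps are not
                                also restored)
    'added' / 'removed'       - files not present in one of the snapshots
    """
    findings = []
    for rel, base in baseline.items():
        cur = current.get(rel)
        if cur is None:
            findings.append(("removed", rel))
        elif cur["sha256"] != base["sha256"]:
            findings.append(("modified", rel))
        elif cur["mtime_ns"] != base["mtime_ns"]:
            findings.append(("rewritten_same_content", rel))
    for rel in current.keys() - baseline.keys():
        findings.append(("added", rel))
    return sorted(findings)


def _write(root, rel, data, mtime=None):
    path = os.path.join(root, rel)
    with open(path, "wb") as f:
        f.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo():
    """Simulate patch-then-restore of a library and return both diffs."""
    install_time = 1_600_000_000  # constructed 'years old' install timestamp
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins; not real sqgame or Mono bytes.
        clean_dll = b"MZ" + b"\x00" * 62 + b"clean mono.dll stand-in"
        _write(root, "mono.dll", clean_dll, install_time)
        _write(root, "sqgame.exe", b"MZ" + b"\x00" * 62 + b"client stand-in", install_time)
        baseline = snapshot(root)  # taken while the install is clean

        # Stage 1: an update drops a patched library in place of mono.dll.
        _write(root, "mono.dll", clean_dll[:64] + b"downloader stub stand-in")
        after_patch = compare(baseline, snapshot(root))

        # Stage 2: the patched library is replaced with a clean copy again.
        _write(root, "mono.dll", clean_dll)
        after_swap_back = compare(baseline, snapshot(root))
        return after_patch, after_swap_back


if __name__ == "__main__":
    patched, restored = demo()
    print("after patch:    ", patched)
    print("after swap-back:", restored)
```

Two caveats. The 'rewritten_same_content' signal only exists if the baseline recorded timestamps and the attacker did not restore them with the file; a loader that also resets mtime defeats it, so it is a low-confidence indicator to pair with process or network telemetry rather than proof on its own. And the check says nothing about where an update came from: the stronger control is verifying an update package against the vendor's signature or a pinned hash before the library is ever loaded, which this script does not attempt.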

Read more at Help Net Security
