A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

2026-05-05 • ESET •

https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/

#Scarcruft #BirdCall

Thumbnail for A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

ScarCruft compromised a Yanbian-focused gaming platform in a supply-chain attack aimed at ethnic Koreans in China's Yanbian region, an area linked to North Korean refugees and defectors. The Windows client was affected through a malicious update that led to RokRAT and then the more capable BirdCall backdoor. Android games on the same platform were trojanized with an Android port of BirdCall, which ESET describes as a newly public ScarCruft tool. The campaign's espionage capabilities included collecting personal data, documents, contacts, SMS messages, call logs, media files, and private keys, as well as screenshots and audio recordings.

Indicators of Compromise

Type	Value	First Seen	Last Seen
DOMAIN	cndsoft.co.kr	2026-05-05	2026-05-05
IPv4	222.231.2.41	2026-05-05	2026-05-05
DOMAIN	sejonghaeun.com	2026-05-05	2026-05-05
IPv4	222.231.2.23	2026-05-05	2026-05-05
DOMAIN	swr.co.kr	2026-05-05	2026-05-05
DOMAIN	colorncopy.co.kr	2026-05-05	2026-05-05
IPv4	222.231.2.20	2026-05-05	2026-05-05
DOMAIN	www.lawwell.co.kr	2026-05-05	2026-05-05
IPv4	221.143.43.214	2026-05-05	2026-05-05
DOMAIN	inodea.com	2026-05-05	2026-05-05
DOMAIN	1980food.co.kr	2026-05-05	2026-05-05
DOMAIN	sqgame.com.cn	2026-05-05	2026-05-05
IPv4	39.106.249.68	2026-05-05	2026-05-05
IPv4	114.108.128.157	2026-05-05	2026-05-05
IPv4	211.239.117.117	2025-04-13	2026-05-05

Related Actors

Scarcruft

Kaspersky

First seen: Jun 2016

Last seen: May 2026

Related Reports

2026-05-28 • 70% Match

ESET APT Activity Report Q4 2025–Q1 2026

ESET

#DreamJob #Andariel #Scarcruft #DangerousPassword #DeceptiveDevelopment #T1513 #Rook

Shares tag: Scarcruft • Same author: ESET • Published within a month

2026-02-06 • 50% Match

Scarcruft’s ROKRAT Malware: Recent Changes

S2W

#Scarcruft #RokRAT

Shares tag: Scarcruft

2024-11-08 • 50% Match

ESET APT Activity Report Q2 2024–Q3 2024

ESET

#Trend #Kimsuky #Scarcruft #CitrineSleet #Lazarus #T1566.002 #T1566.001 #T1190 #T1189 #T1091 #T1212 #T1659

Shares tag: Scarcruft • Same author: ESET

2024-05-15 • 50% Match

ESET APT Activity Report Q4 2023–Q1 2024

ESET

#Trend #Andariel #Kimsuky #Scarcruft #Konni #WebLogTea

Shares tag: Scarcruft • Same author: ESET

2023-05-09 • 50% Match

ESET APT Activity Report Q4 2022–Q1 2023

ESET

#Trend #Andariel #Kimsuky #Scarcruft #T1027

Shares tag: Scarcruft • Same author: ESET

2022-11-30 • 50% Match

Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

ESET

#Scarcruft #Dolphin #T1102.002 #T1082 #T1119 #T1567.002 #T1005 #T1113 #T1020 #T1071.001 #T1083 #T1056.001 #T1059.006 #T1059.007 #T1027 #T1555.003 #T1124 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1203 #T1189 #T1016 #T1074.001 #T1106 #T1025 #T1055.002 #T1010 #T1033 #T1560.002 #T1016.001

Shares tag: Scarcruft • Same author: ESET

« Back