ScarCruft compromises gaming platform in a supply-chain attack

Admin by Admin
May 6, 2026


ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.

The backdoor, named BirdCall by ESET, was previously known to target Windows only; the Android version was discovered as part of this supply-chain attack. In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.

Key points of this blogpost:

  • North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.
  • The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor.
  • Android games available on the gaming platform were trojanized to contain the Android version of the BirdCall backdoor – a new tool in ScarCruft’s arsenal.
  • The goal of the campaign is espionage, with the backdoor capable of collecting personal data and documents, taking screenshots, and making voice recordings.

ScarCruft profile

ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is suspected to be a North Korean espionage group. It mainly focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. The group also targets North Korean defectors, with the latest such activity presented in this blogpost.

BirdCall backdoor

Windows version

BirdCall is a Windows backdoor written in C++ that we discovered in 2021 and attributed to ScarCruft as part of the ESET Threat Intelligence reporting.

The backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor uses legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key. The initial version of BirdCall was publicly described by South Korean vendors in 2021 as an advanced version of RokRAT (S2W, AhnLab).

Android version

The Android version of BirdCall, discovered in the attack that we describe in this blogpost, implements a subset of the commands and capabilities of the Windows backdoor – it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio.

Based on our research, Android BirdCall was actively developed over a span of several months. We identified seven versions, ranging from version 1.0 (created approximately in October 2024) to version 2.0 (created approximately in June 2025).

Discovery

Our investigation started with a suspicious APK file found on VirusTotal. Upon initial analysis, we determined that the APK is malicious and contains a backdoor.

Interestingly, the APK turned out to be a trojanized card game called 延边红十 (machine translation: Yanbian Red Ten), which we traced to its official website, https://www.sqgame[.]net. sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS. Players can compete in card and board games (see Figure 1) with friends or join organized tournaments.

Figure 1. Yanbian Red Ten game

Surprisingly, the APK available for download on the official website is the same as the APK we initially found on VirusTotal. Moreover, a second Android game (新画图, machine translation: New Drawing) available for download from sqgame was also trojanized with the same backdoor. Further analysis revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor.

The Windows desktop client link on the sqgame website leads to a few-years-old installer that appears to be clean. It does receive updates once installed, but we did not identify any malicious code there during our analysis.

Investigating further in ESET telemetry, we identified a trojanized mono.dll library, originating from an update package for the desktop client. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period. At the time of writing, this update package was no longer malicious.

We also checked the iOS game available on the sqgame website and did not find any malicious code. We think that ScarCruft skipped this platform, since the trojanization and delivery of the app would be much more difficult compared to the other platforms, possibly running into Apple’s review process.

Victimology

Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, we infer that the primary targets are ethnic Koreans living in Yanbian. Yanbian Korean Autonomous Prefecture is a region in China that borders North Korea and is home to the largest ethnic Korean community outside Korea.

In this context, we believe it is likely that the attack was aimed at collecting information on individuals based in (or originating from) the Yanbian region and deemed of interest to the North Korean regime – most likely refugees or defectors.

Attack overview

Android

Two of the Android games available on the sqgame website were found to be trojanized to contain the BirdCall backdoor. The download page available at https://www.sqgame[.]net/games/gamedownload.aspx is shown in Figure 2, with the download buttons for the two trojanized games highlighted in red. The third available Android game was clean at the time of our analysis.

Figure 2. Download page leading to trojanized games

We found evidence that the victims downloaded the trojanized games via a web browser on their devices and probably installed them intentionally. We have not found any other APK locations. We also have not found the malicious APKs on the official Google Play store.

We were unable to determine when the website was first compromised and the supply-chain attack started. However, based on our analysis of the deployed malware, we estimate that it occurred in late 2024.

Table 1 shows the hosting URLs of the two trojanized APK files, along with the hashes of the files served at the time of discovery. At the time of writing of this blogpost, the malicious files were still up on the sqgame website. We notified sqgame of the compromise in December 2025, but have not received a response.

Table 1. Malicious samples

Time of discovery | URL | SHA-1 | Description
2025-10 | http://sqgame.com[.]cn/ybht.apk | 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF | Trojanized game with the BirdCall backdoor.
2025-10 | http://sqgame.com[.]cn/sqybhs.apk | FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 | Trojanized game with the BirdCall backdoor.

Windows

While the Windows desktop client available on the sqgame website did not contain malicious code when we analyzed it, we later identified a trojanized mono.dll library, originating from an update package of the desktop client hosted at the URL http://xiazai.sqgame.com[.]cn/dating/20240429.zip. ESET telemetry shows that this update package had been malicious since at least November 2024, for an unknown period – but at the time of writing, this update package was no longer malicious.

ScarCruft took a clean mono library and patched it with extra code and data, containing a downloader. The downloader first checks running processes for analysis tools and virtual machine environments and does not proceed if any are found. Otherwise, it looks for the process of the sqgame client and constructs a path to the mono library in its installation folder.

Next, it downloads and executes shellcode, which contained the RokRAT backdoor at the time of discovery. Finally, the downloader terminates the client process and downloads the original clean version of the mono library, replacing the trojanized one in the installed client folder. Both the payload and the clean mono library are downloaded from legitimate South Korean websites that were compromised for this purpose – a typical TTP of ScarCruft.

According to our telemetry, the RokRAT backdoor was subsequently used to download and install the BirdCall backdoor on the victimized machines.

Android BirdCall analysis

In this section, we provide a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++. Internally, the backdoor is called zhuagou, which can be translated (from Chinese) as “catching dogs”.

Trojanized Android games

Android BirdCall is distributed via trojanized Android games. In the attack described in this blogpost, we believe that ScarCruft did not gain access to the game’s source code, only to the sqgame website or web server, and instead took the original game APKs and recompiled or repackaged them with malicious code added.

In the trojanized APKs, the AndroidManifest.xml entry point activity is modified and points to the added malicious code – which, after starting the backdoor, executes the original entry activity of the game.

In the analyzed samples, the modified entry point activity was either com.example.zhuagou.SplashScreen or com.mob.util.MobSs (in the latest sample). The modifications to AndroidManifest.xml also include new activity and service definitions for the backdoor, as well as additional permissions required for its operation. A comparison of the packages in the original game and its trojanized version is shown in Figure 3.

Figure 3. Package tree of the legitimate game (left) and its trojanized version (right)

Since the Android BirdCall backdoor is part of a trojanized Android app installed on the device, it does not automatically start after installation or a device reboot; instead, it relies on user execution.
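The manifest changes described above (a redirected entry-point activity, new activity and service definitions, extra permissions) are exactly what a defender can check mechanically by diffing the decoded AndroidManifest.xml of a suspect APK against the known-good release. The Python below is an added example written for this page, not ESET tooling and not code from the sqgame apps; the two manifests are constructed for illustration (the package com.example.game and the service com.example.zhuagou.CollectorService are made up, while com.example.zhuagou.SplashScreen is the entry-point name from the analysis). It reports a changed launcher activity, added activities and services, and added permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute as ElementTree sees it

# Constructed sample manifests (not extracted from the real sqgame APKs).
# The "original" is a minimal game; the "repackaged" one redirects the launcher
# entry point to an added activity, adds a service and asks for extra permissions.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.game.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name="com.example.game.MainActivity"/>
    <activity android:name="com.example.zhuagou.SplashScreen">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.zhuagou.CollectorService"/>
  </application>
</manifest>"""


def launcher_activities(root: ET.Element) -> set[str]:
    """Activities (or activity-aliases) exposed through a MAIN/LAUNCHER intent filter."""
    found = set()
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for filt in comp.iter("intent-filter"):
                actions = {a.get(NAME) for a in filt.iter("action")}
                categories = {c.get(NAME) for c in filt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in categories):
                    found.add(comp.get(NAME))
    return found


def summarize(manifest_xml: str) -> dict:
    """Collect the component and permission names a repackaging diff cares about."""
    root = ET.fromstring(manifest_xml)
    return {
        "permissions": {e.get(NAME) for e in root.iter("uses-permission")},
        "activities": {e.get(NAME) for e in root.iter("activity")},
        "services": {e.get(NAME) for e in root.iter("service")},
        "launchers": launcher_activities(root),
    }


def diff_manifests(known_good_xml: str, suspect_xml: str) -> dict:
    """Report what the suspect manifest adds or redirects relative to the known-good one."""
    good, suspect = summarize(known_good_xml), summarize(suspect_xml)
    return {
        "launcher_changed": good["launchers"] != suspect["launchers"],
        "new_launchers": sorted(suspect["launchers"] - good["launchers"]),
        "added_activities": sorted(suspect["activities"] - good["activities"]),
        "added_services": sorted(suspect["services"] - good["services"]),
        "added_permissions": sorted(suspect["permissions"] - good["permissions"]),
    }


if __name__ == "__main__":
    for key, value in diff_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{key}: {value}")
```

Real APK manifests are binary XML, so decode them first (for instance with apktool) and feed the resulting text to diff_manifests. A changed launcher activity together with newly requested data-access permissions is a strong repackaging signal even before the added code is identified as a known family.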

Configuration

Android BirdCall contains a default configuration, which is initialized on the first run. The configuration uses JSON format and is persisted in a file. Subsequent runs load the existing configuration file, and the configuration can be modified via backdoor commands. An example of a formatted configuration is shown in Figure 4.

{
    "bi": "E823D451D636D0A0",
    "skey": "A8FE823D451D636D0A0366C0629EF5C3##@(()(#@",
    "si": "20251105141404",
    "rft": 20000,
    "fst": true,
    "kill": false,
    "log": true,
    "ctm": 10000,
    "scr": false,
    "rec": false,
    "cmd": 0,
    "knowledge": 1,
    "bd_version": 37,
    "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
    "cloud": [
        {
            "ct": 9,
            "idx": 28,
            "cid": "1000.2IGB56IS1FHQ1V332R[redacted]",
            "cst": "fa7ec5c8b050[redacted]",
            "rt": "1000.a7fc479e[redacted]",
            "at": "empty",
            "fid": "8mwe5bbc0a2759839401f813968808a2f36a6",
            "dm": "",
            "use": 0
        },
        [redacted]
    ]
}

Figure 4. Android BirdCall configuration example

The bd_version configuration entry encodes the version of the backdoor, stored as MAJOR << 5 | MINOR, so the value 37 corresponds to version 1.5.

The persisted configuration file is stored in the data directory of the app and has a device-specific path. Additionally, during the configuration initialization, the default configuration of cloud storage drives hardcoded in the sample can be overridden by an external source. If available, the backdoor downloads a JPG image that contains an encrypted cloud configuration embedded in its overlay. The image is usually hosted on a compromised South Korean website.
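A recovered configuration file of the shape shown in Figure 4 is a useful triage artifact: it tells an analyst which backdoor version was running, which file types were being staged, whether screenshots or audio capture were enabled, and which cloud accounts it was tied to. The Python below is an added example, not ESET or malware code: it parses such a file, decodes bd_version with the MAJOR << 5 | MINOR rule from the text, splits the extentions list and summarizes the cloud entries. The embedded configuration is constructed with placeholder identifiers rather than values from a real sample, and only the fields the analysis documents (scr, rec, extentions, bd_version, cloud) are given names; everything else is passed through untouched.

```python
import json

# Constructed configuration modelled on the layout of Figure 4; identifiers and
# credentials are placeholders, not values taken from a real sample.
SAMPLE_CONFIG = """{
    "bi": "0000000000000000",
    "skey": "[redacted]",
    "si": "20251105141404",
    "rft": 20000,
    "fst": true,
    "kill": false,
    "log": true,
    "ctm": 10000,
    "scr": false,
    "rec": true,
    "cmd": 0,
    "data": 1,
    "bd_version": 37,
    "extentions": ".jpg;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.txt;.hwp;.pdf;.m4a;.p12;",
    "cloud": [
        {"ct": 9, "idx": 28, "cid": "1000.PLACEHOLDER", "cst": "[redacted]",
         "rt": "[redacted]", "at": "empty", "fid": "[redacted]", "dm": "", "use": 0}
    ]
}"""

# Flags whose meaning the analysis documents; other keys are reported raw.
DOCUMENTED_FLAGS = {"scr": "screenshots", "rec": "audio_recording"}
STRUCTURED_KEYS = {"bd_version", "extentions", "cloud"}


def decode_version(bd_version: int) -> str:
    """bd_version stores MAJOR << 5 | MINOR, so 37 decodes to '1.5'."""
    return f"{bd_version >> 5}.{bd_version & 0x1F}"


def encode_version(major: int, minor: int) -> int:
    """Inverse of decode_version, e.g. (2, 0) -> 64."""
    return (major << 5) | minor


def parse_extensions(field: str) -> list[str]:
    """The extentions string is ';'-separated and ends with a trailing ';'."""
    return [ext for ext in field.split(";") if ext]


def triage(config_text: str) -> dict:
    """Summarize a persisted Android BirdCall configuration for an analyst."""
    cfg = json.loads(config_text)
    return {
        "version": decode_version(cfg["bd_version"]),
        "extensions": parse_extensions(cfg.get("extentions", "")),
        "flags": {label: cfg.get(key) for key, label in DOCUMENTED_FLAGS.items()},
        "cloud_accounts": [
            # "ct" is the provider type; which number maps to which provider is not
            # stated in the analysis, so the raw value is kept.
            {"cloud_type": c.get("ct"), "client_id": c.get("cid"), "in_use": bool(c.get("use"))}
            for c in cfg.get("cloud", [])
        ],
        "other": {k: v for k, v in cfg.items()
                  if k not in STRUCTURED_KEYS and k not in DOCUMENTED_FLAGS},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

The client_id values in the cloud list are what ties a sample to the accounts in Table 2, so they are worth extracting from every recovered configuration and comparing across samples.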

C&C communication

Android BirdCall uses cloud storage drives for C&C communication, just like the Windows version. In the analyzed samples, three cloud providers are supported: pCloud, Yandex Disk, and Zoho WorkDrive, although only Zoho WorkDrive is used. The backdoor communicates via HTTPS, sending requests to API endpoints of the respective provider using the okhttp3 library.

During our research, we observed 12 Zoho WorkDrive drives used by the Android BirdCall backdoor for C&C purposes. Details of the associated accounts are shown in Table 2.

Table 2. Android BirdCall Zoho WorkDrive accounts

client_id | display_name | email
1000.AJUEYDUIQQ5GCLFA68[redacted] | tomasalfred37 | tomasalfred37@zohomail[.]com
1000.INXKBHQ3698CK42YA2[redacted] | kalimaxim279 | kalimaxim279@zohomail[.]com
1000.FYRJ46E75TUYBWYV5J[redacted] | Smith Bentley | smithbentley0617@zohomail[.]com
1000.8QU6D2LJZ3RCGLZWF2[redacted] | Mic haelLarrow19 | michaellarrow19@zohomail[.]com
1000.NT1QEE7V73IHNZP5YT[redacted] | dsf sdf | amandakurth94@zohomail[.]com
1000.SKXUYYKYL06FQ2NW82[redacted] | dsf sdf | rexmedina89@zohomail[.]com
1000.7BMBOS8GV1ZR6AWEI2[redacted] | dsf dsf | alishaross751@zohomail[.]com
1000.V0J0QN7SJ2N7V6IZVE[redacted] | sdf sdf | jamesdeeds385@zohomail[.]com
1000.2IGB56IS1FHQ1V332R[redacted] | asdf sdaf | joyceluke505@zohomail[.]com
1000.W4V2XMB83C6VFC7DGZ[redacted] | dfsd sdf | marjoriemiller280@zohomail[.]com
1000.LIUBF67S89H0IZEBHE[redacted] | Bill Jackson | teresadaniels200@zohomail[.]com
1000.8BLOFSFU4WOFY9HB4A[redacted] | Zoe Jack | michaelgiesen62@zohomail[.]com

Capabilities

Android BirdCall features an update mechanism: a newer version can be loaded from an update file, which is expected to be in the form of an APK in the app data directory, and its download is triggered via the command MP_SEND_FILE.

After the optional update procedure, the original game activity is started, so as not to raise suspicion. Then the backdoor checks and waits for an internet connection, before proceeding to its main operation.

Data collection

On the first run, the backdoor collects a full directory listing of the device’s primary shared external storage, and user data consisting of the contact list, call log, and SMS messages.

The backdoor periodically checks in with the C&C and uploads basic information, which consists of:

  • identifier values from the configuration and the current time,
  • battery temperature, RAM and storage information, cloud configuration, backdoor version, and file extensions of interest,
  • IP geolocation information from https://ipinfo[.]io/json, and
  • on the first run, additional information about the device, network, and the application:

    ○ brand, model, OS, kernel, and rooted status,

    ○ IMEI number, IP address, MAC address, and network type, and

    ○ application package and permissions.

The backdoor can periodically take screenshots (scr flag). In some versions, we observed the technique of playing a silent MP3 file in a loop while taking screenshots, which is used to prevent the trojanized app from being suspended while running in the background.

In some of the versions, the backdoor can record audio via the microphone and eavesdrop on the surroundings of the compromised device. Surprisingly, even when recording is enabled (rec flag), it is restricted to a three-hour window in the evening, from 7 pm to 10 pm local time.

The backdoor periodically searches the shared external storage for files with extensions of interest (extentions) and stages them for exfiltration. In the samples we analyzed, exfiltration was aimed at media files, documents, and private keys: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12.

Commands

Android BirdCall periodically checks the cloud storage drive for commands issued for the victim. Decrypted commands start with the magic DWORD 0x2A7B4C33, and this value matches the Windows version of BirdCall. The commands have zero or more parameters, depending on their type. Table 3 shows an overview of the supported commands with their descriptions for both platforms.

The Android version of the backdoor implements only a subset of the commands available in the Windows version.

Table 3. BirdCall backdoor commands

Type | Name | Android description | Windows description
0x48 | MP_SET_FILESEARCH_EXTENTION | Sets file extensions of interest in the configuration. | Same as Android.
0x49 | MP_SET_THREADS | Toggles screenshot taking and voice recording. | Includes additional capabilities such as clipboard stealing and keylogging.
0x4A | MP_SET_CLOUD | Sets cloud API credentials in the configuration. | Same as Android.
0x4B | MP_SET_REGISTER_FILE_CONTROL | N/A | Modifies the filter used during file search.
0x4C | MP_SET_MODE | Toggles collection of the backdoor execution logs. | Toggles various collection-related flags.
0x4D | MP_ACTION_KILLME | Disables the backdoor. The original game continues running. | Uninstalls the backdoor and exits.
0x4E | MP_ACTION_KILLPROCESS | N/A | Uses the taskkill utility to kill a process.
0x4F | MP_ACTION_FILE_OR_DIRECTORY | Supports upload of a specified file or directory. | Supports several file and directory operations: delete, rename, open, and upload.
0x50 | MP_ACTION_DOWNLOAD_COMMAND | N/A | Downloads and executes commands from a URL or cloud drive.
0x51 | MP_ACTION_RESET_WORKDIRECTORIES | N/A | Can delete working directories used by the backdoor.
0x52 | MP_ACTION_EXECUTE_SIMPLE_COMMAND | N/A | Can restart the backdoor and execute a command via cmd.exe.
0x53 | MP_ACTIONS_MORE | N/A | Can perform three operations: delete the persisted configuration; enable macros in Word (Microsoft and Hancom Office); restart the backdoor.
0x54 | MP_ACTION_SHELL | N/A | Starts a shell (based on WCMD).
0x55 | MP_ACTION_WEBSCAN | N/A | Performs an HTTP scan of specified hosts/ports.
0x56 | MP_GET_DATA | Can obtain: contacts, call logs, and SMS messages; a full directory listing of the primary shared external storage; and basic information. | Can obtain: backdoor configuration and various system information; credentials from browsers and other software; files from IM apps (KakaoTalk, WeChat, and Signal); camera photos; and a directory listing.
0x57 | MP_GET_TREES | Retrieves a directory listing. | Same as Android.
0x59 | MP_SEND_FILE | Supports backdoor updating. | Supports dropping a file to a specified location, dropping and executing additional executables, and updating the backdoor.
0x5A | MP_SEND_SHELL | N/A | Executes shell commands.
0x5C | MP_SET_PROXY | N/A | Connects to a specified host:port and forwards traffic from/to the C&C server, acting as a proxy.

A dump containing the Windows version of BirdCall that closely resembles the one we observed in this attack and features all the commands listed above can be found on VirusTotal with SHA-1 B06110E0FEB7592872E380B7E3B8F77D80DD1108. The sample was uploaded from China on July 15th, 2024.
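The shared magic DWORD 0x2A7B4C33 and the command types in Table 3 are enough for a small triage helper that an analyst can run over decrypted command buffers (for example memory or cloud-drive artifacts after decryption) to list which commands were issued and whether the Android port would have honoured them. The Python below is an added example, not the backdoor's or ESET's code. The layout after the magic (a little-endian DWORD command type followed by raw parameters) is an assumption made for this example; the analysis states only that decrypted commands begin with the magic and carry zero or more parameters, so adjust the header parsing to what your own samples show.

```python
import struct

COMMAND_MAGIC = 0x2A7B4C33  # magic DWORD at the start of a decrypted command (from the analysis)

# Command types and names from Table 3.
COMMAND_NAMES = {
    0x48: "MP_SET_FILESEARCH_EXTENTION", 0x49: "MP_SET_THREADS", 0x4A: "MP_SET_CLOUD",
    0x4B: "MP_SET_REGISTER_FILE_CONTROL", 0x4C: "MP_SET_MODE", 0x4D: "MP_ACTION_KILLME",
    0x4E: "MP_ACTION_KILLPROCESS", 0x4F: "MP_ACTION_FILE_OR_DIRECTORY",
    0x50: "MP_ACTION_DOWNLOAD_COMMAND", 0x51: "MP_ACTION_RESET_WORKDIRECTORIES",
    0x52: "MP_ACTION_EXECUTE_SIMPLE_COMMAND", 0x53: "MP_ACTIONS_MORE", 0x54: "MP_ACTION_SHELL",
    0x55: "MP_ACTION_WEBSCAN", 0x56: "MP_GET_DATA", 0x57: "MP_GET_TREES", 0x59: "MP_SEND_FILE",
    0x5A: "MP_SEND_SHELL", 0x5C: "MP_SET_PROXY",
}
# The subset the Android port implements (rows of Table 3 whose Android column is not N/A).
ANDROID_SUPPORTED = {0x48, 0x49, 0x4A, 0x4C, 0x4D, 0x4F, 0x56, 0x57, 0x59}

MAGIC_LE = struct.pack("<I", COMMAND_MAGIC)
MAGIC_BE = struct.pack(">I", COMMAND_MAGIC)


def find_magic(buf: bytes) -> list[tuple[int, str]]:
    """Offsets at which the magic DWORD occurs, in either byte order (YARA-style sweep)."""
    hits = []
    for label, pattern in (("LE", MAGIC_LE), ("BE", MAGIC_BE)):
        start = 0
        while (pos := buf.find(pattern, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


def parse_command(blob: bytes) -> dict:
    """Parse one decrypted command under the ASSUMED layout: <magic:u32le><type:u32le><params>."""
    if len(blob) < 8:
        raise ValueError("command blob too short for a header")
    magic, ctype = struct.unpack_from("<II", blob, 0)
    if magic != COMMAND_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    return {
        "type": ctype,
        "name": COMMAND_NAMES.get(ctype, "UNKNOWN"),
        "android_supported": ctype in ANDROID_SUPPORTED,
        "params": blob[8:],  # raw parameters; their encoding is command-specific
    }


def extract_commands(buf: bytes) -> list[dict]:
    """List every parseable command header found in a decrypted buffer, with its offset."""
    found = []
    for offset, order in find_magic(buf):
        if order != "LE":
            continue  # big-endian hits are reported by find_magic but not parsed here
        try:
            cmd = parse_command(buf[offset:])
        except ValueError:
            continue
        cmd["offset"] = offset
        found.append(cmd)
    return found


# Constructed sample: an extension-list command preceded by four bytes of padding.
SAMPLE_COMMAND = struct.pack("<II", COMMAND_MAGIC, 0x48) + b".jpg;.pdf;"
SAMPLE_DUMP = b"\x00\x00\x00\x00" + SAMPLE_COMMAND

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_DUMP):
        print(f"offset {cmd['offset']}: {cmd['name']} (type 0x{cmd['type']:02X}), "
              f"android={cmd['android_supported']}, params={cmd['params']!r}")
```

Because the magic is shared with the Windows version, the same sweep works on decrypted material from either platform; the android_supported field then tells you whether a given command would have done anything on a compromised phone.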

Conclusion

We have uncovered a multiplatform supply-chain attack targeting the Yanbian region through a compromised video game platform. Analyzing the trojanized Android games on the platform, we discovered a new tool in ScarCruft’s arsenal – an Android version of the group’s BirdCall backdoor. The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
01A33066FBC6253304C92760916329ABD50C3191 | sqybhs.apk | Android/Spy.Agent.EXM | Trojanized game with Android BirdCall version 2.0.
03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF | ybht.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.3.
2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.5.
59A9B9D47AE36411B277544F25AD2CC955D8DD2C | ybht.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.0.
7356D7868C81499FB4E720F7C9530E5763B4C1D0 | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.0.
FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 | sqybhs.apk | Android/Spy.Agent.EGE | Trojanized game with Android BirdCall version 1.5.
95BDB94F6767A3CCE6D92363BBF5BC84B786BDB0 | mono.dll | Win32/TrojanDownloader.Agent.ILQ | Trojanized mono library.
409C5ACAED587F62F7E23DA47F72C4D9EC3144D9 | N/A | Win32/TrojanDownloader.Agent.ILQ | Downloader leading to the RokRAT backdoor.
B06110E0FEB7592872E380B7E3B8F77D80DD1108 | N/A | Win64/Agent.EGN | Publicly available dump of the Windows BirdCall backdoor.

Network

IP | Domain | Hosting provider | First seen | Details
39.106.249[.]68 | sqgame.com[.]cn | Hangzhou Alibaba Advertising Co.,Ltd. | 2024-06-01 | Compromised sqgame website hosting trojanized games and malicious updates.
211.239.117[.]117 | 1980food.co[.]kr | Hostway IDC | 2025-03-07 | Compromised South Korean website used to host Android BirdCall configuration.
114.108.128[.]157 | inodea[.]com | LG DACOM Corporation | 2025-07-03 | Compromised South Korean website used to host Android BirdCall configuration.
221.143.43[.]214 | www.lawwell.co[.]kr | SK Broadband Co Ltd | 2024-11-04 | Compromised South Korean website used to host shellcode and the clean mono library.
222.231.2[.]20 | colorncopy.co[.]kr, swr.co[.]kr | LG DACOM Corporation | 2025-03-18 | Compromised South Korean websites used to host shellcode.
222.231.2[.]23 | sejonghaeun[.]com | IP Manager | 2025-03-18 | Compromised South Korean website used to host the clean mono library.
222.231.2[.]41 | cndsoft.co[.]kr | IP Manager | 2025-03-18 | Compromised South Korean website used to host shellcode.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK Enterprise framework.

Tactic | ID | Name | Description
Resource Development | T1584.004 | Compromise Infrastructure: Server | ScarCruft compromised South Korean websites to host payloads and configurations. ScarCruft compromised the sqgame website to perform a supply-chain attack.
Resource Development | T1585.003 | Establish Accounts: Cloud Accounts | ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&C purposes.
Resource Development | T1587.001 | Develop Capabilities: Malware | ScarCruft developed the Android version of the BirdCall backdoor.
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | ScarCruft uploaded trojanized games to the compromised sqgame website.
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | ScarCruft compromised an sqgame update server to distribute malicious updates.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BirdCall can execute shell commands.
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BirdCall has encrypted strings and loading chain components. The trojanized mono library contains encrypted shellcode.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | The trojanized mono library is replaced with a clean one.
Defense Evasion | T1112 | Modify Registry | BirdCall can modify settings of word processors to enable macros.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | BirdCall decrypts strings and loading chain components.
Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | BirdCall’s loading chain has components encrypted with a computer-specific key.
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | The downloader in the trojanized mono library checks for analysis tools and virtual machine environments.
Credential Access | T1555 | Credentials from Password Stores | BirdCall can obtain stored passwords from browsers and other software.
Discovery | T1046 | Network Service Discovery | BirdCall can scan a range of IPs and ports with an HTTP GET request.
Discovery | T1082 | System Information Discovery | BirdCall can obtain various system information.
Discovery | T1083 | File and Directory Discovery | BirdCall can obtain information about drives and directories.
Collection | T1005 | Data from Local System | BirdCall can collect user files from the IM clients KakaoTalk, WeChat, and Signal.
Collection | T1056.001 | Input Capture: Keylogging | BirdCall can log keystrokes.
Collection | T1113 | Screen Capture | BirdCall can capture screenshots.
Collection | T1115 | Clipboard Data | BirdCall can collect clipboard contents.
Collection | T1119 | Automated Collection | BirdCall can periodically collect files with certain extensions from local and removable drives.
Collection | T1125 | Video Capture | BirdCall can capture a webcam image.
Collection | T1560 | Archive Collected Data | BirdCall compresses and encrypts collected data before exfiltration.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | BirdCall uses HTTP to communicate with cloud storage services.
Command and Control | T1090 | Proxy | BirdCall can act as a proxy.
Command and Control | T1102.002 | Web Service: Bidirectional Communication | BirdCall communicates with cloud storage services to receive commands and exfiltrate data.
Exfiltration | T1020 | Automated Exfiltration | BirdCall periodically exfiltrates collected data.
Exfiltration | T1041 | Exfiltration Over C2 Channel | BirdCall exfiltrates data to its C&C server.
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | BirdCall exfiltrates data to cloud storage services.

This table was built using version 18 of the MITRE ATT&CK Mobile framework.

Tactic | ID | Name | Description
Initial Access | T1474.003 | Supply Chain Compromise: Compromise Software Supply Chain | ScarCruft performed a supply-chain attack, compromising the sqgame website, to distribute trojanized games containing the Android BirdCall backdoor.
Defense Evasion | T1406 | Obfuscated Files or Information | Version 2.0 of the Android BirdCall backdoor is obfuscated.
Defense Evasion | T1407 | Download New Code at Runtime | The Android BirdCall backdoor can download and load newer versions of itself.
Defense Evasion | T1541 | Foreground Persistence | Android BirdCall uses the startForeground API to take screenshots while in the background.
Discovery | T1420 | File and Directory Discovery | Android BirdCall creates a directory listing and searches for files with specified extensions.
Discovery | T1422 | Local Network Configuration Discovery | Android BirdCall obtains the device’s IMEI, IP address, and MAC address.
Discovery | T1426 | System Information Discovery | Android BirdCall obtains system information of the compromised device including brand, model, OS version, kernel version, rooted status, battery temperature, RAM, and storage information.
Collection | T1532 | Archive Collected Data | Android BirdCall compresses and encrypts collected data.
Collection | T1429 | Audio Capture | Android BirdCall can record voice using the microphone.
Collection | T1430 | Location Tracking | Android BirdCall obtains the approximate device location using the ipinfo[.]io service.
Collection | T1513 | Screen Capture | Android BirdCall can take screenshots.
Collection | T1533 | Data from Local System | Android BirdCall collects local files with the following extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12.
Collection | T1636.002 | Protected User Data: Call Log | Android BirdCall collects the call log.
Collection | T1636.003 | Protected User Data: Contact List | Android BirdCall collects the contact list.
Collection | T1636.004 | Protected User Data: SMS Messages | Android BirdCall collects SMS messages.
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Android BirdCall communicates with the C&C cloud storage drive using HTTPS.
Command and Control | T1481.002 | Web Service: Bidirectional Communication | Android BirdCall uses a Zoho WorkDrive service cloud storage drive for C&C purposes.
Exfiltration | T1646 | Exfiltration Over C2 Channel | Android BirdCall uses the C&C channel for data exfiltration.
