What happened
ESET researchers have attributed a supply chain attack on a mobile gaming platform to APT37, a North Korean espionage group operating since 2012 and allegedly housed within North Korea’s Ministry of State Security. The campaign targeted ethnic Koreans living in the Yanbian region of China, a border area with North Korea sometimes called “Third Korea,” with victims likely including refugees and defectors from the North Korean regime.
The attack compromised the update delivery mechanism of Sqgame, a company offering a suite of card games popular in the region. The initial file downloaded from the Sqgame website was not malicious, but a subsequent update package delivered through the compromised platform installed BirdCall, a backdoor that ESET named after identifying it in this campaign. The platform had been compromised since at least November 2024. Victims typically downloaded the games through a web browser and installed them directly outside the Google Play Store. ESET contacted Sqgame in December 2025 but received no response. The update package is no longer malicious.
BirdCall was previously known as a Windows backdoor, first discovered by South Korean vendor AhnLab in 2021. ESET’s analysis uncovered an Android version developed over several months, with seven versions identified. The Android variant collects contact information, SMS texts, call logs, media files, and private keys, can record audio via the microphone to eavesdrop on surroundings, takes screenshots, records calls, and searches external storage for specific file types. APT37 has previously targeted South Korean government and military organizations, North Korean defectors, academic experts, and North Korea-focused media outlets.
Who is affected
Ethnic Koreans in the Yanbian region of China who downloaded and updated Sqgame applications are the confirmed targets, with particular focus on individuals who may be refugees or defectors from North Korea. The broader at-risk population includes any individual or organization that APT37 assesses as holding intelligence value related to North Korean affairs, Korean peninsula diplomacy, or defector networks.
Why CISOs should care
The BirdCall campaign is a textbook supply chain attack against a niche platform with a highly targeted user base. The initial download was clean, establishing trust before a malicious update delivered the payload, a pattern that defeats controls focused on initial installation screening. The Android capability, developed iteratively across seven versions, reflects sustained investment by APT37 in mobile surveillance tools targeting populations that cannot be reached through traditional network intrusion.
For security leaders advising organizations with Korean diaspora communities, defector support networks, or policy and research exposure to Korean peninsula affairs, this campaign is a direct indicator that APT37 is actively expanding its mobile surveillance toolkit and geographic targeting.
3 practical actions
- Enforce managed app store policies on mobile devices used for sensitive work: BirdCall was distributed outside the Google Play Store through direct browser download and sideloading. MDM policies that restrict app installation to approved stores and block sideloading directly mitigate this delivery method on managed and BYOD devices with corporate access.
- Brief high-risk individuals on supply chain attacks delivered through trusted application updates: The Sqgame compromise turned a previously safe application into a surveillance tool through an update. Security awareness guidance for at-risk populations should explicitly cover the risk of malicious updates from legitimate-looking platforms, particularly apps distributed outside official stores.
- Monitor for APT37 indicators published by ESET across endpoint and network telemetry: ESET’s research includes technical indicators associated with BirdCall and the Sqgame supply chain compromise. Integrate these indicators into threat hunting workflows, particularly for organizations operating in sectors or geographies within APT37’s documented targeting scope.
Also in the news today:
- DAEMON Tools Trojanized in Supply-Chain Attack to Deploy Backdoor
- FTC to Ban Data Broker Kochava From Selling Americans’ Location Data
- Student Hacked Taiwan High-Speed Rail to Trigger Emergency Brakes
- Instructure Hacker Claims Data Theft From 8,800 Schools and Universities
- Australia Launches Cyber Incident Review Board Modeled on Disbanded US Equivalent
