Cyber: Update: North Korean APT Targets Yanbian Gamers Via Trojanized Platform
A North Korea-aligned espionage group has compromised a regional gaming platform serving ethnic Koreans in China. The Windows and Android software hosted on the site was trojanized with a previously undocumented mobile backdoor.

According to new analysis from ESET researchers, the supply-chain operation has likely been running since late 2024, targeting users of sqgame[.]net, a site dedicated to traditional Yanbian-themed card and board games. Yanbian Korean Autonomous Prefecture is a district that borders North Korea and is a known crossing point for refugees and defectors. ESET assessed that the activity was aimed at gathering intelligence on individuals of interest to the Pyongyang regime.

ESET attributed the campaign to ScarCruft, also known as APT37, Reaper and Ricochet Chollima, an espionage group active since at least 2012 and historically focused on South Korean government, military and defector-related targets.

The investigation began with a suspicious APK uploaded to VirusTotal, which the researchers traced to a card game called Yanbian Red Ten distributed directly from the sqgame website. A second Android title hosted on the same platform, New Drawing, was also found to carry the same malicious code.

On Windows, telemetry showed that an update package for the desktop client had served a trojanized mono.dll library since at least November 2024. The patched library acted as a downloader, performing anti-analysis checks before fetching shellcode containing the RokRAT backdoor, which was then used to deploy the more sophisticated BirdCall implant. The iOS game on the same site was untouched, which ESET said likely reflected the difficulty of evading Apple's review process.

BirdCall was first identified by ESET as a Windows backdoor in 2021. The Android port, internally named zhuagou, implemented a subset of its predecessor's capabilities and saw active development across seven versions between October 2024 and June 2025.
Source: InfoSecurity Magazine