BirdCall
BirdCall is a backdoor malware family attributed by ESET to the North Korea-aligned espionage group ScarCruft, also tracked as APT37, Reaper, and Ricochet Chollima. It was previously known as a Windows backdoor and was later observed in an Android variant during a supply-chain compromise of the sqgame gaming platform serving ethnic Koreans in China’s Yanbian region. ESET assessed the campaign as likely active since late 2024 and likely focused on espionage against ethnic Koreans in Yanbian, including North Korean refugees or defectors and other persons of interest to the North Korean regime.
In this campaign, two Android game APKs hosted on sqgame were trojanized to deliver BirdCall, while the Windows client was compromised through a malicious update chain. ESET stated the attackers likely compromised sqgame’s web server and repackaged legitimate Android APKs rather than obtaining source code. Victims downloaded the Android apps directly from the website via browser sideloading rather than through Google Play. On Windows, a trojanized mono.dll in an update package acted as a downloader: it checked for analysis tools and virtual environments, fetched shellcode from compromised South Korean websites, and installed RokRAT, which then deployed BirdCall.
The Windows BirdCall backdoor is described as supporting screenshot capture, keystroke logging, clipboard theft, credential theft, file theft, shell command execution, and broader data gathering. The Android BirdCall variant functions as spyware/backdoor malware and implements a subset of the Windows capabilities. Reported Android capabilities include collecting contacts, SMS messages, call logs, media files, documents, private keys, directory listings from shared storage, and device/network metadata such as brand, model, OS, kernel, rooted status, IMEI, IP address, MAC address, RAM details, permissions, and geolocation. It can take screenshots, exfiltrate files with extensions including .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12, and record ambient audio via the microphone; some samples recorded between 7 PM and 10 PM local time. One report also states the Android variant played a silent MP3 in a loop to avoid process suspension.
For command and control, BirdCall is designed to blend traffic with normal network activity and supports cloud services including pCloud, Yandex Disk, and Zoho WorkDrive; ESET observed Zoho WorkDrive used in this campaign, including hardcoded credentials and 12 separate WorkDrive instances/accounts. The Android variant can store a local JSON configuration and download an encrypted configuration hidden in a JPG image. Reported malicious Android samples included trojanized sqybhs.apk and ybht.apk, with SHA-1 values 01A33066FBC6253304C92760916329ABD50C3191, 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF, 2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF, 59A9B9D47AE36411B277544F25AD2CC955D8DD2C, 7356D7868C81499FB4E720F7C9530E5763B4C1D0, and FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9. A Windows BirdCall sample publicly referenced by ESET had SHA-1 B06110E0FEB7592872E380B7E3B8F77D80DD1108. Related infrastructure and payload URLs in the reporting included lawwell.co.kr, cndsoft.co.kr, colorncopy.co.kr, sejonghaeun.com, swr.co.kr, 1980food.co.kr, and inodea.com paths hosting JPG files used in the operation.
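As an added defender-side example (not code from ESET, Mallory, or the reporting summarised above): a triage routine that runs the indicators quoted in this section over constructed proxy-log lines, matching downloaded-file SHA-1s against the listed samples, flagging .jpg fetches from the listed compromised sites, and flagging Zoho WorkDrive traffic that follows such a fetch from the same client. The log format, the sample lines, and the workdrive.zoho.com hostname are assumptions, not values from the report.

```python
import re
from datetime import datetime, timedelta

# SHA-1 values quoted above: six trojanized Android APK samples and one Windows sample.
BIRDCALL_SHA1 = {
    "01a33066fbc6253304c92760916329abd50c3191", "03e3ece9f48cf4104aafc535790ca2fb3c6b26cf",
    "2b81f78ec4c3f8d6cf8f677d141c5d13c35333af", "59a9b9d47ae36411b277544f25ad2cc955d8dd2c",
    "7356d7868c81499fb4e720f7c9530e5763b4c1d0", "fc0c691db7e2d2bd3b0b4c1e24d18df72168b7d9",
    "b06110e0feb7592872e380b7e3b8f77d80dd1108",
}
# Compromised South Korean sites reported as hosting the operation's JPG files.
PAYLOAD_HOSTS = {"lawwell.co.kr", "cndsoft.co.kr", "colorncopy.co.kr", "sejonghaeun.com",
                 "swr.co.kr", "1980food.co.kr", "inodea.com"}
# Assumption (not from the report): WorkDrive traffic appears under this host in the proxy log.
WORKDRIVE_HOST = "workdrive.zoho.com"
# Constructed log format: "<iso-timestamp> <client> <METHOD> <url> [sha1=<hex40>]"
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) https?://([^/\s]+)(\S*)(?: sha1=([0-9a-f]{40}))?$")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, sha1 = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "sha1": sha1}

def triage(lines, window=timedelta(hours=24)):
    """Return (client, reason, detail) alerts in log order."""
    alerts, first_jpg = [], {}  # first_jpg: client -> time of its first payload-host .jpg fetch
    for rec in filter(None, map(parse, lines)):
        if rec["sha1"] in BIRDCALL_SHA1:
            alerts.append((rec["client"], "known BirdCall sample hash", rec["sha1"]))
        if rec["host"] in PAYLOAD_HOSTS and rec["path"].lower().endswith(".jpg"):
            alerts.append((rec["client"], "jpg fetched from reported payload host", rec["host"] + rec["path"]))
            first_jpg.setdefault(rec["client"], rec["ts"])
        # WorkDrive use is legitimate on its own; flag it only when it follows a payload-host .jpg fetch.
        elif (rec["host"] == WORKDRIVE_HOST and rec["client"] in first_jpg
              and timedelta(0) <= rec["ts"] - first_jpg[rec["client"]] <= window):
            alerts.append((rec["client"], "WorkDrive traffic after payload-host jpg fetch", rec["method"]))
    return alerts

SAMPLE_LOG = [  # constructed lines, not real telemetry; sqgame.example is a placeholder host
    "2025-03-01T09:00:00 10.0.0.5 GET https://example.org/index.html",
    "2025-03-01T09:05:10 10.0.0.5 GET https://lawwell.co.kr/data/img/photo.jpg",
    "2025-03-01T09:06:00 10.0.0.5 POST https://workdrive.zoho.com/api/v1/upload",
    "2025-03-01T10:00:00 10.0.0.7 GET https://workdrive.zoho.com/home",
    "2025-03-01T11:30:00 10.0.0.9 GET https://sqgame.example/ybht.apk sha1=03e3ece9f48cf4104aafc535790ca2fb3c6b26cf",
]
```

Running `triage(SAMPLE_LOG)` yields three alerts: the .jpg fetch from lawwell.co.kr, the WorkDrive POST from the same client a minute later, and the APK download whose SHA-1 matches a listed sample; the lone WorkDrive visit from 10.0.0.7 is not flagged.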
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
ScarCruft compromised South Korean websites to host payloads and configurations.
ScarCruft compromised the sqgame website to perform a supply-chain attack.
ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&C purposes.
ScarCruft developed the Android version of the BirdCall backdoor.
ScarCruft uploaded trojanized games to the compromised sqgame website.
Initial Access
3 techniques
"victims typically downloaded the compromised games through a web browser on their devices and installed them directly, without going through the Google Play store."
"We were unable to determine when the website was first compromised and the supply-chain attack started," Jurčacko said... the initial file downloaded from the Sqgame website by victims was not malicious. It became malicious due to a subsequent update package delivered by the platform that had been compromised since at least November 2024.
evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period.
Execution
3 techniques
"Researchers at cybersecurity firm ESET attributed the campaign to APT37 and said the hackers used a backdoor attached to a suite of card games from a company called Sqgame."
Persistence
1 technique
Stealth
6 techniques
After dropping the payload, it replaces itself with a clean copy to erase evidence.
The trojanized mono library is replaced with a clean one.
BirdCall decrypts strings and loading chain components.
BirdCall’s loading chain has components encrypted with a computer-specific key.
Defense Impairment
1 technique
Credential Access
3 techniques"Through BirdCall, APT37 is able to collect contact information, SMS texts, call logs, media files and private keys."
BirdCall can obtain saved passwords from browsers and other software.
Discovery
4 techniques
BirdCall can scan a range of IPs and ports with an HTTP GET request.
It connects to cloud storage using hardcoded credentials and uploads data including RAM, IMEI, IP and MAC address, and geolocation.
The downloader in the trojanized mono library checks for analysis tools and virtual machine environments.
The Android variant of BirdCall has the following capabilities: Extracts IP geolocation information
Collection
7 techniques
"Through BirdCall, APT37 is able to collect contact information, SMS texts, call logs, media files and private keys... It also searches any shared external storage devices for specific file types."
"The backdoor, named BirdCall by the researchers, allowed APT37 to take screenshots..."
BirdCall can periodically collect files with certain extensions from local and removable drives.
"The malware hands attackers a host of information about the device on its first run and ‘can record audio via the microphone and eavesdrop on the surroundings of the compromised device.’"
Command and Control
3 techniques
The malware blends command and control traffic with normal traffic, with the ability to use pCloud, Yandex Disk and Zoho WorkDrive as C2 servers, although the hackers apparently decided to only use Zoho WorkDrive.
Exfiltration
3 techniques
BirdCall periodically exfiltrates collected data.
Communication runs over HTTPS through Zoho WorkDrive accounts, and researchers found 12 separate drives used in the campaign.
BirdCall exfiltrates data to cloud storage services.
IOCs tracked for this family
42 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
The content only references BirdCall by name as Android malware in a related article link; no further behavioral details are provided.
A backdoor used in a supply-chain attack against the sqgame gaming platform. On Android it runs from trojanized APKs, silently collects contacts, call logs, SMS, storage listings, device and network identifiers, geolocation, screenshots, audio, and selected file types, then uploads data via HTTPS to Zoho WorkDrive. On Windows it is installed after RokRAT is delivered through a malicious update.
A multi-platform backdoor used by ScarCruft in a supply chain espionage campaign. It targets Windows and Android, supports surveillance and data theft, and uses legitimate cloud services such as Dropbox, pCloud, Yandex Disk, and Zoho WorkDrive for C2. The Android variant can collect contacts, SMS messages, call logs, media, documents, screenshots, and ambient audio.
BirdCall is a malware family associated with ScarCruft/APT37. The Windows version can record keystrokes, take screenshots, steal clipboard data, exfiltrate files, and execute commands. The newly documented Android variant is delivered via trojanized APKs and can collect device and network information, contacts, call logs, SMS, screenshots, audio recordings, and exfiltrate files.