ScarCruft turns a gaming platform into a spy channel
A regional game hub was quietly turned into an espionage tool. The ScarCruft group slipped Windows and Android backdoors into a trusted platform, then blended command and control traffic into everyday cloud services.
This is not a one-off installer swap. It is a playbook that exploits niche communities, cross-platform code reuse, and the safety halo of popular SaaS.
Why a regional gaming platform became a perfect delivery channel
ScarCruft targeted a platform dedicated to Yanbian-themed games, counting on two properties defenders often overlook. First, regional platforms cultivate high trust within a tight community, which reduces skepticism of website downloads and update prompts. Second, these ecosystems commonly offer multi-platform clients outside major app stores, which normalizes sideloading on Android and in-app updaters on Windows. That combination created a supply chain with few formal checks.
- Windows client updates: a legitimate library was patched to include a downloader that executed shellcode, delivered a familiar RokRAT backdoor, then staged the more capable BirdCall backdoor. To reduce dwell time of obvious artifacts, the trojanized library replaced itself with a clean copy after launch.
- Android games: original APKs were repackaged with a BirdCall component. The manifest entry point was changed to invoke malicious code first, then the real game activity so the experience looked normal.
- Cloud as C2: commands and exfiltrated data moved through mainstream cloud storage APIs, with operator credentials embedded in configuration or fetched from an image hosted on a compromised site.
Example: a player downloads a card game from the platform’s official page. The game runs fine, but it also registers extra permissions for call logs and storage scanning. The backdoor then checks a cloud drive every few minutes, copies recent photos and documents with targeted extensions, and sends them over HTTPS alongside innocuous app traffic.
BirdCall on two fronts, the same operator logic
Windows tradecraft
- Loader chain: a patched Mono library executed a small downloader that avoided analysis tools and virtual machines before pulling shellcode. RokRAT acted as the first foothold, then deployed BirdCall for longer-term collection.
- Blending in: payloads and even clean replacement files were staged on compromised legitimate websites, which looked like normal browsing or software retrieval.
- Scope: screenshots, keylogging, clipboard theft, credential harvesting, shell command execution, and scheduled collection of files of interest.
Android port
- Capabilities: contacts, SMS, call logs, screenshots, ambient audio, and systematic search of shared storage for documents, images, and private keys. Some versions looped a silent audio file to keep a foreground service alive while the screen was off.
- Control plane: cloud storage drives, notably through Zoho WorkDrive APIs, with configuration persisted on device and optionally refreshed from an image overlay fetched from a compromised site.
- Stealth choices: on command, the backdoor can disable itself while the game continues to work, which reduces user-driven remediation.
Non-obvious contribution: treat this as a gray cloud C2 pattern, where operators hide in widely allowed domains and OAuth flows rather than in bulletproof hosting. This pattern works when egress allows direct access to consumer SaaS and when inspection does not parse API semantics. It fails if outbound SaaS is brokered through a cloud access security broker that enforces tenant allowlists and flags unknown client IDs or unusual file API call frequency.
Targeting logic and what it implies
The compromised platform serves the Yanbian community, which includes many ethnic Koreans and is a known transit path for refugees and defectors. That audience concentrates people of interest for North Korea-aligned espionage, and it does so behind the cover of a benign pastime. The platform itself is not the prize; its users are. A game client offers persistent execution, file system reach, and microphone access without triggering the social defenses that a lure document or fake messenger app would.
Consider a small cross-border broker who uses the same Android phone for personal games and for coordinating travel arrangements. The trojanized game enumerates shared storage, finds a scanned passport image and an itinerary spreadsheet, then uploads both during off-peak evening hours. A content filter sees HTTPS to a well-known cloud domain and allows it, because that domain is also used for legitimate collaboration in the region.
A representative incident timeline across Windows and Android
Context: A midsize nonprofit supports diaspora clients. Staff laptops run Windows with an auto-updated game client used for cultural outreach. Personal Android phones are allowed for work messaging, with basic mobile device management, but sideloading is not blocked.
Trigger, T+0: An employee installs the official game from the regional platform and updates the Windows client. On Android, a volunteer downloads the same game APK from the website because there is no listing in the major app store.
Cascade, T+4h: The patched Windows library executes a downloader, which detects no sandbox artifacts, retrieves shellcode from a compromised website, and spawns RokRAT in memory. RokRAT then places BirdCall. EDR misses the sequence because the trojanized library is promptly replaced with a clean one and the network destination is a legitimate site. On Android, the game requests access to calls, SMS, and storage. The backdoor starts a foreground service by playing a silent audio loop, then periodically screenshots and scans shared storage for files with targeted extensions.
Cascade, T+48h: Both devices start posting basic host information and geolocation data via cloud APIs. The proxy team allows the connections because the domains are on a global allowlist for collaboration tools. The nonprofit notices unusual after-hours microphone access in mobile telemetry but dismisses it as a media app quirk.
Response, T+72h: Suspicious OAuth client activity against a cloud storage provider is finally triaged. Threat hunting correlates a short-lived process spike around the game client with DLL loads from its directory and memory-only shellcode execution.
Lesson: A popular SaaS domain is not a sufficient trust boundary. The failed control was the blanket allowlist for well-known clouds, which acted as a bypass for command and control. The other blind spot was mobile sideloading, where an official-looking regional site substituted for app store vetting.
Detecting BirdCall without hard indicators
Windows hunting cues
- Transient library tampering: look for signed or expected DLLs in an app folder that appear, load once, then revert. Correlate process termination and immediate library replacement.
- Memory-first backdoor: stack forensics that show shellcode with no backing file after an updater runs. This works when memory scanning is enabled and the EDR records module provenance. It fails if memory capture is disabled or policy excludes the client process.
- Legitimate domain staging: bursts of downloads from small business sites in regions aligned with the threat actor's history, shortly followed by connections to mainstream cloud storage APIs.
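The transient library tampering cue above, turned into correlation logic over EDR-style events. This is an added example, not code from the original article; the event schema, the sample telemetry and the 10 minute window are constructed assumptions, not any vendor's format.

```python
"""Hunt for the patch, load once, then replace pattern in EDR-style telemetry.
Added example. Event schema is a constructed simplification, not a vendor format:
(ts_seconds, kind, pid, path, sha256), kind in file_write/image_load/process_exit."""
from collections import defaultdict

WINDOW_SECONDS = 600  # constructed threshold: replacement within 10 min of the load


def find_transient_dlls(events, window=WINDOW_SECONDS):
    """One finding per library that appeared, loaded exactly once, then was overwritten
    with a different hash within `window` s; also notes if the loader exited first."""
    events = sorted(events, key=lambda e: e[0])
    exits = {e[2]: e[0] for e in events if e[1] == "process_exit"}
    by_path = defaultdict(list)
    for e in events:
        if e[1] in ("file_write", "image_load"):
            by_path[e[3]].append(e)
    findings = []
    for path, evs in by_path.items():
        loads = [e for e in evs if e[1] == "image_load"]
        if len(loads) != 1:
            continue  # a DLL in normal use loads many times; not this pattern
        ts_load, _, pid, _, loaded_hash = loads[0]
        if not any(e[1] == "file_write" and e[0] <= ts_load for e in evs):
            continue  # the library must have appeared before it was loaded
        later = [e for e in evs if e[1] == "file_write" and e[0] > ts_load]
        if not later:
            continue
        ts_repl, _, _, _, new_hash = later[0]
        if new_hash == loaded_hash or ts_repl - ts_load > window:
            continue
        findings.append({
            "path": path, "loaded_hash": loaded_hash, "replacement_hash": new_hash,
            "seconds_to_replace": ts_repl - ts_load,
            "loader_exited_first": pid in exits and ts_load < exits[pid] < ts_repl,
        })
    return findings


# Constructed telemetry: the client directory receives a patched library, the
# client loads it once and exits, and a clean copy lands 40 s after the load.
SAMPLE_EVENTS = [
    (100, "file_write", 3001, r"C:\Games\Client\net.dll", "aaaa1111"),
    (130, "image_load", 3002, r"C:\Games\Client\net.dll", "aaaa1111"),
    (131, "image_load", 3002, r"C:\Games\Client\engine.dll", "bbbb2222"),
    (160, "process_exit", 3002, "", ""),
    (170, "file_write", 3003, r"C:\Games\Client\net.dll", "cccc3333"),
    (400, "image_load", 3004, r"C:\Games\Client\engine.dll", "bbbb2222"),
]
```

Libraries that load repeatedly (engine.dll above) are skipped, so the rule stays quiet on normally used DLLs.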
Android hunting cues
- Manifest anomalies: game packages with entry activities named outside the developer namespace, plus newly added services and permissions for call logs, SMS, contacts, and external storage.
- Foreground keep alive: a game process that plays a silent audio file while the screen is off. Some mobile management platforms can flag continuous media sessions with zero volume.
- Cloud API rhythm: periodic HTTPS calls to cloud storage API endpoints from a game package, alongside uploads of small JSON blobs and medium-sized archives.
- On-disk config: JSON configuration files in the app data directory with keys like bd_version, scr, rec, and a misspelled extentions field. Search carefully; the exact file path is device-specific.
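A small checker for the manifest anomaly and on-disk config cues above, added here as an example and not code from the original article. The package name, manifest and config JSON are constructed samples, and the RISKY permission set and the 3-of-4 key threshold are my assumptions.

```python
"""Check a decoded AndroidManifest.xml and an app-data JSON file for the cues above.
Added example; package name, manifest and config are constructed, not real artifacts."""
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
RISKY = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
         "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
         "android.permission.READ_EXTERNAL_STORAGE"}
CONFIG_MARKERS = {"bd_version", "scr", "rec", "extentions"}  # incl. the misspelling

def manifest_findings(manifest_xml):
    """Flag launcher activities outside the package namespace and risky permissions."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    out = []
    for act in root.iter("activity"):
        cats = {c.get(NS + "name") for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" not in cats:
            continue
        name = act.get(NS + "name", "")
        full = pkg + name if name.startswith(".") else name  # leading "." is relative
        if not full.startswith(pkg + "."):
            out.append(f"launcher activity outside {pkg}: {full}")
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    out.extend(f"game requests {p}" for p in sorted(perms & RISKY))
    return out

def config_findings(text):
    """Flag JSON whose top-level keys overlap the BirdCall key set (3 of 4 or more)."""
    try:
        keys = set(json.loads(text))
    except (ValueError, TypeError):
        return []
    hit = sorted(keys & CONFIG_MARKERS)
    return [f"config keys match pattern: {hit}"] if len(hit) >= 3 else []

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cardgame">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name="net.unrelated.svc.EntryActivity">
      <intent-filter>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
SAMPLE_CONFIG = '{"bd_version": "1", "scr": 1, "rec": 1, "extentions": [".docx"]}'
```

Run it against a manifest pulled from the APK with a decoder of your choice; the binary manifest inside the APK must be decoded to XML first.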
Actionable tip: deploy egress rules that allow known SaaS domains only for sanctioned tenant IDs and OAuth clients. This reduces the gray cloud C2 channel. This works when your organization has a clear inventory of approved tenants. It fails if partners require ad hoc access to many external tenants without brokering.
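The tenant-scoped egress rule in the tip above, and the gray cloud C2 caveat earlier about unknown client IDs and file API call frequency, rendered as a policy evaluator over constructed proxy records. This is an added example, not part of the original article; the host, tenant and client identifiers, the record schema and the rate threshold are placeholder assumptions.

```python
"""Compare domain-only SaaS allowlisting with tenant-scoped egress brokering.
Added example, not from the original article; host, tenant and client
identifiers and the record schema are constructed placeholders."""
from collections import defaultdict

HOST = "drive.example-saas.invalid"
SAAS_DOMAINS = {HOST}                               # the blanket domain allowlist
SANCTIONED = {(HOST, "tenant-org-001")}            # approved (domain, tenant) pairs
APPROVED_CLIENTS = {"client-desktop-official"}     # known OAuth client IDs
RATE_LIMIT, WINDOW = 5, 300   # constructed: >5 file API calls per app in 300 s

def domain_only(req):
    """The failing control: the DNS name is the whole decision."""
    return req["host"] in SAAS_DOMAINS

def tenant_scoped(reqs):
    """Return {request id: (allowed, reason)} using tenant, OAuth client and
    per-app file API call rate, the three checks the tip above calls for."""
    calls, decisions = defaultdict(list), {}
    for r in sorted(reqs, key=lambda r: r["ts"]):
        if (r["host"], r.get("tenant")) not in SANCTIONED:
            decisions[r["id"]] = (False, "unsanctioned tenant")
        elif r.get("client_id") not in APPROVED_CLIENTS:
            decisions[r["id"]] = (False, "unknown OAuth client")
        else:
            decisions[r["id"]] = (True, "ok")
        if "/files" in r["path"]:  # file API semantics, not just the domain
            calls[r["app"]].append(r["ts"])
            recent = [t for t in calls[r["app"]] if r["ts"] - t <= WINDOW]
            if len(recent) > RATE_LIMIT:
                decisions[r["id"]] = (False, "file API rate anomaly")
    return decisions

def _req(i, ts, app, tenant, client, path):
    return {"id": i, "ts": ts, "app": app, "tenant": tenant,
            "client_id": client, "path": path, "host": HOST}

# Constructed traffic: sanctioned collaboration, a game package on a foreign
# tenant, the same package on the right tenant with an unknown client ID, and
# a service polling the file API every 30 s.
SAMPLE = [
    _req(1, 0, "collab-suite", "tenant-org-001", "client-desktop-official", "/api/v1/files/upload"),
    _req(2, 10, "com.example.cardgame", "tenant-unknown-777", "client-unknown-x", "/api/v1/files/upload"),
    _req(3, 15, "com.example.cardgame", "tenant-org-001", "client-unknown-x", "/api/v1/files/list"),
] + [_req(10 + k, 20 + 30 * k, "helper-svc", "tenant-org-001", "client-desktop-official", "/api/v1/files")
     for k in range(7)]
```

Every record in SAMPLE passes domain_only, which is exactly the collapse to DNS-only decisions that the article warns about.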
What to change in environments that serve diaspora users
- Constrain SaaS by tenant, not just by domain. Enforce allowlists for cloud storage tenant IDs and OAuth client IDs, and flag unknown clients. Monitor for short-lived drives and repeated API calls from non-productivity apps.
- Strengthen updater trust: require update packages to be signed by a pinned certificate and verify library integrity at load time. A measured boot or application control policy that validates DLL hashes at runtime can expose the patch-then-replace trick.
- Mobile guardrails: block installation from unknown sources on managed Android, or, if that is impractical for community apps, require a local approval flow and run reputation checks on manifests and permissions.
- Network heuristics: alert on periodic screenshot artifacts or microphone access in non-media apps after hours. Validate that a foreground service has a user-visible reason to exist.
- Backdoor neutralization: if BirdCall is suspected, use mobile tooling to enumerate app private storage and remove the game entirely. On Windows, quarantine the client directory, then perform a memory sweep for injected modules.
What not to do
Avoid broad allowlisting of popular cloud domains as a permanent egress exception, because operators treat those domains as covert channels. The mechanism of failure is simple: the control collapses the decision from tenant and API semantics to DNS only, so any attacker with valid cloud credentials looks like a sanctioned user. If outbound collaboration must remain open, pair domain allowlisting with API-level inspection and tenant scoping.
A lens for future cases, communityware as a supply chain
Non-obvious contribution: label this class of operations as communityware compromise. The pattern is a tightly knit user base, strong social trust in a regional platform, clients distributed outside high-friction marketplaces, and a ready-made set of permissions that look normal for entertainment apps. Gray cloud C2 completes the camouflage.
- Falsifiable claim: similar operations will continue to prefer off-store Android distribution plus in-app updaters on Windows, because that bypasses marketplace review and patch cadence. We would revise this if we see a pivot to primary app stores as the initial vector.
- Operational prediction: the scheduled evening recording window and silent audio keep-alive will recur, since they align with typical user behavior and power saving rules. This expectation fails if mobile operating systems tighten background execution heuristics for media sessions in non-media apps.
- Defensive bet: tenant-scoped SaaS egress and manifest reputation scoring for regional apps should materially reduce exposure. This works when defenders control both endpoints and gateways. It underperforms in fully bring-your-own-device settings without brokered network paths.
Practical example: before adopting a regional game for community outreach, route its Windows updater through a sandbox that enforces certificate pinning and hashes every loaded DLL. On Android, require installation through a managed private store mirror that verifies manifests, permissions, and update URLs before approval.