North Korean APT37 Targets Ethnic Koreans in China with BirdCall Malware

North Korean state-sponsored threat group APT37 (aka ScarCruft or Reaper) is actively targeting ethnic Koreans residing in China. The campaign leverages Android malware dubbed ‘BirdCall’, according to The Record by Recorded Future. This isn’t just about data exfiltration; it’s about specific intelligence collection on a diaspora group, indicating a clear, focused objective.

The attack vector involves a backdoor embedded within a suite of card games developed by a company named Sqgame. This is a classic supply chain compromise, even if it’s via a seemingly innocuous app. Attackers understand that people drop their guard with entertainment software, making it an effective vector for initial access and persistent surveillance.

For defenders, this underscores the need for stringent mobile device security, especially for high-risk individuals or those operating in sensitive regions. The attacker’s calculus here is low-and-slow, relying on social engineering and trust in legitimate-looking applications. Don’t just scan; validate the integrity of all installed applications, even those for leisure.

What This Means For You

  • If your organization has personnel, especially those of Korean descent, operating or residing in China, scrutinize their mobile device activity. Specifically, audit installed Android applications, particularly any card games or entertainment apps from lesser-known developers like Sqgame. This is a targeted espionage campaign; assume compromise if you find suspicious activity related to these apps.

Source: Shimi's Cyber World
