ScarCruft Hacks Gaming Platform, Deploys BirdCall Malware on Android & Windows
The North Korea-aligned state-sponsored hacking group ScarCruft has executed a supply chain espionage attack, compromising a video game platform. According to The Hacker News, the group trojanized platform components with a backdoor dubbed BirdCall, likely targeting ethnic Koreans residing in China.
This incident marks a significant expansion of ScarCruft’s operational scope. While previous iterations of BirdCall primarily focused on Windows users, The Hacker News reports that this supply chain compromise has enabled the deployment of the malware across both Android and Windows environments. This multi-platform capability allows for broader surveillance and data exfiltration.
This attack underscores the persistent threat of supply chain compromises, particularly when state-sponsored actors like ScarCruft are involved. By leveraging a trusted gaming platform, they bypass initial perimeter defenses, delivering sophisticated malware directly to user devices. Defenders must recognize that user trust in third-party software is a major vulnerability.
What This Means For You
- If your organization's users engage with gaming platforms, especially ones popular in China, treat those platforms and their update channels as potential delivery vectors. Enforce application allowlisting on Windows endpoints and mobile device management (MDM) policies on Android devices, and audit third-party software for unexpected outbound connections, particularly the periodic beaconing that characterizes C2 traffic. This is not just an endpoint security problem; it is a supply chain integrity problem.
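The audit step above can be made concrete. The script below is an added illustration, not code from the original article, from ScarCruft, or from any vendor: it reads endpoint network-connection events (Sysmon Event ID 3 fields reduced to JSON lines, constructed here), flags any process that talks to a destination outside its declared allowlist, and flags flows whose connection intervals are regular enough to look like beaconing. The process names, destinations, thresholds and allowlist are hypothetical and should be replaced with your own inventory and tuned per environment.

```python
"""
Unexpected-egress and beaconing check over endpoint network-connection logs.
Added example; the log lines, process names and destinations are constructed.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: a launcher talking to its CDN at irregular times plus one
# unlisted contact, and a bundled helper beaconing to an unlisted host ~every 60 s.
SAMPLE_LOG = r"""
{"ts":"2026-05-04T09:00:00","image":"C:\\Games\\Launcher\\launcher.exe","dst":"cdn.example-games.test","port":443}
{"ts":"2026-05-04T09:00:05","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:00:07","image":"C:\\Games\\Launcher\\launcher.exe","dst":"cdn.example-games.test","port":443}
{"ts":"2026-05-04T09:01:05","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:02:06","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:03:05","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:03:41","image":"C:\\Games\\Launcher\\launcher.exe","dst":"cdn.example-games.test","port":443}
{"ts":"2026-05-04T09:04:05","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:05:06","image":"C:\\Games\\Launcher\\plugins\\chat_helper.exe","dst":"203.0.113.7","port":8443}
{"ts":"2026-05-04T09:10:02","image":"C:\\Games\\Launcher\\launcher.exe","dst":"cdn.example-games.test","port":443}
{"ts":"2026-05-04T09:10:03","image":"C:\\Games\\Launcher\\launcher.exe","dst":"cdn.example-games.test","port":443}
{"ts":"2026-05-04T09:12:00","image":"C:\\Games\\Launcher\\launcher.exe","dst":"198.51.100.20","port":80}
"""

# Hypothetical allowlist: image basename -> set of (destination, port) it may contact.
# Images absent from this map are third-party components with no approved egress.
ALLOWLIST = {
    "launcher.exe": {("cdn.example-games.test", 443), ("api.example-games.test", 443)},
}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime and a lowercased image basename."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"]),
            "image": PureWindowsPath(rec["image"]).name.lower(),
            "dst": rec["dst"],
            "port": int(rec["port"]),
        })
    return events


def find_unexpected_egress(events, allowlist):
    """Return sorted (image, dst, port) triples not covered by the allowlist."""
    flagged = set()
    for e in events:
        allowed = allowlist.get(e["image"])
        if allowed is None or (e["dst"], e["port"]) not in allowed:
            flagged.add((e["image"], e["dst"], e["port"]))
    return sorted(flagged)


def find_beacons(events, min_connections=5, max_jitter=0.15):
    """Flag flows with enough connections whose inter-arrival jitter (stdev/mean) is low."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["image"], e["dst"], e["port"])].append(e["ts"])
    beacons = []
    for (image, dst, port), stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.stdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"image": image, "dst": dst, "port": port,
                            "mean_interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


def audit(log_text, allowlist):
    """Run both checks and return the findings as one dict."""
    events = parse_events(log_text)
    return {"unexpected_egress": find_unexpected_egress(events, allowlist),
            "beacons": find_beacons(events)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOG, ALLOWLIST).items():
        print(name)
        for f in findings:
            print("  ", f)
```

The two checks are deliberately independent: the allowlist check catches a trojanized component on its first connection, while the beaconing check needs several connections but also catches an implant that hides behind an otherwise approved process. In production, feed it Sysmon or EDR network events rather than the constructed sample, and expect to raise `max_jitter` for implants that randomize their sleep.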
Indicators of Compromise
The source report provides no atomic indicators (file hashes, C2 domains or IPs, package names); the entries below describe the campaign only at the level the reporting supports.
| Campaign | Category | Detail |
|---|---|---|
| ScarCruft-BirdCall-May2026 | Delivery | Supply chain compromise of a video game platform's components |
| ScarCruft-BirdCall-May2026 | Malware | BirdCall backdoor |
| ScarCruft-BirdCall-May2026 | Affected platform | Android |
| ScarCruft-BirdCall-May2026 | Affected platform | Windows |