sqgame
ScarCruft compromised sqgame distributing BirdCall.
ScarCruft (APT37) compromised the sqgame gaming platform's website to distribute trojanized Android APKs and a malicious Windows update package. The campaign, active since late 2024, utilized the BirdCall backdoor and RokRAT downloader to steal personal data and perform surveillance on ethnic Koreans in China.
- Date
- 2024-10-01
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- Distribution
- Impact
- Backdoor
- Cause
- Website compromise
What Was Affected
Package
sqgame
Language
C++
Component
Game
Artifact type
binary archive
Domain type
project download host
Domain
sqgame.com
Compromised Versions
- BirdCall 1.0
- BirdCall 1.3
- BirdCall 1.5
- BirdCall 2.0
Incident Context
- Motive
- Espionage
- Attribution
- Nation-state
- Transitive
- No
- User Impact
- 1000
Evidence
Compromised Artifacts
Current Artifacts and Analysis
Indicators and Changes
Hashes
External References
Source Data
Source record: proprietary/sqgame/meta.yaml