“delivered the RokRAT backdoor, which then installed BirdCall, a more capable C++ implant ESET first attributed to ScarCruft in 2021. After execution, the trojanized mono.dll is swapped back to a clean copy fetched from another compromised Korean site, erasing the visible artif…”
T1071.001 Web Protocols (78%)
“.m. local time. Command-and-control traffic runs over HTTPS to Zoho WorkDrive accounts; ESET observed twelve such accounts, all registered with zohomail addresses. The implant also supports pCloud and Yandex Disk in code, neither of which was active during the investigation…”
T1204.002 Malicious File (52%)
“North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China. A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its us…”
T1219 Remote Access Tools (35%)
“is a port of the Windows BirdCall backdoor and implements a subset of its commands. ESET identified seven builds, ranging from version 1.0 in October 2024 to version 2.0 in June 2025. Version 2.0 adds code obfuscation. The backdoor collects contacts, call logs, SMS messages, a…”
T1588.001 Malware (31%)
“North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China. A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its us…”
Summary
A gaming platform built for ethnic Koreans in China has been serving backdoored Windows and Android software to its users since late 2024. The platform, sqgame[.]net, hosts traditional card and board games for a community that sits along the North Korean border and includes many refugees and defectors. ESET researchers tied the operation to ScarCruft, a North Korea-aligned espionage group also tracked as APT37 and Reaper, which has been active since at least 2012. How …