TTPwire Vol. 1 · MITRE ATT&CK·Tagged


ESET WeLiveSecurity

A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

1 day ago

ATT&CK techniques detected

11 predictions
T1113 Screen Capture
98%
“the device’s primary shared external storage, and user data consisting of contact list, call log, and SMS messages. The backdoor periodically checks in with the C&C and uploads basic information, which consists of: - identifier values from configuration and current time, - b…”
T1195.002 Compromise Software Supply Chain
92%
“malicious APKs on the official Google Play store. We were unable to determine when the website was first compromised and the supply-chain attack started. However, based on our analysis of the deployed malware, we estimate that it happened in late 2024. Table 1 shows the hosting…”
T1195.002 Compromise Software Supply Chain
88%
“backdoor. Further analysis revealed that the backdoor is an Android port of the ScarCruft group’s BirdCall backdoor. The Windows desktop client link on the sqgame website leads to a few-years-old installer that appears to be clean. It does download updates once installed, b…”
T1204.002 Malicious File
69%
“a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++. Internally, the backdoor is named Zhuagou, which can be translated (from Chinese) as “catching dogs”. Trojanized Android games Android BirdCall is distr…”
T1056.001 Keylogging
61%
“backdoor can record audio via the microphone and eavesdrop on the surroundings of the compromised device. Strangely, even if the recording is enabled (rec flag), it is limited to a three-hour time period in the evening, from 7 PM to 10 PM local time. The backdoor periodically s…”
T1204.002 Malicious File
60%
“activity and service definitions for the backdoor, as well as additional permissions required for its operation. A comparison of packages in the original game and its trojanized version is shown in Figure 3. Since the Android BirdCall backdoor is a part of a trojanized Android ap…”
T1195.002 Compromise Software Supply Chain
60%
“for an unknown period – but at the time of writing, this update package was no longer malicious. ScarCruft took a clean Mono library and patched it with extra code and data, containing a downloader. The downloader first checks running processes for analysis tools and virtual mach…”
T1056.001 Keylogging
57%
“. The backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropb…”
T1056.001 Keylogging
32%
“the device’s primary shared external storage, and user data consisting of contact list, call log, and SMS messages. The backdoor periodically checks in with the C&C and uploads basic information, which consists of: - identifier values from configuration and current time, - b…”
T1020 Automated Exfiltration
30%
“backdoor can record audio via the microphone and eavesdrop on the surroundings of the compromised device. Strangely, even if the recording is enabled (rec flag), it is limited to a three-hour time period in the evening, from 7 PM to 10 PM local time. The backdoor periodically s…”
T1204.002 Malicious File
30%
“identified seven versions, ranging from version 1.0 (created approximately in October 2024) to version 2.0 (created approximately in June 2025). Discovery Our investigation started with a suspicious APK file found on VirusTotal. Upon initial analysis, we determined that the…”

Summary

ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games