Supply Chain Alert: ScarCruft Uses Gaming Platform for BirdCall Deployment
Has anyone else parsed the latest report on ScarCruft (APT37)? They've reportedly compromised a video game platform in a supply chain espionage attack to push the BirdCall backdoor. What stands out to me is the expansion from purely Windows operations to a cross-platform approach, now hitting both Windows and Android users—specifically targeting ethnic Koreans in China.
Since this is a supply chain attack involving trojanized components, traditional allow-listing might fail if the parent process is a trusted game executable. The group likely leverages DLL side-loading or masquerades updates to deliver the payload.
For immediate triage in a Windows environment, I recommend auditing the game installation directories for unsigned binaries or unexpected child processes. Here’s a quick PowerShell snippet to flag suspicious files in a hypothetical game folder:
    # Hypothetical game install folder; adjust to the real client path
    $targetPath = "C:\Program Files\GamingClient"
    Get-ChildItem -Path $targetPath -Recurse -File -Include *.dll,*.exe | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...) deserves a look
        if ($sig.Status -ne 'Valid') {
            Write-Host "Unsigned/Invalid Signature ($($sig.Status)): $($_.FullName)" -ForegroundColor Red
        }
    }
Given the Android vector, mobile EDR telemetry is going to be crucial here. Are you all seeing an increase in mobile devices being targeted as initial access vectors in your sectors?
Supply chain attacks are becoming the norm for APTs. In our SOC, we've implemented a Sigma rule to monitor for specific unsigned binaries loading from known game directories, but the challenge is the noise from legitimate game updates. The move to target Android is a smart pivot by ScarCruft—MTPs usually have less visibility into mobile traffic than desktop endpoints. I'd suggest checking DNS logs for anomalies tied to the mobile devices running this specific platform.
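Added example (not from the ScarCruft report and not either poster's code): a Python detector over constructed Sysmon Event ID 7 (ImageLoad) records in JSON-lines form. It implements the two checks discussed above, the SOC post's "unsigned binary loaded from a known game directory" rule with a SHA256 baseline to suppress repeat alerts from legitimate updates, and the first post's DLL side-loading concern as a check for side-load-prone DLL names resolved outside the Windows library directories. The game path, DLL name list, hashes, signer strings and sample events are all assumptions made for illustration.

```python
"""Added example: detect suspicious DLL loads around a game client using
Sysmon Event ID 7 (ImageLoad) records in JSON-lines form.  The events,
paths, hashes and signer names below are constructed for illustration."""
import json
import ntpath

# Assumed install root of the game client (adjust to the real path)
GAME_DIRS = ["c:\\program files\\gamingclient"]

# DLL names commonly abused for side-loading next to a signed executable
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
                  "dwmapi.dll", "uxtheme.dll", "msimg32.dll", "userenv.dll"}

# Windows library directories where those names legitimately live
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# SHA256 baseline captured from a known-good install; constructed value.
# Re-baselining after a verified update keeps update noise out of alerts.
KNOWN_GOOD_SHA256 = {"11" * 32}


def _norm(path):
    """Lower-case, backslash-only path for prefix comparisons."""
    return path.replace("/", "\\").lower()


def _under(path, roots):
    return any(path.startswith(root.rstrip("\\") + "\\") for root in roots)


def _sha256(hashes):
    """Pull SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify(event):
    """Return the reasons an ImageLoad record is suspicious (empty = benign)."""
    loaded = _norm(event.get("ImageLoaded", ""))
    reasons = []
    valid = (str(event.get("Signed", "false")).lower() == "true"
             and str(event.get("SignatureStatus", "")).lower() == "valid")
    # Rule 1: any image loaded from the game directory must carry a valid
    # signature, unless its hash is already in the known-good baseline.
    if _under(loaded, GAME_DIRS) and not valid:
        if _sha256(event.get("Hashes", "")) not in KNOWN_GOOD_SHA256:
            reasons.append("unsigned-or-invalid-in-game-dir")
    # Rule 2: a side-load-prone DLL name resolved outside the Windows
    # library directories is a candidate regardless of which process loaded it.
    name = ntpath.basename(loaded)
    if name in SIDELOAD_NAMES and not loaded.startswith(SYSTEM_DIRS):
        reasons.append("sideload-candidate:" + name)
    return reasons


def scan(jsonl):
    """Classify each JSON-lines event; return [(ImageLoaded, reasons)] for hits."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = classify(event)
            if reasons:
                hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon ImageLoad records (not real telemetry).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\GamingClient\\GameLauncher.exe", "ImageLoaded": "C:\\Program Files\\GamingClient\\engine.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Game Vendor", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"Image": "C:\\Program Files\\GamingClient\\GameLauncher.exe", "ImageLoaded": "C:\\Program Files\\GamingClient\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-", "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
{"Image": "C:\\Program Files\\GamingClient\\GameLauncher.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows", "Hashes": "SHA256=4444444444444444444444444444444444444444444444444444444444444444"}
{"Image": "C:\\Program Files\\GamingClient\\GameLauncher.exe", "ImageLoaded": "C:\\Program Files\\GamingClient\\plugins\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"Image": "C:\\Windows\\notepad.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\dbghelp.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-", "Hashes": "SHA256=5555555555555555555555555555555555555555555555555555555555555555"}
"""

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

On the sample, the unsigned version.dll in the game folder fires both rules, the unsigned plugin.dll is suppressed because its hash is in the baseline, the real System32 version.dll is clean, and the Temp dbghelp.dll fires only the side-load rule. The baseline is what keeps the rule quiet across legitimate updates: hash the new files after a verified update and add them, rather than widening the path exclusions.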
From a pentester's perspective, gaming platforms are notoriously soft targets because they demand high privileges and frequent updates, often without strict code signing checks. The use of BirdCall suggests they are prioritizing persistence over stealthy C2 initially. If you can't block the software entirely, network segmentation is key. Force the gaming traffic through a dedicated proxy and inspect the SSL traffic for the payload droppers.
We just blocked this specific platform on our corporate network after reading the initial IOCs. It's tough because we have some devs who use it for testing, but the risk of cross-platform infection via a trusted installer is too high. Has anyone managed to extract the specific hash values for the trojanized Android APK yet? Our MDM vendor is asking for specific indicators to push a block policy.