By Lyrie Threat Intelligence·5/10/2026

The Game of Thrones: ScarCruft's BirdCall Espionage Campaign Targets Ethnic Korean Communities

TL;DR

North Korean state-sponsored APT group ScarCruft (APT37) compromised a legitimate gaming platform called Yanbian Red Ten to distribute the BirdCall backdoor across Windows and Android devices, targeting the Yanbian region's ethnic Korean community. The malware offers full surveillance capabilities including audio recording, keylogging, credential theft, and remote command execution.

What Happened

ESET researchers discovered that the Yanbian Red Ten gaming platform—a legitimate service offering traditional card and table games for the Yanbian region in northeastern China—was compromised to distribute trojanized versions of its Windows and Android clients. The attack was attributed to ScarCruft (also known as APT37 or Reaper), a North Korean-aligned cyber espionage group active since at least 2012.

The compromise occurred as early as late 2024, according to ESET's analysis. The Windows version of the gaming client was infected with two backdoors distributed via malicious update packages. Two Android versions of the games available on the platform's official website were trojanized to include the BirdCall backdoor.

The trojanized applications were distributed directly from the compromised website—no malicious APKs appeared in Google Play—indicating victims likely downloaded and installed them intentionally, unaware of the backdoor payload.

Technical Details

Attack Vector

The attack leveraged supply-chain trust: victims downloaded what appeared to be legitimate gaming software from official channels, trusting the platform's reputation. The Windows compromise was delivered through a malicious software update, a technique that reaches the platform's entire installed base rather than only new downloads.

BirdCall Capabilities (Android)

ESET identified seven active versions of BirdCall for Android (v1.0 in October 2024 through v2.0 in June 2025), indicating sustained development and refinement:

  • Data Exfiltration: Contacts, SMS messages, call logs, documents, multimedia files, SSH/GPG private keys
  • Surveillance: Screenshot capture, ambient audio recording, keystroke logging, clipboard monitoring
  • Credential Theft: Harvesting authentication credentials and sensitive files
  • Remote Execution: Command-line execution on compromised devices
  • C&C Communications: Uses legitimate cloud storage services (Dropbox, pCloud) and compromised websites to evade detection

Geographic Targeting

The malware's focus on the Yanbian region is strategically significant. Yanbian is home to a substantial ethnic Korean population and serves as a known transit point for North Korean refugees and defectors. This targeting aligns with ScarCruft's historical operational focus on intelligence gathering against South Korea and diaspora communities.

Lyrie Assessment

This campaign exemplifies the convergence of three critical threat vectors Lyrie.ai defenders must monitor:

1. Nation-state infrastructure persistence: ScarCruft's multi-platform trojanized distribution demonstrates how state actors are diversifying beyond traditional phishing campaigns. The 6+ month development cycle (Oct 2024–Jun 2025) suggests patient, well-resourced operators building a sustainable intelligence infrastructure.

2. Supply-chain trust exploitation at the endpoint: The gaming platform vector demonstrates a low-friction attack surface. Rather than compromising popular global apps, adversaries are targeting regional trust anchors—local applications with deep cultural relevance. Security teams focused only on Fortune 500 software vendors will miss these campaigns entirely.

3. Multi-OS unified backdoor development: BirdCall's parallel Windows and Android development signals a shift in APT tradecraft. CISOs should expect similar cross-platform malware families from peer-level adversaries. Single-OS defenses are insufficient; behavioral baselines must span device types.

For Lyrie's audience: This campaign reinforces that autonomous defenders must understand cultural and linguistic attack surfaces. BirdCall wouldn't trigger alerts based on C&C domain reputation (it uses cloud services) or file hash signatures (seven versions, likely fingerprint-evading). Detection requires behavioral anomaly detection: unusual outbound cloud API access, unexpected audio recording permissions, or clipboard theft patterns on devices with minimal previous credential access.

Recommended Actions

  • Endpoint teams: Deploy behavioral detection rules flagging simultaneous screenshot capture + audio recording + keystroke logging on Windows/Android endpoints. This triplet is rare in legitimate software.
  • Threat hunting: Audit corporate device usage in high-risk regions. Check for gaming applications on corporate-managed devices, particularly region-specific gaming apps without mainstream distribution.
  • Supply-chain validation: Implement checksums and code-signing verification for software updates from regional/niche vendors. The gaming platform vector succeeds precisely because vendors outside the enterprise sphere often lack security infrastructure.
  • Identity teams: Monitor for simultaneous private key access + credential exfiltration in forensics; BirdCall explicitly targets SSH/GPG keys, signaling interest in lateral movement or persistence across trust boundaries.
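As an added example of the behavioral correlation the assessment calls for and that the endpoint and identity recommendations above describe (this is not ESET's analysis code and not Lyrie's product), the following Python script correlates constructed endpoint telemetry per device and process inside a time window. It raises one alert when screenshot, audio recording and keystroke logging all appear from the same process, and another when a read of a file that looks like an SSH/GPG private key is followed by an upload to a cloud service. The event schema, device and process names, path markers and the five-minute window are all assumptions made for the example.

```python
"""Behavioral correlation over endpoint telemetry.

Added example; not ESET's analysis code and not Lyrie's product. The event
schema, device/process names, key-path markers and rule thresholds are all
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (ISO timestamp, device_id, process, event).
# A file_read event carries the path it touched after the colon.
SAMPLE_EVENTS = [
    ("2025-06-01T10:00:00", "android-17", "app.example.game", "screenshot"),
    ("2025-06-01T10:00:07", "android-17", "app.example.game", "audio_record"),
    ("2025-06-01T10:00:41", "android-17", "app.example.game", "keylog"),
    ("2025-06-01T10:01:05", "android-17", "app.example.game", "cloud_upload"),
    ("2025-06-01T11:30:00", "win-04", "updater.exe", "file_read:C:/Users/u/.ssh/id_rsa"),
    ("2025-06-01T11:30:30", "win-04", "updater.exe", "cloud_upload"),
    # Benign-looking meeting client: screenshot + audio only, and a keylog
    # event an hour later that falls outside the correlation window.
    ("2025-06-01T12:00:00", "win-09", "meeting.exe", "screenshot"),
    ("2025-06-01T12:00:05", "win-09", "meeting.exe", "audio_record"),
    ("2025-06-01T13:00:05", "win-09", "meeting.exe", "keylog"),
]

# The three behaviours the endpoint recommendation says rarely co-occur legitimately.
SURVEILLANCE_TRIPLET = {"screenshot", "audio_record", "keylog"}
# Hypothetical path fragments that mark SSH/GPG private-key material.
PRIVATE_KEY_MARKERS = ("id_rsa", "id_ed25519", "id_ecdsa", ".gnupg", "secring")


def is_private_key_read(event):
    """True for a file_read event whose path looks like private-key material."""
    if not event.startswith("file_read:"):
        return False
    path = event.split(":", 1)[1]
    return any(marker in path for marker in PRIVATE_KEY_MARKERS)


def parse(raw_events):
    """Convert timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), dev, proc, ev)
                  for ts, dev, proc, ev in raw_events)


def correlate(raw_events, window_seconds=300):
    """Return a sorted list of (device, process, rule) alerts.

    Rule 1: all three surveillance behaviours from one process within the window.
    Rule 2: a private-key file read followed by a cloud upload within the window.
    """
    by_key = defaultdict(list)
    for ts, dev, proc, ev in parse(raw_events):
        by_key[(dev, proc)].append((ts, ev))

    alerts = set()
    for (dev, proc), evs in by_key.items():
        for i, (t0, ev0) in enumerate(evs):
            # Events from this one forward that fall inside the window.
            later = [e for t, e in evs[i:] if (t - t0).total_seconds() <= window_seconds]
            if SURVEILLANCE_TRIPLET <= set(later):
                alerts.add((dev, proc, "surveillance_triplet"))
            # later[1:] excludes the key read itself, so the upload must follow it.
            if is_private_key_read(ev0) and "cloud_upload" in later[1:]:
                alerts.add((dev, proc, "key_read_then_cloud_upload"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script alerts on the Android game process (the full triplet within 41 seconds) and on `updater.exe` (key read, then cloud upload 30 seconds later), but not on the meeting client, whose keylog event lies an hour outside the window. Keying the window on device and process rather than device alone keeps two unrelated legitimate apps from combining into a false triplet.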
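As an added example of the supply-chain validation recommended above (this is not the Yanbian Red Ten client's updater and not code from ESET or Lyrie), the following Python script checks an update package against a manifest of pinned SHA-256 hashes before anything is installed. It rejects three things a malicious update package can carry: a pinned file whose hash changed, a pinned file that went missing, and a file the manifest never pinned. The package contents and the manifest are constructed in-line; in practice the manifest comes from a channel the download server cannot rewrite (vendor-signed, or pinned by the enterprise).

```python
"""Pinned-manifest verification of an update package.

Added example; not the gaming client's own updater and not code from ESET
or Lyrie. Package contents and the manifest are constructed here.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Pin every file of a known-good package: {name: sha256 hex}."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_update(package, manifest):
    """Check a package (name -> bytes) against a pinned manifest.

    Returns (ok, problems). Reported failure classes: a pinned file whose
    hash differs, a pinned file that is absent, and a file the manifest never
    pinned (the way a trojanized update smuggles in an extra component).
    """
    problems = []
    for name, expected in manifest.items():
        if name not in package:
            problems.append(f"missing: {name}")
            continue
        # Constant-time comparison of hex digests.
        if not hmac.compare_digest(sha256_hex(package[name]), expected):
            problems.append(f"hash mismatch: {name}")
    for name in package:
        if name not in manifest:
            problems.append(f"unpinned file: {name}")
    return (not problems, sorted(problems))


# Constructed known-good package and the manifest pinned from it
# (in reality the manifest is obtained out-of-band, not from the update server).
GOOD_UPDATE = {
    "game.exe": b"MZ...constructed legitimate client bytes...",
    "rules.dat": b"constructed game rules data",
}
PINNED_MANIFEST = build_manifest(GOOD_UPDATE)

# Constructed trojanized package: the client binary was altered and an
# extra component was added.
TROJANIZED_UPDATE = {
    "game.exe": b"MZ...constructed altered client bytes...",
    "rules.dat": GOOD_UPDATE["rules.dat"],
    "helper.dll": b"constructed extra component",
}

if __name__ == "__main__":
    print(verify_update(GOOD_UPDATE, PINNED_MANIFEST))
    # (True, [])
    print(verify_update(TROJANIZED_UPDATE, PINNED_MANIFEST))
    # (False, ['hash mismatch: game.exe', 'unpinned file: helper.dll'])
```

The unpinned-file check matters as much as the hash comparison: an updater that only verifies the files it expects will happily install an additional component it was never told about. Pinning the manifest is what turns a download from a compromised vendor site into a detectable failure instead of a silent install.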

Sources

1. ESET Research, "El hallazgo de ESET que revela espionaje avanzado en Windows y Android" (ESET's finding that reveals advanced espionage on Windows and Android), Infosertecla, May 9, 2026
2. ESET Threat Report: ScarCruft trojanized gaming platform research
3. MITRE ATT&CK: ScarCruft (APT37) group profile


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.