May 06, 2026 · 11 min read
North Korean Hackers Trojanized a Korean Card Game in China to Spy on Defectors—the Backdoor Only Records the Microphone Between 7 and 10 P.M.
ESET researchers say ScarCruft compromised the update channel of a small gaming platform built for ethnic Koreans living near the North Korean border. The malware they planted has been running quietly on Android devices for almost 18 months.
On May 5, 2026, ESET researchers disclosed a multi platform supply chain attack attributed to ScarCruft, the North Korea aligned threat group also tracked as APT37 and Reaper. The target was not a defense contractor or a government ministry. It was a small Korean language gaming platform called sqgame, built specifically for the ethnic Korean population in northeast China and most heavily used in the Yanbian Korean Autonomous Prefecture along the North Korean border. The platform's update channel was quietly hijacked. For roughly 18 months it has been pushing trojanized versions of its card and board games out to anyone who installed an update.
ESET first observed the operation in October 2024 and traced seven malware builds across Windows and Android through June 2025. The company contacted sqgame in December 2025 and received no response. Public disclosure waited until the May 5, 2026 report. By that point the Windows update package had stopped serving the malicious payload, but the trojanized Android APKs were still live in the platform's app store.
The targets are not theoretical. Yanbian is the closest thing the world has to a Korean diaspora hub on Chinese soil, and it is the first stop for many North Koreans who escape across the river. Spying on the Yanbian gaming community means spying on a population that includes defectors, the families that helped them, and the underground networks that move sensitive information back into North Korea. ScarCruft's choice of platform is not coincidental.
Who Lives in Yanbian and Why It Matters
The Yanbian Korean Autonomous Prefecture is in Jilin province, in the northeast corner of China, directly across the Tumen and Yalu rivers from North Korea. The population is about 40 percent ethnic Korean, with the highest concentration of Korean language schools, churches, and businesses outside the Korean peninsula. For the past three decades it has also been the primary land route for North Koreans who escape the regime. North Korean refugees who reach Yanbian rely on Korean speaking residents and underground networks to obtain shelter, false documents, and onward travel routes through China to Southeast Asia and eventually South Korea.
The region is therefore strategically valuable to North Korean intelligence. Phones and laptops in Yanbian regularly sit in the hands of people the Pyongyang regime would very much like to identify. They include defectors who left family behind, journalists and activists who interview them, religious workers who shelter them, and the occasional Chinese citizen who has been talking to South Korean intelligence services. A surveillance program run on commodity Yanbian devices is, in effect, a tap on one of the most tightly held communities in modern East Asian politics.
Compromising a popular Korean language gaming platform is the cleanest way to land malware on those devices. People who would never install a piece of unknown software will install a card game everybody else in their building plays. The supply chain compromise turns the gaming platform into a delivery tool that does not need to convince any individual user to do anything wrong.
What the Malware Does
ESET's analysis identifies two parallel malware families running through the same supply chain. On Windows, the trojanized installer drops a RokRAT downloader that pulls in BirdCall, a C++ implant that ESET has linked to ScarCruft since 2021. BirdCall handles shellcode injection, virtual machine detection, and analysis tool checks before activating its full feature set. The Windows variant is most useful to ScarCruft when it lands on the laptop of an activist, journalist, or NGO worker.
The Android variant is more comprehensive and probably more interesting to the operators because it gets onto more phones. ESET tracks it as zhuagou. A zhuagou infected Android device offers the operator:
- Full contacts and call log harvest, plus the SMS database.
- External storage enumeration, with file sweeps targeting Microsoft Office formats (.doc, .docx, .xls, .xlsx, .ppt, .pptx), Hancom Office files (.hwp, the Korean equivalent of Word), text files, PDFs, images (.jpg), audio (.m4a), and PKCS12 certificate stores (.p12).
- Screen capture via Android's startForeground API, which is the standard mechanism legitimate screen recording apps use.
- Microphone recording, restricted by the malware to a 7 to 10 p.m. local time window. The window is an operational choice. It captures family conversations, dinner table discussions, and after work calls without burning battery during the day.
- Encrypted command channel using a magic value of 0x2A7B4C33 to decrypt instructions from the C2 server.
The targeting of .hwp files is an attribution detail. Hancom Office is the dominant office suite on the Korean peninsula, and .hwp documents are common in South Korean government and military environments. Including .hwp in the file sweep telegraphs that the operators expect at least some of their victims to be holding documents from inside the South Korean public sector. ScarCruft has been collecting documents off South Korean defense and academic targets for years. The Yanbian campaign extends that collection effort into the diaspora.
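Two of the details above are static enough to look for in a sample: the 0x2A7B4C33 command channel magic value and the sweep extension list. The Python below is an added triage example, not ESET's tooling or anything from the original report. It scans the files of an unpacked APK (given here as an in-memory mapping of path to bytes) for the magic value in either byte order and for the sweep extensions as ASCII or UTF-16LE strings. The sample file contents, the extension-count threshold, and the file names are constructed for the example; nothing about the real layout of a zhuagou build is assumed.

```python
import re
import struct
from typing import Dict, List, Tuple

# Command channel magic value reported by ESET for zhuagou.
MAGIC = 0x2A7B4C33

# File extensions the report lists in zhuagou's external storage sweep.
SWEEP_EXTENSIONS = [
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".hwp", ".txt", ".pdf", ".jpg", ".m4a", ".p12",
]

# Number of sweep extensions one file must carry before it counts as a
# sweep-list hit on its own. Triage assumption, not a value from the report.
EXTENSION_THRESHOLD = 4


def find_magic(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, byte_order) for every occurrence of MAGIC.

    Dex bytecode stores 32-bit literals little-endian; native code may use
    either order, so both encodings are searched.
    """
    hits = []
    for order, fmt in (("little", "<I"), ("big", ">I")):
        needle = struct.pack(fmt, MAGIC)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, order))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def find_sweep_extensions(data: bytes) -> List[str]:
    """Return sweep extensions present as whole tokens in ASCII or UTF-16LE.

    The negative lookahead stops ".doc" from matching inside ".docx".
    """
    found = []
    for ext in SWEEP_EXTENSIONS:
        ascii_pat = re.escape(ext.encode("ascii")) + rb"(?![A-Za-z0-9])"
        utf16_pat = re.escape(ext.encode("utf-16-le")) + rb"(?![A-Za-z0-9]\x00)"
        if re.search(ascii_pat, data) or re.search(utf16_pat, data):
            found.append(ext)
    return found


def scan_file(data: bytes) -> Dict[str, object]:
    """Score one file: magic hits plus sweep extension strings."""
    magic = find_magic(data)
    exts = find_sweep_extensions(data)
    return {
        "magic": magic,
        "extensions": exts,
        "suspicious": bool(magic) or len(exts) >= EXTENSION_THRESHOLD,
    }


def scan_tree(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Scan a path -> contents mapping (an unpacked APK) and keep only
    files with at least one finding."""
    report = {}
    for path, data in files.items():
        result = scan_file(data)
        if result["magic"] or result["extensions"]:
            report[path] = result
    return report


# Constructed sample: a fake classes.dex fragment carrying sweep strings and
# the magic value, plus a benign native library with nothing of note.
SAMPLE_FILES = {
    "classes.dex": (
        b"dex\n035\x00" + b"\x00" * 9
        + b".hwp\x00.p12\x00.docx\x00.m4a\x00"
        + struct.pack("<I", MAGIC)
        + b"\x00" * 8
    ),
    "lib/arm64-v8a/libgame.so": b"\x7fELF" + b"\x00" * 60,
}

if __name__ == "__main__":
    for path, result in scan_tree(SAMPLE_FILES).items():
        print(path, result)
```

The extension check is a weak signal on its own (any office-capable app legitimately names these formats), which is why the score only trips on several extensions together or on the magic constant; in practice the magic hit is the finding worth escalating, and the extension list is context for the analyst.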
The 7 to 10 P.M. Window
The microphone recording schedule is unusually deliberate, and it reveals how the operators think about their targets' daily routines. Yanbian is on Beijing time, the same time zone as North Korea. Between 7 and 10 p.m., people are home, families are having dinner, evening prayers and small group meetings are starting, and longer phone conversations happen. Recording outside that window would mostly capture commuting noise and workplace ambient sound. Recording inside it picks up the conversations the operators actually care about.
The constraint also extends battery life and reduces detection risk. A phone that is constantly recording produces noticeable battery drain and shows up in Android battery dashboards. Three hours a day is invisible.
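The schedule that makes the recording quiet is also something a defender can look for. The Python below is an added example, not ESET's code or anything from the original report. It pairs microphone start and stop events from telemetry into sessions, then flags any package whose recording recurs inside a narrow fixed daily window over several days. That generalizes the 7 to 10 p.m. behaviour described above to any scheduled recorder. The log line format, the com.example package names, and the thresholds are constructed assumptions; real input would come from Android app-op history or an MDM or EDR agent.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample telemetry: three evenings of a "card game" recording
# from about 19:00 to 22:00, and a voice app recording at scattered times.
SAMPLE_LOG = """\
2025-03-10 19:04:12 MIC_START pkg=com.example.cardgame
2025-03-10 21:40:05 MIC_STOP  pkg=com.example.cardgame
2025-03-11 19:00:30 MIC_START pkg=com.example.cardgame
2025-03-11 21:58:11 MIC_STOP  pkg=com.example.cardgame
2025-03-12 19:02:47 MIC_START pkg=com.example.cardgame
2025-03-12 21:55:00 MIC_STOP  pkg=com.example.cardgame
2025-03-10 08:15:00 MIC_START pkg=com.example.voicecall
2025-03-10 08:22:10 MIC_STOP  pkg=com.example.voicecall
2025-03-11 13:40:00 MIC_START pkg=com.example.voicecall
2025-03-11 13:41:30 MIC_STOP  pkg=com.example.voicecall
2025-03-12 20:10:00 MIC_START pkg=com.example.voicecall
2025-03-12 20:12:00 MIC_STOP  pkg=com.example.voicecall
"""

Session = Tuple[datetime, datetime]


def parse_sessions(text: str) -> Dict[str, List[Session]]:
    """Pair MIC_START/MIC_STOP lines into (start, stop) sessions per package."""
    open_starts: Dict[str, datetime] = {}
    sessions: Dict[str, List[Session]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event, pkg_field = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        pkg = pkg_field.split("=", 1)[1]
        if event == "MIC_START":
            open_starts[pkg] = when
        elif event == "MIC_STOP" and pkg in open_starts:
            sessions[pkg].append((open_starts.pop(pkg), when))
    return dict(sessions)


def hours_covered(start: datetime, stop: datetime) -> set:
    """Hours of the day touched by one session, walking across midnight if needed."""
    hours = set()
    h = start.replace(minute=0, second=0, microsecond=0)
    while h <= stop:
        hours.add(h.hour)
        h += timedelta(hours=1)
    return hours


def circular_span(hours) -> int:
    """Smallest run of consecutive hour slots on a 24 h clock that contains
    every hour given, so {23, 0, 1} spans 3 rather than 24."""
    hs = sorted(set(hours))
    if not hs:
        return 0
    gaps = [hs[i + 1] - hs[i] for i in range(len(hs) - 1)]
    gaps.append(hs[0] + 24 - hs[-1])  # wrap-around gap
    return 24 - max(gaps) + 1


def profile(sessions: List[Session]) -> Dict[str, object]:
    """Summarize when and how much a package records."""
    hours, days, total_minutes = set(), set(), 0.0
    for start, stop in sessions:
        hours |= hours_covered(start, stop)
        days.add(start.date())
        total_minutes += (stop - start).total_seconds() / 60
    return {
        "days": len(days),
        "hours": sorted(hours),
        "span_hours": circular_span(hours),
        "minutes_per_day": total_minutes / len(days) if days else 0.0,
    }


def find_scheduled_recorders(text: str, max_span_hours: int = 3,
                             min_days: int = 3,
                             min_minutes_per_day: float = 30.0):
    """Flag packages whose microphone use sits inside a fixed daily window of
    at most max_span_hours, recurs on at least min_days days, and averages at
    least min_minutes_per_day. Thresholds are assumptions for the example."""
    flagged = {}
    for pkg, sessions in parse_sessions(text).items():
        p = profile(sessions)
        if (p["days"] >= min_days and p["span_hours"] <= max_span_hours
                and p["minutes_per_day"] >= min_minutes_per_day):
            flagged[pkg] = p
    return flagged


if __name__ == "__main__":
    for pkg, p in find_scheduled_recorders(SAMPLE_LOG).items():
        print(pkg, p)
```

The voice app in the sample records at 8 a.m., 1 p.m. and 8 p.m., so its hours span 13 slots and it is not flagged even though one of its sessions falls in the evening; the card game is flagged because every session lands in the same three hour slot on three consecutive days and averages well over two hours of audio per day. A three hour daily window is short enough to hide from a battery dashboard, but it is a very regular pattern once the per-app timing is plotted.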
From a tradecraft perspective, the 7 to 10 p.m. window is the same kind of operational tuning Pegasus and Predator deployments have shown over the years. Predator was used to hack an Angolan journalist's phone the day before World Press Freedom Day. Apple announced spyware notifications for users in 100 countries. The market for sophisticated commercial spyware is well documented. ScarCruft's Yanbian operation is the state aligned cousin: same operational mindset, run in house by a regime that does not need to pay a vendor.
How the Supply Chain Got Compromised
ESET reports that the gaming platform's update endpoint at xiazai.sqgame.com[.]cn was the delivery channel. Anyone running the platform's launcher would receive the trojanized version automatically when the update mechanism fired. The Android side was more direct: the platform's app store served trojanized APKs for at least two specific games, Yanbian Red Ten and New Drawing, plus a generic platform installer. Once installed, the trojanized games functioned as the genuine games would. The user got the actual game and the bundled implant.
ESET observed two main implant versions on Android. Version 1.0 began deploying in October 2024. Version 2.0 arrived in June 2025 with code obfuscation that suggests the operators were responding to or anticipating defender attention. Apple's iOS App Store was unaffected. ESET attributes the iOS gap to Apple's review process, which raised the bar for ScarCruft enough that the operation chose to skip iOS rather than attempt a slower compromise.
ESET's report does not say whether sqgame's infrastructure was compromised through a direct breach of the platform or through a third party developer or hosting provider. The company contacted sqgame in December 2025 and received no response. As of public disclosure, the Windows update path had stopped serving the malicious payload. The Android APKs in the platform's app store were still available, meaning the operators continued to land new infections after the disclosure.
Why This Pattern Should Worry Press Freedom Advocates
A surveillance operation aimed at the Yanbian Korean diaspora is structurally identical to surveillance operations aimed at journalists, NGO workers, and political dissidents anywhere else. The only difference is the platform. The pattern is the same: find a piece of software that the target community trusts, compromise its delivery channel, and let the targets install your malware themselves.
For Korean speaking journalists who report on North Korea, this is a direct operational threat. Sources who use the Yanbian gaming platform may have had a phone full of journalist messages and call logs hoovered into Pyongyang's intelligence cycle for the past 18 months. The IFJ's 2026 mapping of journalist surveillance warned that hostile state actors are actively cataloging source networks pulled out of breaches and surveillance feeds, exactly the data zhuagou is collecting.
For North Korean defectors who have built lives in China and South Korea, the leak of contact lists in particular has lethal stakes. North Korea has historically retaliated against the families of defectors who remained behind. A contact graph showing who in Yanbian has been in touch with which defector is exactly the kind of intelligence the Pyongyang regime has been willing to act on.
What the Affected Communities Should Do
For users of the sqgame platform, especially anyone who installed Yanbian Red Ten or New Drawing on Android in the last 18 months:
- Uninstall the app immediately. Removing it does not retroactively recover the data already exfiltrated, but it stops continuing collection.
- Factory reset the device. Some BirdCall variants establish persistence beyond a simple uninstall. A factory reset is the only reliable way to remove unknown additional components.
- Rotate any account that authenticated on the device. If you typed a Gmail or KakaoTalk password into that phone, treat it as compromised and reset.
- Move sensitive communications to Signal or Wire with disappearing messages enabled. Avoid SMS or unencrypted email for any conversation about defector status, source contacts, or family in the DPRK.
- Watch for targeted phishing referencing details only someone with phone level access could know. Operators frequently use the harvest from the first compromise to craft a more convincing second compromise.
For journalists and NGO workers operating in the region, the broader lesson is to assume that any commodity software popular in your subject community is a candidate for supply chain compromise. The threat model has to include "the gaming platform my source uses." The defensive posture has to be: separate devices for sensitive work, no shared apps with the target community on those devices, encrypted messaging end to end.
A Second Tier Spyware Market
For the policy crowd, ScarCruft's Yanbian operation is the same story commercial spyware tells, only with the vendor cut out. Pegasus and Predator are sold by NSO Group and Intellexa to government clients who use them against journalists, activists, and political opposition. ScarCruft is the in house equivalent run by a state with no commercial export restrictions to worry about. The technical capability gap between "buy a license from NSO" and "trojanize the local gaming platform" is closing fast.
That has implications for the regulatory debate around commercial spyware. Bans on the sale of commercial tools, even successful ones, do nothing to slow down state programs that build their own. The Yanbian operation has been running since at least October 2024 with no commercial vendor in the picture. Any framework that aims to limit the harms of mobile surveillance has to address state actors as well as the commercial market, or it just shifts the problem.
The Quiet Persistence Problem
The most uncomfortable detail in ESET's report is the timeline. The Android malicious APKs were still being served to users when the public disclosure landed in early May 2026. ESET notified sqgame in December 2025. There is a five month gap during which a compromised platform continued to ship malware to its users. The economics of these supply chain attacks favor the attacker partly because the disruption pipeline is slow. The compromised vendor does not always respond. There is no central authority that can take down a malicious app store in another country. App stores like the iOS one are the exception, not the rule.
That is the actual lesson here. The dependency graph that runs through commodity consumer software is enormous, the trust relationships are casual, and the takedown mechanisms are weak. North Korea did not break encryption to get into Yanbian phones. It used the update channel of a card game. The same playbook is available to any state with the time and the engineers, and the targets are anyone who installs popular software in the language of a population the state wants to monitor.