BeijingBirdCall backdoor rode inside Chinese-made card games.
Cybersecurity firm ESET linked BirdCall to North Korea’s APT37 hacking group, embedded in developer Sqgame’s Android apps targeting ethnic Koreans inside China.
Sqgame’s distribution channels and total infection count have not been disclosed.
Sources: The Record
WHO APT37 ACTUALLY IS
APT37 — also called ScarCruft, Reaper, or Group123 — is attributed to North Korea's Ministry of State Security, distinct from the Lazarus Group run by the Reconnaissance General Bureau. Lazarus chases hard currency through crypto theft; APT37 chases people through espionage.
WHY ETHNIC KOREANS IN CHINA
Roughly 1.7 million ethnic Koreans live in China, concentrated in the Yanbian Korean Autonomous Prefecture along the Tumen River — the porous border most North Korean defectors cross first. Surveilling this diaspora means surveilling the defection pipeline, the smuggling routes, and the families left behind who fund both.
THE SUPPLY-CHAIN VECTOR
BirdCall did not exploit a zero-day. It rode inside legitimate-looking card games published through a real developer account, Sqgame, distributed via channels ethnic Korean users already trusted. This is the standard APT37 pattern — compromise the watering hole, let the target install the malware themselves.
WHY ANDROID, WHY CHINA
Google Play does not operate in mainland China. Android users sideload from a fragmented ecosystem of third-party stores — Tencent's MyApp, Huawei AppGallery, Xiaomi GetApps — each with its own review standards. A malicious app that would be flagged on Play can live for months on a regional Chinese store with a Korean-language interface.
THE TRADECRAFT EVOLUTION
APT37 was first publicly named in 2017 and was then a Flash-exploit shop targeting South Korean think tanks. The pivot to Android, to Chinese app stores, to diaspora targets reflects where the surveillance gap actually is — defectors and their networks operate on phones, in China, beyond Seoul's reach.
WHO HUNTS WHOM
ESET, the Slovak firm that flagged BirdCall, sits alongside Kaspersky, Mandiant, and Citizen Lab in a small pool of researchers who track state-sponsored mobile malware against diasporas and dissidents. Attribution to a North Korean unit from a European lab — using samples pulled from Chinese app stores — is itself a small geopolitical artifact.