North Korean hackers targeted ethnic Koreans in China with Android ‘BirdCall’ malware

Ethnic Koreans in China Targeted by North Korean Hackers

Ethnic Koreans living in the Yanbian region of China found themselves at the center of a cyber attack orchestrated by a sophisticated North Korean hacking group. The hackers, identified as APT37 by researchers at cybersecurity firm ESET, utilized a strain of malware disguised within a popular Android mobile game.

The malware, known as BirdCall, was attached to a suite of card games provided by a company called Sqgame. This backdoor allowed APT37 to carry out various malicious activities such as taking screenshots, recording calls, and stealing personal data from the victims.

Located on the border with North Korea, the Yanbian region is often referred to as “Third Korea.” ESET researchers believe that the campaign was specifically aimed at refugees or defectors from the North Korean regime.

BirdCall was initially thought to target only Windows devices, but an Android version of the backdoor was later discovered. Through BirdCall, APT37 could gather contact information, SMS texts, call logs, media files, and private keys. ESET uncovered seven versions of the Android backdoor, developed over several months.

According to ESET researcher Filip Jurčacko, victims typically downloaded the compromised games directly from a website onto their devices, bypassing the Google Play store.

APT37, which has been operating since 2012 and is alleged to sit within North Korea’s Ministry of State Security, has a history of espionage campaigns targeting South Korea and other Asian countries. The group has previously focused on government and military organizations as well as North Korean defectors.

The Windows version of BirdCall was first identified by South Korean cybersecurity vendor AhnLab in 2021. ESET revealed that the malicious update package delivered by Sqgame’s compromised platform dates back to at least November 2024.

Despite reaching out to Sqgame in December 2025, ESET did not receive a response. The researchers confirmed that the update package is no longer malicious.

The malware, upon installation, provides attackers with detailed information about the compromised device and can even eavesdrop on the surroundings through the microphone. It also scans external storage devices for specific file types.

In a separate incident last year, APT37 was found embedding spyware in apps available on the Google Play store, targeting South Korean academic experts and a North Korea-focused news outlet.
