North Korean hackers targeted ethnic Koreans in China with a malware disguised as a popular Android mobile game called BirdCall, allowing them to steal personal data from victims.
ScarCruft compromised a video game platform in a supply chain attack, trojanizing its components with a backdoor called BirdCall to target ethnic Koreans residing in China. The attack enabled the threat actors to target both Windows and Android devices, turning it into a multi-platform threat. The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China, known as a transit point for North Korean defectors. BirdCall has features like screenshot capture, keystroke logging, and data gathering, and relies on legitimate cloud services for command-and-control. The Android variant collects various data and has seen active development.
A North Korean hacking group has targeted a digital gaming platform popular among the Korean ethnic enclave in China, using a sophisticated strategy to infiltrate Android applications. Researchers from Eset discovered that an app on the platform contained a backdoor known as BirdCall, linked to North Korea. The official website for the gaming platform hosted the same suspicious APK file. A second Android file associated with another game on the same site was also found to contain the BirdCall backdoor. This supply-chain attack was attributed to the threat actor ScarCruft (APT37), active in Asia and extending into Europe and the Middle East since late 2024. The hackers likely compromised the web server to recompile original APKs with the backdoor, which can collect sensitive information such as contacts, SMS messages, call logs, documents, media files, and private keys, and can take screenshots and record audio. The malware disguises its command and control traffic among regular internet traffic, primarily using Zoho WorkDrive for operations.
Microsoft has identified an issue affecting the display of security warnings when users open Remote Desktop (.rdp) files across all supported versions of Windows, including Windows 11, Windows 10, and Windows Server. The security warning may not render correctly, making the text difficult to read and buttons misaligned, especially when multiple monitors with different display scaling settings are used. This issue often results in overlapping text or obscured buttons in the warning window. The problem is part of Microsoft's security enhancements introduced with the April 2026 cumulative updates, which aim to mitigate risks associated with malicious RDP connection files. Users receive a one-time educational prompt upon opening an RDP file for the first time, followed by a security dialog that provides information about the file's publisher and resource redirections. RDP files are commonly used in enterprise environments, but their exploitation in phishing campaigns has raised security concerns, particularly by groups like the Russian state-sponsored APT29.
Capcom's game Pragmata was hacked by the group DenuvOwO, which dismantled the Denuvo protection system just two days before its scheduled launch on April 17. A pirated version of the game is now circulating online. This incident follows a significant data leak from Capcom's servers and poses challenges for the gaming community regarding piracy and its impact on sales and future development. Pragmata is Capcom's first original franchise in many years.
Rockstar Games experienced a security breach involving a third-party service, leading to the public release of stolen data after the company declined a ransom demand. The leaked information suggests that PC players contribute only 3% to the weekly bookings of GTA Online, amounting to approximately 4,273, while PlayStation 5 players account for 476,346 in bookings with a weekly active user count of 3,474,021. The weekly active user counts are 894,621 for PC and 3,474,021 for PlayStation 5. This financial disparity may influence Rockstar's release strategies, particularly regarding the anticipated Grand Theft Auto 6.
Rockstar Games is facing a security breach involving the hacking group ShinyHunters, which has issued a ransom demand for sensitive data. A Rockstar spokesperson confirmed that a limited amount of non-material company information was accessed due to a third-party data breach, stating it has no impact on the organization or its players. This incident follows a similar breach in 2022 when a 17-year-old hacker infiltrated Rockstar's systems. ShinyHunters has targeted various high-profile companies in the past, including Microsoft and AT&T. The breach highlights that many security incidents can result from simple human errors rather than sophisticated hacking techniques.
A user claimed to have breached Max but later clarified that no large-scale breach or critical vulnerabilities were found. False claims about data breaches can cause significant reputational damage, as demonstrated by a Russian hacking group that falsely claimed to have accessed Epic Games' data, which was later admitted to be a ruse. Similarly, EuroCar reported that fake breach reports may have been generated by ChatGPT, misleading customers. Russian users are distrustful of the Max app, perceived as buggy and insecure. The Russian Federal Security Service blocked its integration with government services due to encryption concerns. Although the government pressures citizens to adopt Max, many may install it without using it regularly. There is skepticism among Russian citizens regarding the app's security, making them susceptible to damaging rumors. Future claims about Max Messenger data breaches are anticipated. Recommendations for organizations to protect against misinformation include maintaining a good reputation, being transparent if a breach occurs, and investing in digital forensics to counter false claims.
Security researcher Wietze Beukema revealed vulnerabilities in Windows LK shortcut files at the Wild West Hackin' Fest, which could allow attackers to deploy harmful payloads. He identified four undocumented techniques that manipulate these shortcut files, obscuring malicious targets from users. The vulnerabilities exploit inconsistencies in how Windows Explorer handles conflicting target paths, allowing for deceptive file properties. One technique involves using forbidden Windows path characters to create misleading paths, while another manipulates LinkTargetIDList values. The most sophisticated method alters the EnvironmentVariableDataBlock structure to present a false target in the properties window while executing malicious commands in the background.
Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, stating that exploitation requires user interaction and does not breach security boundaries. They emphasized that Windows recognizes shortcut files as potentially dangerous and provides warnings when opening them. However, Beukema noted that users often ignore these warnings. The vulnerabilities share similarities with CVE-2025-9491, which has been exploited by various state-sponsored and cybercrime groups. Microsoft initially did not address CVE-2025-9491 but later modified LNK files to mitigate the vulnerability after it was widely exploited.
A cybersecurity investigation by ReliaQuest has revealed that a Chinese state-linked hacking group, Silver Fox (also known as Void Arachne), is using search engine optimization tactics to create a counterfeit Microsoft Teams download site at "teamscn[.]com." This site targets Chinese-speaking users and employs a typo-squatting strategy. Victims attempting to download the software receive a trojanized installer labeled "Setup.exe," which checks for the presence of antivirus software and executes obfuscated PowerShell commands to modify Windows Defender exclusion lists. The malware also drops a file named "Verifier.exe" and installs a functional version of Microsoft Teams to disguise its activities. The compromised system communicates with the domain "Ntpckj[.]com" to deliver the ValleyRAT payload, allowing remote access for data exfiltration and command execution. Silver Fox is linked to both state-sponsored espionage and financially motivated activities, having previously conducted similar SEO poisoning campaigns. The campaign primarily targets Chinese-speaking personnel in global organizations, particularly those with ties to China, and poses a significant risk to organizations lacking robust security measures. Security teams are advised to enhance logging and monitoring practices to detect suspicious activities.
