Malik Haidar brings a wealth of experience in tracking nation-state actors who blend technical sophistication with psychological precision. Having spent years securing multinational infrastructure, he understands that cybersecurity is not just about code; it is about the geopolitical motives that drive threat actors to target specific communities. Today, we sit down with Malik to discuss the intricate supply-chain attack on a regional gaming platform that serves as a bridge between cultures and a hunting ground for intelligence.
Our discussion explores the calculated selection of the Yanbian region as a focal point for espionage and the technical execution of multi-platform malware targeting both Windows and Android users. Malik breaks down the evolution of the BirdCall backdoor into its mobile counterpart, zhuagou, and explains the tactical advantages of leveraging legitimate cloud services for command-and-control operations. Finally, we address the systemic risks posed by compromised regional software providers and the future of ethnically targeted cyber campaigns.
Given the strategic location of the Yanbian region near the North Korean border, why would threat actors choose a niche gaming platform for espionage? What specific intelligence value do these demographics hold, and how does this reflect a shift in regional cyber-targeting strategies?
The Yanbian region is a critical intelligence intersection because it serves as a primary crossing point for refugees and defectors who possess firsthand knowledge of the Pyongyang regime. By targeting a platform like sqgame[.]net, which hosts traditional games like Yanbian Red Ten, attackers are fishing in a very specific pond where their high-value targets congregate for leisure. This is not just about general data theft; it is about identifying and monitoring individuals of interest in a space where they feel safe and culturally connected. Moving away from high-profile government servers to a niche card-game site since late 2024 shows a shift toward “living off the land” in the cultural sense—intercepting the target through their daily habits rather than their professional roles.
How do attackers manage the logistical challenge of trojanizing both Windows DLL libraries and Android APKs simultaneously? Could you walk us through the technical hurdles of modifying legitimate game activities while ensuring the backdoor, such as the zhuagou variant, remains undetected by standard security scans?
Achieving a multi-platform compromise requires a high level of coordination, as seen with the simultaneous targeting of Windows update packages and Android APKs. For the Windows side, the operators didn’t just write new software; they patched a legitimate mono.dll library to serve as a downloader, which then pulled in the RokRAT backdoor to eventually deploy the sophisticated BirdCall implant. On Android, the process was equally surgical: instead of needing the source code, they recompiled legitimate APKs like “New Drawing” and modified the AndroidManifest.xml file. This redirection allowed them to launch the malicious entry point first, ensuring the zhuagou backdoor was active before the user even saw the game’s start screen. By wrapping the malware inside a functional game, they create a sensory distraction for the user while the malicious code executes anti-analysis checks to dodge automated scanners.
Using cloud storage providers like Zoho or Yandex for command-and-control traffic is becoming more common. Why is this method so effective for evading detection, and what are the implications of malware that specifically limits its audio recording to a precise three-hour evening window?
Leveraging trusted cloud services like Zoho WorkDrive—where researchers identified 12 separate malicious accounts—is a masterclass in stealth because the traffic blends in with legitimate business activity. Most security tools are configured to trust reputable domains like Zoho or Yandex, making it incredibly difficult to flag a connection as malicious without deep packet inspection. The specific restriction of audio recording to a window between 7 pm and 10 pm local time is a chillingly logical tactical choice. This is the “golden hour” for intelligence gathering, as it’s when users are likely home from work, engaging in private conversations, or making calls that they wouldn’t perform in a public or professional setting. By limiting the capture window, the attackers also reduce the amount of data they need to exfiltrate, making their footprint smaller and less likely to trigger alerts for unusual data usage.
When a regional gaming site fails to respond to breach notifications and continues to host malicious files, what are the next steps for the security community? How can individual users protect themselves when the primary distribution point for their cultural or regional software remains compromised?
It is deeply frustrating when a site like sqgame[.]net ignores a December 2025 notification and continues to distribute infected files, leaving its community vulnerable. In these cases, the security community must pivot to “herd immunity” strategies, such as blacklisting the known malicious domains and hashes at the ISP or endpoint protection level. For users who rely on these niche cultural tools, the best defense is to treat any direct-download APK or desktop update with extreme skepticism, especially those that request broad permissions like SMS and contact access. Since the iOS versions remained clean due to the difficulty of evading Apple’s review process, it highlights the importance of using managed app stores rather than side-loading software from unverified regional sites. Users should also look for signs of unusual behavior, such as a game requesting to record audio or access private keys, which are clear red flags for a hidden payload.
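The two Android red flags raised in this interview, a repackaged APK whose AndroidManifest.xml now launches a different entry point first, and a game requesting permissions like SMS, contacts or audio recording that it has no reason to need, can both be checked mechanically before a side-loaded APK is installed. The following is an added, defender-side example written for this page; it is not code from the interview, from the researchers, or from any of the named projects. It assumes the manifest has already been decoded to plain XML (for example with a tool such as apktool) and uses constructed package and activity names (com.example.drawing, com.example.dropper) and a hypothetical watch list of permissions; it compares the launcher activity against the one a known-clean build of the game uses.

```python
"""Audit a decoded AndroidManifest.xml for two repackaging indicators:
   1. the MAIN/LAUNCHER entry point no longer matches the known-clean build
   2. permissions a casual game has no business requesting
Added example; manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells namespaced attributes as {uri}name

# Hypothetical watch list (assumption): permissions that are out of place
# in a card or drawing game and match the behaviours described above.
SUSPICIOUS_PERMISSIONS: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest of a clean build: one launcher activity, INTERNET only.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.drawing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Drawing">
    <activity android:name="com.example.drawing.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest of a repackaged build: the LAUNCHER filter has been
# moved to an injected activity, and three sensitive permissions were added.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.drawing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Drawing">
    <activity android:name="com.example.dropper.EntryActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.drawing.MainActivity"/>
  </application>
</manifest>"""


def launcher_activities(manifest_xml: str) -> List[str]:
    """Return every activity or activity-alias that answers MAIN + LAUNCHER,
    i.e. whatever Android will start when the user taps the icon."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    found: List[str] = []
    if app is None:
        return found
    for node in list(app.findall("activity")) + list(app.findall("activity-alias")):
        for filt in node.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            categories = {c.get(A + "name") for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                found.append(node.get(A + "name"))
    return found


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Collect every <uses-permission android:name=...> declared at the top level."""
    root = ET.fromstring(manifest_xml)
    return {p.get(A + "name") for p in root.findall("uses-permission")}


def audit_manifest(manifest_xml: str, expected_launcher: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    launchers = launcher_activities(manifest_xml)
    if launchers != [expected_launcher]:
        findings.append(
            "launcher mismatch: expected %s, found %s" % (expected_launcher, launchers))
    for perm in sorted(requested_permissions(manifest_xml) & SUSPICIOUS_PERMISSIONS):
        findings.append("suspicious permission: %s" % perm)
    return findings


if __name__ == "__main__":
    known_launcher = "com.example.drawing.MainActivity"
    for label, xml in (("clean", CLEAN_MANIFEST), ("repackaged", REPACKAGED_MANIFEST)):
        print(label, audit_manifest(xml, known_launcher) or "no findings")
```

The launcher comparison is the more durable of the two checks: a repackaged game can drop its extra permissions to look innocent, but if the injected code must run before the game appears, the manifest has to hand the MAIN/LAUNCHER filter to something other than the original activity, and that change is visible without ever running the APK.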
What is your forecast for the evolution of supply-chain attacks targeting specific ethnic or regional groups?
I anticipate that we will see a surge in “hyper-localized” supply-chain attacks where the software being compromised is not a global enterprise tool, but a specific piece of cultural or linguistic software. We have already seen seven different versions of the zhuagou backdoor developed between October 2024 and June 2025, which proves that these actors are invested in long-term refinement of their regional tools. Attackers are realizing that the “soft underbelly” of global security lies in these niche platforms that lack the massive security budgets of Silicon Valley giants but hold the keys to sensitive demographics. This means the next wave of espionage will likely involve compromising everything from local news apps to community-specific financial tools, turning a user’s cultural identity into a vector for their own surveillance.