Resources
  • Research
  • Threat Intelligence Reports
BirdCall: ScarCruft Malware Masquerading as Zangi Messenger
2026.07.14

✅ Report Title: BirdCall, ScarCruft Malware Masquerading as Zangi Messenger


✅ Executive Summary:


S2W recently identified and analyzed additional samples of the 'BirdCall' malicious app developed by the North Korea-backed ScarCruft group, also known as APT 37. ESET had previously disclosed that BirdCall targeted China's Yabian region and specific groups.



📌 What is the BirdCall malware?


- Another malicious app identified is the BirdCall malware, which masquerades as the Zangi messenger app.


- It has been confirmed that the attacker repackaged the legitimate app to alter its entry point.



📌 Key Characteristic


- The BirdCall malware app uses dual Zoho WorkDrive accounts (cmdCloud and dataCloud) as C2 channels.


- It steals information about infected devices and collected sensitive data, and supports a total of eight types of remote commands, enabling it to control devices, steal files, and re-collect data.


- The stolen data is structured according to a sophisticated packet format defined within the malware and is encrypted and obfuscated using AES-256-CBC + zlib multi-layer encryption.


- Additionally, when uploaded to Zoho WorkDrive, filenames are obfuscated through Base-26 encoding and packed into an 11-base structure.




🧑‍💻 Author: S2W TALON


👉 Read the full report: https://bit.ly/4vppNU9


*The full report is available upon request or with a subscription to the S2W platform.



List