Detailed Analysis of BirdCall Malware: Masquerading as Zangi Messenger

2026-07-13 S2W

https://s2w.medium.com/detailed-analysis-of-birdcall-malware-marsqurading-as-zangi-messenger-b80db8f5c320

Thumbnail for Detailed Analysis of BirdCall Malware: Masquerading as Zangi Messenger

S2W attributes BirdCall to the North Korea-backed ScarCruft group and analyzes an Android spyware sample created by repackaging the legitimate Zangi messenger application. BirdCall uses separate Zoho WorkDrive accounts for command delivery and exfiltration, collecting device details, contacts, call logs, SMS messages, directory listings, and selected files. It protects stolen data with custom packet and filename formats, zlib compression, AES-256-CBC encryption, XOR obfuscation, and RSA-2048 protection of dynamically generated master keys. Dormant code for messenger keylogging, screenshots, and microphone recording suggests the modular malware could gain additional capabilities or appear in other variants.

Related Actors

Related Reports

« Back