BirdCall
Intelligence Profile
According to ESET Research, BirdCall is a Windows backdoor written in C++ that provides a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. It is typically deployed through a multistage loading chain: a downloader, at times itself launched by a RokRAT payload, fetches and executes shellcode and then replaces the trojanized library with a clean copy so that the malicious loader is harder to recover and analyse afterwards. For C2, BirdCall uses legitimate cloud storage services or compromised websites for bidirectional communication and data exfiltration, which means its network traffic blends with ordinary cloud-service use and detection has to lean on host behaviour (the library swap, the loader chain, the spying activity) rather than on destination alone.
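The loading chain and C2 pattern above suggest two host-side hunting signals: a process overwriting a DLL it has just loaded, and the same process then contacting a cloud-storage API. The following is an added example, not ESET's detection logic or anything from the BirdCall samples themselves; it runs a heuristic over a small set of constructed telemetry events (modelled on Sysmon ImageLoad, FileCreate and NetworkConnect records) and the cloud-storage hostnames are a hypothetical allow-list you would tune for your own environment.

```python
"""Hunting heuristic for a loader that swaps a trojanized DLL for a clean copy
and then talks to cloud storage. All events below are constructed for the
example; the host list is an assumption, not an indicator from the report."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the start of the trace
    pid: int       # process that performed the action
    kind: str      # "image_load" | "file_write" | "net_connect"
    target: str    # DLL path for loads/writes, remote hostname for connects


# Assumption: cloud-storage API hosts worth treating as possible C2 rendezvous
# points. The page names no specific provider, so adjust this to local policy.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "www.googleapis.com",
    "api.pcloud.com",
    "graph.microsoft.com",
}


def find_replaced_libraries(events: Iterable[Event], window: float = 120.0) -> List[Tuple[int, str]]:
    """Return (pid, path) pairs where a process overwrote a DLL it had loaded
    no more than `window` seconds earlier: the 'swap in a clean copy' step."""
    loaded: Dict[Tuple[int, str], float] = {}
    hits: List[Tuple[int, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.target.lower())
        if ev.kind == "image_load":
            loaded[key] = ev.ts
        elif ev.kind == "file_write":
            t_load = loaded.get(key)
            if t_load is not None and 0 <= ev.ts - t_load <= window:
                hits.append((ev.pid, ev.target))
    return hits


def find_cloud_storage_contacts(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (pid, host) pairs for connections to the cloud-storage host list."""
    return sorted({
        (ev.pid, ev.target.lower())
        for ev in events
        if ev.kind == "net_connect" and ev.target.lower() in CLOUD_STORAGE_HOSTS
    })


def hunt(events: Iterable[Event]) -> List[dict]:
    """Score processes: library swap (2) plus cloud-storage contact (1).
    A process showing both is the shape of the loader chain described above."""
    events = list(events)
    by_pid: Dict[int, dict] = {}

    def entry(pid: int) -> dict:
        return by_pid.setdefault(pid, {"pid": pid, "replaced_libraries": [], "cloud_hosts": []})

    for pid, path in find_replaced_libraries(events):
        entry(pid)["replaced_libraries"].append(path)
    for pid, host in find_cloud_storage_contacts(events):
        entry(pid)["cloud_hosts"].append(host)

    findings = []
    for f in by_pid.values():
        f["score"] = (2 if f["replaced_libraries"] else 0) + (1 if f["cloud_hosts"] else 0)
        findings.append(f)
    return sorted(findings, key=lambda f: (-f["score"], f["pid"]))


# Constructed sample trace: pid 4242 behaves like the loader chain, pid 777 is a
# normal process, pid 999 is an installer writing a DLL it never loaded, and
# pid 1212 only contacts cloud storage (legitimate sync client, low score).
SAMPLE_EVENTS = [
    Event(1.0, 4242, "image_load", r"C:\Users\alice\AppData\Local\Temp\upd\version.dll"),
    Event(3.5, 4242, "file_write", r"C:\Users\alice\AppData\Local\Temp\upd\version.dll"),
    Event(9.0, 4242, "net_connect", "api.pcloud.com"),
    Event(2.0, 777, "image_load", r"C:\Windows\System32\kernel32.dll"),
    Event(4.0, 777, "net_connect", "update.example.com"),
    Event(5.0, 999, "file_write", r"C:\Program Files\Tool\helper.dll"),
    Event(6.0, 1212, "net_connect", "www.googleapis.com"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The library-swap check is the stronger of the two signals because legitimate software rarely overwrites a module it is currently executing from; the cloud-storage contact on its own is noisy and is only there to raise the score of a process that already tripped the first check.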
Threat Analysis
BirdCall is a malware family (a Windows backdoor), not a threat actor. The operator behind it, its national origin, and the motivation for its deployment are not established on this page. The only attribution-relevant detail recorded here is its occasional co-deployment with a RokRAT payload, which should be treated as a lead for further analysis rather than as an attribution.