Full Report
Russian-made spyware BoneSpy and PlainGnome target former Soviet states, while public security bureaus in mainland China use Chinese surveillance tool EagleMsgSpy
Analysis Summary
This summary focuses on the two distinct threat actors and their associated mobile surveillance tools detailed in the provided article: **Gamaredon (Russia)** and the actor behind **EagleMsgSpy (China)**.
# Threat Actor: Gamaredon (Russian FSB-linked APT)
## Attribution & Identity
* **Primary Identification:** Gamaredon (also known as Primitive Bear, Shuckworm).
* **Attribution:** Associated with the Russian Federal Security Service (FSB), attributed by the Security Service of Ukraine (SSU) in 2021.
* **Associated Groups/Tools (Contextual):** The article mentions other known Russian-made spyware families: Monokle (linked to Turla) and Infamous Chisel (used by Sandworm).
## Activity Summary
Gamaredon has historically conducted cyber espionage campaigns against desktop devices. The new discovery marks the first time mobile surveillance tools, **BoneSpy** (in use since at least 2021) and **PlainGnome** (first seen in 2024), have been attributed to this group. Targeting appears to have shifted or expanded following the 2022 invasion of Ukraine, now focusing on Central Asian nations.
## Tactics, Techniques & Procedures
* **Persistence/Deployment:** BoneSpy is deployed as a standalone application; PlainGnome acts as a dropper for a surveillance payload.
* **Device Access:** The malware attempts to gain root access to the device.
* **Evasion:** Uses anti-analysis checks.
* **Data Collection:** Broad surveillance capabilities including location tracking, exfiltration of SMS, ambient audio/call recordings, notifications, browser history, contacts, call logs, photos, and cell service provider information.
* **MITRE ATT&CK:** Not explicitly listed, but capabilities align with Mobile ATT&CK techniques for Collection and Defense Evasion.
## Targeting
* **Sectors:** Not explicitly stated, but context suggests espionage/political motives.
* **Geography:** Primarily targeting Russian-speaking individuals in former Soviet countries, specifically **Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan**. (Historically targeted Ukraine via desktop tools).
* **Victims:** Russian-speaking individuals in Central Asia.
## Tools & Infrastructure
* **Malware Families Used:** BoneSpy (derived from DroidWatcher), PlainGnome.
* **Infrastructure (C2, domains, IPs):** PlainGnome's C2 servers share properties with those used by BoneSpy.
## Implications
The use of mobile spyware by Gamaredon marks an expansion of their cyber espionage against former Soviet states, potentially reflecting deteriorating diplomatic relations between Russia and Central Asian nations post-2022.
## Mitigations
* Monitor for unexpected attempts to gain root on Android devices.
* Implement robust mobile endpoint detection and response capable of detecting known surveillance payloads and anti-analysis behaviors.
***
# Threat Actor: Wuhan Chinasoft Token Information Technology Co., Ltd. (Developer) / Chinese State Agencies (Users)
## Attribution & Identity
* **Primary Identification:** The tool, **EagleMsgSpy**, is assessed with high confidence to be developed by the private sector company **Wuhan Chinasoft Token Information Technology Co., Ltd.** in Mainland China.
* **User Attribution:** Used by "several Chinese public security bureaus" for lawful surveillance.
* **Associated Tools (Infrastructure Link):** IP addresses linked to EagleMsgSpy were previously connected to surveillance tools like **CarbonSteal**. The developer appears linked to at least three other state surveillance tools: GoldenEagle, MFSocket, and PluginPhantom.
## Activity Summary
EagleMsgSpy has been operating since at least 2017 as a "lawful surveillance tool" used by government agencies to extensively collect data from mobile devices within Mainland China. It is placed on victims' devices, often configured via access to the unlocked device, and operates as a headless payload.
## Tactics, Techniques & Procedures
* **Deployment:** Placed on victims’ Android devices, configured through access to the unlocked device.
* **Evasion:** Payload runs in the background, hiding activities from the user.
* **Data Collection:** Collects screenshots, call logs, SMS messages, GPS coordinates, audio recordings, and messages from **QQ, Telegram, Viber, WhatsApp, and WeChat**.
* **Data Handling:** Data is stored in a staging area in a hidden directory, compressed, password-protected, and exfiltrated to the C2 server.
* **Future Capabilities:** Internal documents suggest the potential presence of an undiscovered **iOS component**.
## Targeting
* **Sectors:** State surveillance targeting specific ideological/ethnic communities.
* **Geography:** **Mainland China**.
* **Victims:** Primarily targets groups sometimes referred to as the ‘Five Poison’ communities: **Practitioners of Falun Gong, Uyghurs, Tibetans, Taiwanese people, and Hong Kong pro-democracy advocates.**
## Tools & Infrastructure
* **Malware Families Used:** EagleMsgSpy. (Associated names: GoldenEagle, MFSocket, PluginPhantom, CarbonSteal).
* **Infrastructure (C2, domains, IPs):** Associated with IP addresses previously linked to China-based surveillance tools. One C2 server discovery pointed to root domain `tzsafe[.]com`, linked via promotional material to Wuhan Chinasoft Token Information Technology Co., Ltd.
## Implications
This highlights a prominent trend of private Chinese technology companies developing and deploying sophisticated surveillance tools directly into the hands of domestic state security agencies for monitoring specific vulnerable populations.
## Mitigations
* Focus mobile security efforts on detecting unknown, hidden background payloads on Android devices, paying attention to unusual data staging and compression routines.
* Organizations operating in or with ties to China should scrutinize employee device handling procedures, as configuration requires access to an unlocked device.
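The staging behaviour described above (data compressed, password-protected and parked in a hidden directory before exfiltration) can be hunted for on a pulled device snapshot. The following Python check is an added example, not code from the report or from the tool's developer; the directory layout and sample archives it builds are constructed for illustration.

```python
import os
import struct
import tempfile

# Added illustrative check (not EagleMsgSpy's own code): report ZIP archives in
# hidden, dot-prefixed directories whose local header has the encryption bit set.
ZIP_LOCAL_MAGIC = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flags field


def zip_is_encrypted(path):
    """True if the file opens with a ZIP local file header whose encryption bit is set."""
    with open(path, "rb") as fh:
        header = fh.read(30)  # fixed-size part of the local file header
    if len(header) < 30 or not header.startswith(ZIP_LOCAL_MAGIC):
        return False
    flags = struct.unpack_from("<H", header, 6)[0]  # flags sit at offset 6
    return bool(flags & FLAG_ENCRYPTED)


def in_hidden_dir(root, dirpath):
    """True when any path component between root and dirpath starts with a dot."""
    rel = os.path.relpath(dirpath, root)
    return rel != "." and any(p.startswith(".") for p in rel.split(os.sep))


def find_staged_archives(root):
    """Sorted root-relative paths of encrypted ZIPs found inside hidden directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not in_hidden_dir(root, dirpath):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if zip_is_encrypted(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed snapshot: an encrypted ZIP in a hidden dir, a plain ZIP, and a decoy."""
    def local_header(flags):  # minimal 30-byte header followed by a one-byte file name
        return struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_MAGIC, 20, flags, 8, 0, 0, 0, 0, 0, 1, 0) + b"a"
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, ".cache", "tmp")
    os.makedirs(hidden)
    samples = {(hidden, "data.bin"): FLAG_ENCRYPTED,  # should be reported
               (hidden, "plain.zip"): 0,              # hidden but not encrypted
               (root, "photo.jpg"): FLAG_ENCRYPTED}   # encrypted but not hidden
    for (directory, name), flags in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(local_header(flags))
    return root
```

Run `find_staged_archives` against a copied `/sdcard` or app-data tree; the header check keys on the archive's own encryption flag, so renamed files (as with `data.bin` above) are still caught.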