Full Report
In a new campaign detected in March 2025, senior members of the World Uyghur Congress (WUC) living in exile have been targeted by a Windows-based malware that's capable of conducting surveillance. The spear-phishing campaign involved the use of a trojanized version of a legitimate open-source word processing and spell check tool called UyghurEdit++ developed to support the use of the Uyghur
Analysis Summary
# Incident Report: Targeted Malware Deployment via Trojanized Uyghur Language Software
## Executive Summary
A highly targeted spear-phishing campaign was detected in March 2025, aimed at senior members of the World Uyghur Congress (WUC) in exile. Attackers used a trojanized version of the legitimate UyghurEdit++ tool, distributed via compromised Google Drive links in emails impersonating trusted contacts, to deploy Windows-based surveillance malware. While the malware itself was not technologically advanced, its highly customized delivery indicates a sophisticated, state-sponsored actor likely engaging in digital transnational repression.
## Incident Details
- **Discovery Date:** March 5, 2025 (Date targets received Google security alerts about government-backed attacks).
- **Incident Date:** Activity related to this campaign began as early as May 2024; confirmed deployment occurred around March 2025.
- **Affected Organization:** Senior members of the World Uyghur Congress (WUC).
- **Sector:** Political/Advocacy Organization (targeting diaspora).
- **Geography:** Targets are leaders living in exile (specific locations not detailed, but the campaign is international).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning as early as May 2024, with confirmed alerts in March 2025.
- **Vector:** Spear-phishing via email, impersonating a trusted contact at a partner organization.
- **Details:** Emails contained Google Drive links that, when clicked, downloaded a password-protected RAR archive. The archive contained the trojanized UyghurEdit++ build; the password protection kept the contents opaque to any scanning between Google Drive and the recipient's desktop.
### Lateral Movement
- Not described in the source. The malware's ability to fetch additional plugins and execute commands gives the operator a path to act further on the compromised host, but no movement to other systems is reported.
### Data Exfiltration/Impact
- **Data Exfiltration:** The malware profiled the compromised Windows system and sent the results to the command-and-control server `tengri.ooguy[.]com`. The wider aim of this surveillance is to monitor the targets' activities, control their ties to family and contacts in the homeland, and suppress the flow of information about human rights conditions in the region.
- **Impact:** Surveillance capabilities established on target machines.
### Detection & Response
- **Detection:** Alerts received from Google warning targets that their accounts were under government-backed attack (sent around March 5, 2025).
- **Response Actions:** Details on specific organizational response are not provided, but the investigation was conducted by Citizen Lab.
## Attack Methodology
- **Initial Access:** Spear-phishing leading to the execution of trojanized software.
- **Persistence:** Mechanism not specified. The malware can download additional malicious plugins and run commands against them, which lets the operator extend its functionality after initial execution (this is a command-and-control and execution capability rather than a persistence mechanism).
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** The use of a trojanized, legitimate, specialized tool (UyghurEdit++)—developed for the target community—serves as a primary evasion mechanism, leveraging trust.
- **Credential Access:** Not specified.
- **Discovery:** The deployed malware profiled the compromised Windows system.
- **Lateral Movement:** Not specified.
- **Collection:** System profiling occurred.
- **Exfiltration:** Data was sent to the command-and-control server `tengri.ooguy[.]com`.
- **Impact:** Digital surveillance and monitoring of targeted WUC leaders.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** System profiling data collected, details on the volume/type not specified beyond system information.
- **Operational:** Potential compromise of communications and activities of WUC leadership.
- **Reputational:** Negative impact stemming from the high-profile, state-sponsored targeting of human rights advocates.
## Indicators of Compromise
- **Network Indicators (Defanged):** `tengri.ooguy[.]com` (C2)
- **File Indicators:** Trojanized version of UyghurEdit++ distributed within a password-protected RAR archive.
- **Behavioral Indicators:** Receiving Google notifications regarding government-backed attacks; installation of software from an unexpected, password-protected archive received via email.
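Two of the indicators above are checkable mechanically: the C2 domain can be matched against DNS logs once it is refanged, and a downloaded archive can be tested for password protection from its header flags without opening it. The following is an added example, not code from the Citizen Lab report or any tooling associated with it. It assumes a simplified tab-separated DNS log (timestamp, client, resolver, query) and raw archive bytes; the log lines and archive samples are constructed here, and the RAR 4.x / 5.0 header layouts follow the published formats (header CRCs are not verified, since this is a triage check, not a full parser).

```python
"""Triage helpers for the IOCs above (added example, not report code)."""
import struct
import zlib

C2_DEFANGED = "tengri.ooguy[.]com"   # IOC as published in the report (defanged)


def refang(ioc):
    """Undo '[.]' / 'hxxp' defanging so the IOC can be matched against logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def matches_domain(query, ioc_domain):
    """Hit on the IOC host or any label below it. The parent zone (ooguy.com is
    a dynamic-DNS provider) and look-alike hostnames are deliberately not hits."""
    q, d = query.lower().rstrip("."), ioc_domain.lower()
    return q == d or q.endswith("." + d)


def scan_dns_log(lines, ioc_domain):
    """Return (ts, client, query) for every log line that resolved the C2."""
    hits = []
    for line in lines:
        fields = line.split("\t")
        if len(fields) >= 4 and matches_domain(fields[3], ioc_domain):
            hits.append((fields[0], fields[1], fields[3]))
    return hits


RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def _vint(buf, pos):
    """RAR5 variable-length integer: 7 data bits per byte, MSB = continue."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _rar5_extra_has_encryption(buf, start, end):
    """Walk the extra-area records of a RAR5 file header; record type 1 = encryption."""
    q = start
    while q < end:
        rec_size, q = _vint(buf, q)
        rec_type, _ = _vint(buf, q)
        if rec_type == 1:
            return True
        q += rec_size
    return False


def rar_encryption(buf):
    """Classify bytes as 'rar4-encrypted', 'rar5-encrypted', 'rar-plain' or 'not-rar'."""
    if buf.startswith(RAR4_SIG):
        pos = len(RAR4_SIG)
        while pos + 7 <= len(buf):
            htype = buf[pos + 2]
            flags, size = struct.unpack_from("<HH", buf, pos + 3)
            if htype == 0x73 and flags & 0x0080:   # MAIN_HEAD, encrypted headers (-hp)
                return "rar4-encrypted"
            if htype == 0x74 and flags & 0x0004:   # FILE_HEAD, encrypted file data (-p)
                return "rar4-encrypted"
            add = 0
            if flags & 0x8000 and pos + 11 <= len(buf):   # LONG_BLOCK: data area follows
                add = struct.unpack_from("<I", buf, pos + 7)[0]
            if size == 0:
                break
            pos += size + add
        return "rar-plain"
    if buf.startswith(RAR5_SIG):
        pos = len(RAR5_SIG)
        while pos + 4 < len(buf):
            size, p = _vint(buf, pos + 4)          # skip the 4-byte header CRC32
            htype, q = _vint(buf, p)
            flags, q = _vint(buf, q)
            if htype == 4:                          # archive encryption header (-hp)
                return "rar5-encrypted"
            extra_size = data_size = 0
            if flags & 0x01:
                extra_size, q = _vint(buf, q)
            if flags & 0x02:
                data_size, q = _vint(buf, q)
            if htype in (2, 3) and extra_size:     # file/service header: check extra records
                if _rar5_extra_has_encryption(buf, p + size - extra_size, p + size):
                    return "rar5-encrypted"         # per-file encryption (-p)
            if htype == 5:                          # end-of-archive header
                break
            pos = p + size + data_size
        return "rar-plain"
    return "not-rar"


def _rar5_header(htype, flags, body):
    """Build one RAR5 header (CRC32 + size vint + type + flags + body); vints < 128 only."""
    inner = bytes([htype, flags]) + body
    data = bytes([len(inner)]) + inner
    return struct.pack("<I", zlib.crc32(data)) + data


# Constructed samples for demonstration; not real campaign artifacts.
SAMPLE_DNS_LOG = [
    "1741132800.101\t10.0.0.12\t10.0.0.1\tupdate.googleapis.com",
    "1741132801.532\t10.0.0.12\t10.0.0.1\ttengri.ooguy.com",
    "1741132802.004\t10.0.0.15\t10.0.0.1\ttengri.ooguy.com.",   # trailing dot, still a hit
    "1741132803.771\t10.0.0.15\t10.0.0.1\tooguy.com",           # parent zone, not a hit
    "1741132804.020\t10.0.0.20\t10.0.0.1\tnottengri.ooguy.com", # look-alike, not a hit
]
SAMPLE_RAR4_HP = RAR4_SIG + struct.pack("<HBHH", 0, 0x73, 0x0080, 13) + b"\x00" * 6
SAMPLE_RAR5_HP = RAR5_SIG + _rar5_header(4, 0, bytes([0, 0, 15]) + b"\x00" * 16)
_NAME = b"UyghurEdit++.exe"
_ENC_REC = bytes([36, 1, 0, 0, 15]) + b"\x00" * 32   # rec size, type 1, ver, flags, kdf, salt+iv
_FILE_BODY = bytes([len(_ENC_REC), 0, 0, 0, 0, 0, len(_NAME)]) + _NAME + _ENC_REC
SAMPLE_RAR5_P = RAR5_SIG + _rar5_header(1, 0, b"\x00") + _rar5_header(2, 0x01, _FILE_BODY)
SAMPLE_RAR5_PLAIN = RAR5_SIG + _rar5_header(1, 0, b"\x00") + _rar5_header(5, 0, b"\x00")
```

The archive check is deliberately shallow: a gateway or endpoint cannot see inside an encrypted archive, so the actionable signal is "an encrypted RAR arrived from a file-sharing link", which is enough to quarantine or sandbox the download before the user types the password from the email. The DNS matcher treats the parent zone as non-suspicious because `ooguy.com` is a dynamic-DNS provider serving many unrelated hosts.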
## Response Actions
- **Containment:** Not explicitly detailed, but likely isolating compromised endpoints and revoking access credentials associated with the targeted accounts based on Google's alerts.
- **Eradication:** Removing the trojanized UyghurEdit++ installation and any plugins it downloaded.
- **Recovery:** Securing affected Google accounts and systems, and alerting the broader community about the specific threat vector.
## Lessons Learned
- **Key Takeaways:** Threat actors are highly adept at socio-technical manipulation (spear-phishing) by customizing lures (using specialized, sought-after software such as UyghurEdit++) to bypass initial user skepticism. The activity spanned a long period (activity starting May 2024, detected March 2025).
- **What could have been done better:** Improved user training on identifying sophisticated impersonation emails, and faster detection and containment once the activity window was identified. No software vulnerability was exploited, so patching was not the gap; the gap was trust in a familiar tool delivered through an unfamiliar channel.
## Recommendations
- Treat password-protected archives delivered via email or file-sharing links as untrusted by default: gateways cannot inspect their contents, so quarantine or sandbox them (and flag links to file-sharing services from external senders) rather than relying on content scanning.
- Mandate Multi-Factor Authentication (MFA), preferably hardware security keys or Google's Advanced Protection Program, for all Google Workspace accounts of at-risk staff. MFA does not stop a trojanized executable from running, but it limits follow-on account compromise, which the government-backed attack warnings indicate is a live risk.
- Conduct specialized security awareness training focused on social engineering and the specific threat vectors targeting diaspora organizations.
- Validate the authenticity of software sourced from external links, even if the utility appears legitimate or useful to the community.