Targeted Uyghur Activists: A New Windows-Based Malware Campaign Exposed

Listen to this Post

Featured Image
In March 2025, a new malware campaign aimed at senior members of the World Uyghur Congress (WUC) in exile was uncovered. The targeted attack, based on a trojanized version of a legitimate open-source word processing tool, UyghurEdit++, was specifically crafted to spy on Uyghur activists and human rights advocates. This malware, though not advanced in its technical complexity, was highly sophisticated in its delivery method and was designed to effectively reach its target group.

The campaign, which is part of an ongoing pattern of cyberattacks against Uyghur activists, underscores a larger issue of digital transnational repression. The threat actors behind these attacks have shown a deep understanding of the Uyghur community, with a clear aim to control communications and suppress dissent. These findings have raised alarm within the digital rights community, with experts pointing to the potential involvement of state-sponsored entities, possibly linked to the Chinese government.

This investigation by Citizen Lab highlights the ongoing challenges faced by Uyghur activists as they continue their fight for human rights and cultural preservation while dealing with state-backed surveillance efforts. Let’s break down the details of this new campaign and explore its broader implications.

Overview of the Attack: A Sophisticated Spear-Phishing Operation

The spear-phishing attack began in May 2024, with a focus on individuals within the Uyghur exile community. The attackers leveraged a trojanized version of UyghurEdit++, a tool meant to support the use of the Uyghur language. This open-source tool, designed to aid Uyghur-speaking individuals, was hijacked to carry out malicious surveillance activities.

In March 2025, targeted individuals received emails that appeared to come from trusted contacts within partner organizations. The emails contained Google Drive links that, when clicked, initiated the download of a password-protected RAR archive. Inside the archive was the poisoned version of UyghurEdit++, which then executed spyware capable of profiling the compromised system.

The spyware transmitted information back to an external server, “tengri.ooguy[.]com,” and had the ability to download additional malicious plugins and execute commands. The malware was designed to monitor the activities of the target, gathering sensitive information from their Windows systems, and maintain persistent access to the compromised devices.

What Undercode Says:

The recent discovery of this malware campaign underscores a significant escalation in the tactics used for digital repression against the Uyghur community. While the malware itself was not particularly advanced, the precision in targeting and the use of legitimate, trusted software was an intelligent method to infiltrate the activist community.

What stands out most is the careful customization of this attack. By leveraging UyghurEdit++, a tool specifically designed for the Uyghur language community, the attackers were able to ensure that their malware would blend seamlessly into the daily activities of their targets. The use of spear-phishing techniques, which involved mimicking trusted contacts, highlights the personal and highly targeted nature of these attacks.

Moreover, the spyware itself was not simply designed to gather information but also had the capacity to maintain access to compromised systems by downloading additional malicious plugins. This suggests that the attack was not a one-off event but part of a larger campaign designed to monitor, control, and perhaps manipulate the actions of Uyghur activists.

The fact that this campaign was only uncovered after Google sent out notifications warning the targets about potential government-backed attacks shows just how covert these operations can be. While the exact identity of the attackers remains unclear, the methods, including deep knowledge of the Uyghur diaspora and the tailored approach, suggest that the Chinese government or state-sponsored actors could be behind this campaign.

This pattern of surveillance and repression aligns with broader efforts by China to stifle dissent and control narratives surrounding its policies in Xinjiang. The Chinese government has long been accused of attempting to suppress the voices of Uyghur activists both within China and abroad, using a range of digital and physical tactics to exert influence.

The broader implication of this is the growing global concern over the use of technology for political repression. As state-backed actors refine their cyber capabilities, activists and human rights defenders are increasingly at risk of digital surveillance, which can have far-reaching consequences not only on their safety but also on the broader fight for freedom of expression and human rights.

The use of spyware to target specific communities—especially those involved in sensitive political and human rights issues—raises significant questions about the ethics of digital surveillance. In this case, the goal appears to be to control the flow of information and curb any influence that the Uyghur diaspora might have on global perceptions of Chinese policies in Xinjiang.

Fact Checker Results:

  • The findings align with previously reported patterns of Chinese state-sponsored digital repression.
  • The use of UyghurEdit++ as a tool for surveillance was verified by Citizen Lab and linked to the broader Uyghur repression narrative.
  • Ongoing concerns about cyber attacks targeting Uyghur activists remain, with this campaign being the latest in a series of highly targeted attacks.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram