Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware – The Citizen Lab

A spearphishing campaign in March 2025 targeted members of the World Uyghur Congress (WUC) living in exile, delivering malware disguised as a trojanized Uyghur language text editor. Aligning with Chinese government interests, the campaign exemplifies ongoing digital transnational repression against the Uyghur diaspora. The attackers used social engineering to install malware on victims’ systems, underscoring the threats to human rights advocates and the need for vigilance against such attacks.

Affected: Uyghur diaspora, World Uyghur Congress

Key points:

  • WUC members were targeted by a spearphishing campaign in March 2025.
  • Malware was delivered through a trojanized Uyghur language text editor.
  • Attackers likely linked to the Chinese government aimed to surveil and control Uyghur exiles.
  • Past incidents of digital transnational repression have targeted Uyghurs, Tibetans, and Hong Kong exiles.
  • Google alerted WUC members about government-backed attacks, prompting an investigation.
  • Phishing emails impersonated trusted contacts and led to malware downloads that enable remote access.
  • Campaign demonstrated a pattern of using culturally relevant software to target marginalized communities.
  • Digital transnational repression tactics include physical threats and harassment of Uyghurs and their families.
  • Cybersecurity measures are suggested for vulnerable communities to mitigate risks of digital attacks.

MITRE Techniques:

  • Phishing (T1566) – The attackers used spearphishing emails impersonating trusted contacts to lure targets into downloading malware.
  • Command and Control (T1071) – The malware communicated with command-and-control servers through hardcoded domains specified in the code.
  • Remote Access Tools (T1219) – The malware allowed remote operators to access victims’ systems and execute commands, enabling further malicious activities.
  • Exploitation for Client Execution (T1203) – The trojanized software ran its malicious payload when victims executed what appeared to be a legitimate application.

Indicators of Compromise:

  • [Domain] tengri[.]ooguy[.]com
  • [Domain] anar[.]gleeze[.]com
  • [IP Address] 149.28.146.29
  • [IP Address] 139.180.130.141
  • [Hash] d6874907d0e558cba614313c60b84c912b10ca3c539661a3885daaadb1cb2b2b
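As an added illustration (not code from the Citizen Lab report), the following Python scanner refangs the indicators listed above and checks DNS, proxy and EDR log lines for them; the log lines are constructed samples, and matching a subdomain of a listed C2 domain is an assumption made here for coverage.

```python
from __future__ import annotations
import re

# IoCs as published in this summary, in defanged form ([.] instead of .).
DEFANGED_IOCS = {
    "domain": ["tengri[.]ooguy[.]com", "anar[.]gleeze[.]com"],
    "ip": ["149.28.146.29", "139.180.130.141"],
    "sha256": ["d6874907d0e558cba614313c60b84c912b10ca3c539661a3885daaadb1cb2b2b"],
}

def refang(value: str) -> str:
    """Turn a defanged indicator back into a lower-case matchable string."""
    return value.replace("[.]", ".").lower()

IOCS = {kind: {refang(v) for v in vals} for kind, vals in DEFANGED_IOCS.items()}

# One capture group: an IPv4 address or a dotted hostname token in a log line.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")

def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs for every listed IoC found in one log line.
    Assumption: a subdomain of a listed domain (e.g. x.tengri.ooguy.com) also counts."""
    hits = []
    lowered = line.lower()
    for tok in HOST_RE.findall(lowered):
        if tok in IOCS["ip"]:
            hits.append(("ip", tok))
        for dom in IOCS["domain"]:
            if tok == dom or tok.endswith("." + dom):
                hits.append(("domain", dom))
    for digest in SHA256_RE.findall(lowered):
        if digest in IOCS["sha256"]:
            hits.append(("sha256", digest))
    return hits

def scan_log(lines) -> list[tuple[int, str, str]]:
    """Scan many lines; yields (line number, kind, indicator) for each hit."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line)]

# Constructed sample telemetry (not real victim data): DNS query, proxy connect, EDR file event, benign noise.
SAMPLE_LOG = [
    "2025-03-12T09:14:03Z dns query=tengri.ooguy.com type=A client=10.0.0.23",
    "2025-03-12T09:14:04Z proxy CONNECT 139.180.130.141:443 user=editor",
    "2025-03-12T09:15:10Z edr file=UyghurEdit.exe sha256=D6874907D0E558CBA614313C60B84C912B10CA3C539661A3885DAAADB1CB2B2B",
    "2025-03-12T09:16:00Z dns query=updates.example.com type=A client=10.0.0.23",
]

if __name__ == "__main__":
    for n, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} match -> {ioc}")
```

Hashes are compared case-insensitively because EDR products differ in how they print digests.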

Full Story: https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/