{
	"id": "fd6a1116-1638-4bf5-abcf-adcf6cde5bd6",
	"created_at": "2026-04-06T00:20:52.218382Z",
	"updated_at": "2026-04-10T03:37:54.269978Z",
	"deleted_at": null,
	"sha1_hash": "1d5643affceb9846711799a75208ceeb0462adf4",
	"title": "Lookout Discovers Surveillance Campaigns Targeting Uyghurs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4179707,
	"plain_text": "Lookout Discovers Surveillance Campaigns Targeting Uyghurs\r\nBy Lookout\r\nPublished: 2024-01-22 · Archived: 2026-04-05 19:49:14 UTC\r\nSummary\r\nThe BadBazaar malware family is tied to Chinese hacking group APT15.\r\nIn January 2024, Lookout published an in-depth analysis of the iOS variant of BadBazaar.\r\nPreviously, Lookout researchers uncovered the Android version in November 2022.\r\nBadBazaar, alongside MOONSHINE spyware, has been known to target Tibetan and Uyghur minorities\r\nwithin China. There is evidence that it could have been used internationally as well.\r\nLookout Mobile Endpoint Security customers are protected.\r\nContact us if you have been targeted or would like to consult with our research team on mobile threats.\r\nWhat is BadBazaar surveillanceware?\r\nBadBazaar is a family of mobile surveillanceware that is attributed to the Chinese-backed hacking group APT15, also\r\nknown as VIXEN PANDA and NICKEL. With its extensive data collection capabilities, the spyware is\r\nprimarily used by Chinese authorities to track “pre-criminal” activities within the Tibetan and Uyghur\r\ncommunities that are considered indicative of religious extremism or separatism.\r\nLookout Threat Intelligence Lab researchers uncovered the Android version in November 2022, with evidence of\r\nit targeting both Uyghur minorities in the Chinese province of Xinjiang as well as Muslim populations in general\r\naround China and abroad, including countries like Turkey and Afghanistan. There was evidence of the spyware\r\nbeing submitted to the Google Play store, but it was never made available for download. It shared infrastructure with\r\nother Uyghur-targeting tooling that Lookout discovered in 2020.\r\nThe iOS version of BadBazaar, which has a more limited set of capabilities compared to its Android counterpart,\r\nwas publicized by Lookout researchers in January 2024. Evidence suggests that it was primarily targeted at the\r\nTibetan community within China. 
The app was published to the Apple App Store in December 2021 but was\r\nsubsequently taken down at an unknown date.\r\nThe iOS variant of BadBazaar (January 2024)\r\nIn September 2023, Volexity reported activity that was seemingly related to BadBazaar. In their analysis, they\r\nsuspected that an iOS variant had emerged and been published to the Apple App Store as TibetOne, an app with content\r\nrelated to Tibetan interests which doesn’t mimic an existing, legitimate app.\r\nLookout researchers were able to acquire and analyze the sample mentioned in Volexity’s reporting. Based on in-depth analysis of the command and control (C2) domain names, IP addresses, and delivery infrastructure, we were\r\nhttps://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine\r\nPage 1 of 22\n\nable to confirm it as an iOS variant of BadBazaar and attribute it with high confidence to the Chinese hacking\r\ngroup APT15. This is the same threat actor behind the Android version that Lookout originally discovered in\r\nNovember 2022 (see section below).\r\nAt the time of this updated write-up, the iOS variant seemed to have more limited capabilities compared to the\r\nAndroid variant. There is evidence that the app could still be in development, as some of its functionalities don’t\r\nseem to do anything malicious.\r\nBadBazaar iOS is masqueraded as an app called TibetOne that does not mimic an already existing\r\napp.\r\nHow it’s deployed\r\nMasqueraded as TibetOne, the iOS variant of BadBazaar is a cultural portal app built to appeal to Tibetan culture.\r\nThe app functions essentially as a user interface for the website tibetone[.]org with content related to Tibetan\r\ninterests. The website itself does not seem to have any malicious functions, but it does have connections to the C2\r\ninfrastructure of both the iOS and Android versions of BadBazaar. 
This makes us think that the website could be\r\nrun by the threat actor to create legitimacy with the ultimate goal of luring victims.\r\nThe app was published to the App Store in December 2021 but was subsequently removed at an unknown date.\r\nOne of the ways BadBazaar was distributed was via the social messaging app Telegram. TibetOne-related promotional\r\nmessages were published to a Tibetan Telegram channel named “tibetanphone” with over 625 subscribers.\r\nTibetOne promotional messages were published to a Tibetan Telegram channel named\r\n“tibetanphone” that had over 625 subscribers.\r\nTechnical analysis\r\nData Collection and Exfiltration\r\nWhile the iOS variant of BadBazaar has relatively limited capabilities versus its Android counterpart, it still has\r\nthe ability to exfiltrate personal data from the victim’s device, including:\r\nDevice name\r\nDevice type\r\nLocal IP\r\nOS version\r\nUDID\r\nLocation\r\nThe app also requests add-only access to the user's photo library, which is used to download images to the local\r\nphoto library. While this permission doesn’t appear to be used for anything nefarious in the malware’s current\r\nstate, it seems that the developers may have plans to exploit this function in future iterations.\r\nThe collected data is sent to https://tryhrwserf[.]com:4432/api/iosvalues with an HTTP POST request.\r\nBadBazaar iOS exfiltrates basic device information from the victim device.\r\nOne of the main ways BadBazaar iOS collects data is by abusing the location permissions it acquired to show the\r\ncurrent weather based on the device’s location. It utilizes the OpenWeatherMap web API, a legitimate third-party\r\nweather information provider, to get the current weather data with the unique API key\r\n“64ffc9b16a9884436fa2ef3bf5248075”. 
\r\nTibetOne app requests location permissions to show the local weather information but also\r\nexfiltrates the location to the C2.\r\nBadBazaar iOS uses this location data and compiles the following information about its target: local IP address,\r\nlatitude, longitude, location name, and UDID. This information is then sent to\r\nhttps://tryhrwserf[.]com:4432/api/ioslogin.\r\nFor C2 communications, BadBazaar iOS uses SSL pinning with the embedded certificate file “WIN-I6VBN8MR92A.cer” (SHA1 fingerprint: 55191348eb763dc853a719c0f3defdbe354127db) from the assets folder.\r\nLocation data is sent to BadBazaar iOS’s C2 with a POST request.\r\nThe app also requests add-only access to the user's photo library, which is used to download images to the local\r\nphoto library. This permission can’t be used to access already existing photos.\r\nThe app requests add-only access to the photo library but doesn’t abuse it in a malicious way.\r\nInfrastructure\r\nThe C2 domain for the iOS variant, which is tryhrwserf[.]com, still resolves to an IP address\r\n(148[.]251[.]87[.]197). However, the C2 backend responds with an error page to the client requests — indicating\r\nthat this particular C2 is down. Despite that, we were still able to learn that the C2 servers for the Android and iOS\r\nvariants share many similarities. They are both hosted on Windows servers and the web application runs on\r\nASP.NET. There are usually two or three ports open on the servers: one is for the C2 API (4432 or 4332) and the\r\nother (56931) is for RDP connections.\r\nC2 for the BadBazaar Android variant leaks API endpoints via an unsecured API help page.\r\nTibetOne’s C2 domain is connected to a wide network of infrastructure related to BadBazaar based on shared IP\r\naddresses and whois data. 
One of the BadBazaar Android C2 addresses reported in the Volexity report,\r\nsignalplus[.]org, has an unsecured API help page (https://signalplus[.]org:4332/Help) which reveals different API\r\nendpoints. However, none of the endpoints leak any data about the victims.\r\nIt’s interesting to note that another C2 in the Volexity report, flygram[.]org, was leaking API endpoints. This C2\r\nhad iOS-related API endpoints named “api/IosUploadFile”, which indicates there might be a new and improved\r\nversion of the BadBazaar iOS variant that can exfiltrate files from victim devices.\r\nBadBazaar iOS may be an ongoing development\r\nThe discovery of this iOS variant of BadBazaar indicates that the developers are continuing to iterate on the\r\nmalware. While the sample we investigated had relatively light functionality versus its Android counterpart, there\r\nare two indications of possible continued development.\r\nThe first indicator is the previously mentioned capability for the malware to access the photo library of the victim\r\ndevice. The second is that a C2 in the Volexity report, flygram[.]org, was leaking API endpoints. Together, they\r\nshow that the developer could be working on ways to directly exfiltrate data and files from the victim’s device and\r\nupload them to that location on the C2 server.\r\nLookout researchers will continue to track the iOS variant of BadBazaar to see if it re-emerges in the future with\r\nadditional functionality that would put it in the same class of advanced surveillanceware as its Android\r\ncounterpart. 
We will update this threat entry as more information emerges.\r\n---------\r\nOriginal BadBazaar Android variant (November 2022)\r\nIn late 2021, Lookout researchers encountered a tweet from Twitter handle @MalwareHunterTeam referencing an\r\nEnglish-Uyghur dictionary app that had been flagged by VirusTotal contributors as malware tied to Bahamut, a\r\nthreat actor primarily active in the Middle East. While analyzing this sample, it became clear that this malware\r\nwas instead connected to surveillance campaigns targeting Uyghurs and other Turkic ethnic minorities in China\r\nand abroad. Overlapping infrastructure and TTPs indicate these campaigns are connected to APT15, a Chinese-backed hacking group that’s also known as VIXEN PANDA and NICKEL. We named this malware family\r\nBadBazaar in response to an early variant that posed as a third-party app store titled “APK Bazar.” Bazar is a\r\nlesser-known spelling of Bazaar.\r\nIcons of apps that BadBazaar impersonates to conduct its surveillance.\r\nLookout has since acquired 111 unique samples of the BadBazaar surveillanceware dating back to late 2018. Over\r\n70% of these apps were found in Uyghur-language communication channels within the second half of 2022.\r\nOver 100 BadBazaar samples have been found on multiple Uyghur-language social media\r\nplatforms and communication channels.\r\nThe malware primarily masquerades as a variety of Android apps, such as battery managers, video players, radio\r\napps, messaging apps, dictionaries, and religious apps. We also found instances of apps pretending to be a benign\r\nthird-party app store for Uyghurs.\r\nThe campaign appears to primarily target Uyghurs in China. However, we found evidence of broader targeting of\r\nMuslims and Uyghurs outside of Xinjiang. 
Specifically, several of the samples we analyzed masqueraded as\r\nmapping apps for other countries with significant Muslim populations, like Turkey or Afghanistan. We also found\r\nthat a small subset of apps were submitted to the Google Play store, indicating that the threat actor was interested\r\nin targeting Android device users outside of China, if possible. To the best of our knowledge, the apps described in\r\nthis article were never distributed through Google Play.\r\nWhile Lookout only observed BadBazaar masquerading as Android apps, we did find a benign app\r\non the Apple App Store that communicates with a C2 used by a corresponding Android BadBazaar\r\nsample to collect basic iPhone information. This app has an identical name of “Uyghur Lughat”\r\nand icon to the BadBazaar variant.\r\nWhile Lookout only observed BadBazaar masquerading as Android apps, we did find a benign app on the Apple\r\nApp Store that communicates with a command and control (C2) server used by a corresponding Android\r\nBadBazaar sample to collect basic iPhone device information. This iOS app, with an identical name of “Uyghur\r\nLughat” and icon, did not contain the same surveillance capabilities, but sends the device’s Unique Device\r\nIdentifier (UDID), the device name and system version to the C2. Since BadBazaar variants often acquire their\r\nsurveillance capabilities by downloading updates from their C2, it is possible the threat actor is hoping to later\r\nupdate the iOS sample with similar surveillance functionality.\r\nThe iOS Uyghur Lughat app collects and sends a minimal amount of data to the C2 server that the\r\nAndroid BadBazaar with data exfiltration capability uses.\r\nCapabilities\r\nBadBazaar appears to have been developed following an iterative process. 
Early variants bundled a payload,\r\nupdate.jar, within the Android APK file and loaded it once the app had been launched. Later, this process was\r\nupdated to produce samples with limited surveillance capabilities within the APK itself. The malware instead\r\nrelies on the app’s ability to update itself through a call to its C2 server.\r\nSome BadBazaar apps would query their C2 server for a new version and the C2 would provide a\r\nURL for the new APK.\r\nIn its most recent iteration, however, BadBazaar acquires its payload exclusively by downloading a file from the\r\nC2 server at port 20121 and storing it in the app’s cache directory.\r\nThe BadBazaar payload is read from the server into a file named “update.jar”.\r\nThe Android surveillance tool is capable of collecting extensive device data. While some variants don’t have\r\nsubstantial surveillance capabilities, many collect the following details:\r\nLocation (latitude and longitude)\r\nList of installed packages\r\nCall logs and geocoded location associated with the call\r\nContacts information\r\nInstalled Android apps\r\nSMS information\r\nExtensive device information, including the model, language, IMEI, IMSI, ICCID (SIM serial number),\r\nphone number, timezone, and the centralized registry of the user's online accounts\r\nWi-Fi info (connected or not, and if connected, the IP, SSID, BSSID, MAC, netmask, gateway, DNS1,\r\nDNS2)\r\nRecord phone calls\r\nTake pictures\r\nData and database files from the trojanized app’s SharedPreferences directory\r\nRetrieve a list of files on the device that end in .ppt, .pptx, .docx, .xls, .xlsx, .doc, or .pdf\r\nFolders of interest as specified dynamically from the C2 server, including images from the camera and\r\nscreenshots, Telegram, WhatsApp, GBWhatsApp, TalkBox, Zello attachments, logs, and chat history\r\nInfrastructure\r\nBadBazaar threat actors use SSL pinning in an 
attempt to prevent “adversary-in-the-middle” attacks. An SSL\r\ncertificate file is stored in the resources directory of the APK and is used to verify the identity of the client\r\ncommunicating with the threat actor’s infrastructure. Earlier variants of the malware gave the SSL certificate a\r\nCommon Name (CN) that is identical to the Windows hostname of its corresponding server, with names of\r\ncertificate files related to the package name of the app.\r\nPackage name | Certificate file name | Hostname\r\ncom.anyway.share.appstore | appstore.cer | WIN-EU0VLBL7TUJ\r\ncom.utility.uyghurdictionary | dict_client.cer | WIN-50QO3EIRQVP\r\ncom.uygur.apkstore | appstore.cer | WIN-EU0VLBL7TUJ\r\norg.freetelegram.messenger | telemon_client.cer | WMSvc-WIN-50QO3EIRQVP\r\nThe most recently encountered samples of BadBazaar all use the same SSL certificate, with the SHA1 thumbprint\r\n“87a3d3f9bb6c78a5e71cfdf9975ca6a083dd5ebc”, the filename “myserver.cer” and the common name “MyServer.”\r\nThe most recent variants of BadBazaar use the same SSL certificate details, including a common\r\nname and filename.\r\nThe C2 server domains use a three-letter subdomain that appears to correspond to the app title, for example:\r\n“afg.collinformations[.]com” for the app Radio Afghanistan.\r\nOne of the C2 domains, “actuallys[.]com,” is connected to a registrar email,\r\n“WANGMINGHUA6@GMAIL.COM.” This email address is associated with other malware campaigns. In 2015,\r\nPalo Alto Networks published a report on Cmstar Downloader, where actors had used this email address to\r\nregister over a half dozen C2 domains and later changed the email registration. 
Palo Alto Networks researchers\r\nbelieve “this registrant email is likely a re-seller, and/or someone who initially sets up infrastructure for particular\r\nAPT threat actors.” The domains this email has registered in the past align with campaigns targeting Russia and\r\nEastern Asia, and have also shown a connection to Lurid and Enfal malware, which have been used by multiple\r\nChinese threat actors such as PittyTiger, APT15, and APT27.\r\nDoubleAgent Connection\r\nIn previous reporting on Uyghur surveillanceware in 2020, Lookout detailed a family known as DoubleAgent.\r\nResearchers discovered shared infrastructure between samples from DoubleAgent and BadBazaar, indicating they\r\nmay be managed by the same actor. A BadBazaar sample titled “Batter Master” connects to the C2\r\n“bat.androidupdated[.]net:5556,” while a DoubleAgent sample “Disk photo recovery” connects to the C2\r\n“apps.androidupdated[.]net.” Both C2 domains resolved to “65.21.92[.]67” during the same time frame.\r\nMapping out GPS coordinates listed in the management panel shows a close clustering centering\r\naround Tang chang’an Wall Site Park. One of these is located in an area labeled Xi’an Tianhe\r\nDefense Technology, a large defense contractor in China.\r\nIn that same research, Lookout researchers connected infrastructure used by another surveillanceware family,\r\nGoldenEagle, to the Chinese defense contractor Xi’an Tianhe Defense Technology Co., Ltd, through GPS\r\ncoordinates of test devices acquired from insecure C2 administrator panels. Another Chinese technology company,\r\nXi'an Astronomical Point Network Technology Co., Ltd. was listed as a registrant for two domains used by\r\nGoldenEagle surveillanceware. A subset of GoldenEagle samples were found to communicate with a C2 server\r\nknown to be associated with DoubleAgent activity. 
\r\nMOONSHINE\r\nIn 2019, Citizen Lab reported an Android exploit targeting members of Tibetan activist groups using spear phishing\r\nmessages through WhatsApp. This exploit, and the associated surveillance tool that was installed on compromised\r\ndevices, was dubbed MOONSHINE and attributed to the APT group POISON CARP.\r\nThe exploit followed a multi-stage installation process where the initial link sent to a targeted victim downloaded\r\nan executable that installed subsequent modules, named Whisky, Bourbon, and Scotch, to overwrite legitimate\r\nnative libraries in popular apps like Facebook and WeChat. These modules allowed the attacker to maintain\r\npersistence by establishing communications with a C2 server through websockets and initiate surveillance\r\ncapabilities on the exploited device.\r\nEarly Campaigns\r\nShortly after Citizen Lab’s disclosure, Lookout researchers discovered app-based Android surveillance tooling,\r\nacquired in early 2019, that did not exploit the device. Instead, it used a slightly modified version of\r\n“libbourbon.so” to extract and run the “scotch.jar” payload responsible for performing surveillance activities. The\r\nnames of both the native library file and the payload were identical to MOONSHINE, and many of the same\r\nindicators of compromise could be found in both implementations.\r\nMany of these early variants requested extensive permissions and appeared to be under development. 
However,\r\nsome requiring fewer permissions introduced characteristics of the “Whisky” stage to the Scotch module,\r\nattempting to overwrite the same native library files in popular messaging apps like Facebook, QQ, or WeChat.\r\nMOONSHINE examples Lookout examined looked to replace native library files from popular\r\nmessaging apps.\r\n2022 Uyghur-targeting Campaigns\r\nSince July 2022, Lookout researchers have discovered more than 50 unique samples of MOONSHINE that differ\r\nfrom the earlier variants. The rate at which new samples are deployed indicates these campaigns are ongoing. The\r\nmajority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram,\r\nor trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps.\r\nA subset of app icons used by recent samples of the MOONSHINE surveillance tool, which\r\nillustrates the different types of app it masquerades as.\r\nOur MOONSHINE samples were acquired from multiple Uyghur-language communication channels, some\r\nboasting hundreds of members. Many of the apps shared within these channels were posted in response to requests\r\nfor app suggestions, such as Android apps that provided offline map access.\r\nOccasionally, users would share an app with no context, but many attempted to legitimize their post with\r\ncomments like, “This is the application I use,” or, “I have an app [that is] very convenient to use in Turkey. I don't\r\nknow about other countries; try it.”\r\nTelegram users publicly accuse certain channels or accounts of spreading malicious content. 
We\r\nbelieve that some of the malware mentioned may be \r\nTelegram channels occasionally discuss surveillance apps that may have been shared through the channel, as well\r\nas other Uyghur-language accounts that have been accused of being “controlled by Chinese state surveillance\r\noperators.” More commonly, though, users seem willing to download apps shared by others within the channel.\r\nCapabilities\r\nThe source code for these new trojanized apps is nearly identical to that of the legitimate app they pretend to be,\r\nwith the exception that it loads a native library, “libout.so.” This native library functions similarly to the\r\n“libbourbon.so” library in the 2020 sample of MOONSHINE. It extracts and loads the “scotch.jar” surveillance\r\npayload to a directory named “app_sikhywis_ca55200e” and acquires C2 details for retrieving secondary modules.\r\nC2 operations are performed via websocket at a domain and port acquired by decrypting an XOR-encrypted series\r\nof bytes using a key derived from the last 4 bytes of the “libout.so” file.\r\nMOONSHINE’s native library decrypts and extracts the scotch app and loads it through a\r\nDexClassLoader.\r\nThe app-based MOONSHINE acquires the secondary modules, “bourbon.jar” and “icecube.jar,” mentioned in the\r\nCitizen Lab report. 
Newer variants developed in late 2022 introduce additional modules, “cpcom.jar” and\r\n“salt.jar.” All surveillance capabilities are implemented within these five modules.\r\nMOONSHINE introduced two new modules in late 2022: cpcom.jar and salt.jar, which are\r\ndownloaded to the same directory, app_sikhywis_ca55200e, as was previously encountered in\r\nearlier variants.\r\nThe specified C2 infrastructure is encrypted and stored in a SharedPreferences XML file named\r\n“8B14B755-C161-4804-A62B-8776315E07CD.xml.” Additional infrastructure may be specified by the C2 and added to this\r\nfile for use by the malware after it has been initialized. A decryption method called “deserialize” Base64-decodes\r\nthe configuration string and uses a hard-coded AES encryption key to decrypt the resulting value. The decrypted\r\nvalue is a GZIP-formatted string, which is unzipped to return a JSON array that is used by the malware client.\r\nThe obfuscated JSON string used by MOONSHINE is retrieved from the SharedPreferences file and\r\ndecrypted to retrieve the MOONSHINE C2 domain and port.\r\nDecrypting the string returns a list of modules to be used by the scotch app, as well as the C2 domain and port for\r\nacquiring these modules and performing C2 operations.\r\nA list of MOONSHINE’s modules with their creation dates and the specified C2 websocket is stored\r\nin an encrypted XML file in the app’s SharedPreferences directory.\r\nOnce the malware client has acquired the C2 infrastructure, it initiates a websocket and establishes a connection\r\nwith the C2. The malware client collects and sends extensive details about the device, including network activity,\r\nwhether the device is rooted, and the user’s IP address. 
\r\nMOONSHINE collects a significant amount of information from the compromised device and\r\nexfiltrates it to the C2 during the websocket setup.\r\nTwo parameters, “whisky_id” and “score,” are also transmitted to the C2 during the client’s initial connection. The\r\n“whisky_id” value is a unique identifier for the device based on device information and its SD card. The “score”\r\nparameter is a numerical representation of how vulnerable the device is to surveillance. A point value is assigned\r\nfor each permission granted to the malware client.\r\nThe scotch app calculates a vulnerability “score” for the device targeted by MOONSHINE based\r\non which permissions are accessible or granted to the malware.\r\nWhile previous variants of the MOONSHINE client attempted to gain persistence and access to extensive\r\npermissions by exploiting other apps by replacing their native libraries, these latest samples neither request\r\nextensive permissions from the user upon installation nor attempt to replace the native library files in any\r\nmessaging apps. The “score” parameter appears to be some kind of indicator to allow the threat actor to decide\r\nhow to proceed with the targeted device.\r\nAfter establishing its connection with the C2, the client is able to receive commands from the server to perform a\r\nvariety of functions, depending on the score generated for the device. 
The malware client is capable of:\r\nCall recording\r\nContact collection\r\nRetrieving files from a location specified by the C2\r\nCollecting device location data\r\nExfiltrating SMS messages\r\nCamera capture\r\nMicrophone recording\r\nEstablishing a SOCKS proxy\r\nCollecting WeChat data from Tencent wcdb database files\r\nCommunications are sent over a secure websocket, and additionally encrypted before transmission using a custom\r\nmethod named “serialize()”, similar to the one used to encrypt the SharedPreferences configuration file.\r\nLookout researchers intercepted communications between the MOONSHINE client and server using\r\nFrida.\r\nIn earlier variants of MOONSHINE, commands were structured as uppercase, underscore-separated descriptions\r\nof the surveillance feature in use: “GET_CALLLOG,” “DEV_INFO,” etc. The latest versions of MOONSHINE\r\nnow use websocket “groups” to classify the kind of surveillance capability being reported or commanded, and a\r\n“command” to further specify the actions being taken with that feature.\r\nFor example, the C2 may request the malware client to perform some function with the compromised device’s\r\ncamera with “list” or “capture”. If the command “list” is received, the client sends a list of all cameras on the\r\ndevice to the C2. If “capture” is received, the malware begins recording with the device camera.\r\nInfrastructure\r\nAll MOONSHINE samples connect to administrator panels similar to those shown in the 2019 Citizen Lab report.\r\nThese panels use domain names hosted by free dynamic DNS services. 
Unlike early panels, however, all recent\r\npanels are named “SCOTCH ADMIN” exclusively.\r\nThe login panels for the C2 infrastructure of MOONSHINE.\r\nWe were able to obtain the number of device IDs stored in the C2 server database, along with the unique\r\nwhisky_id, the number of items exfiltrated from device contacts, call log, location, and SMS, and an alias if one\r\nwas given to the device. A handful of these devices are assigned the alias “test.” Many have not been assigned\r\naliases, while those that do follow one of the following formats: “\\d-real”, “A-\\d”, “t\\d”, “t\\d yyyy-mm-dd”.\r\nAt the time of reporting, there are currently 635 devices logged across three “SCOTCH ADMIN” panels with\r\ntimestamps indicating continued surveillance.\r\nAttribution\r\nPrevious reporting on campaigns of POISON CARP, also known as Evil Eye and Earth Empusa, has indicated a\r\nsuspected link between the Chinese government and the threat actor. In their report from March 2021, Facebook\r\nfound specific connections between two Android-targeted POISON CARP malware families, PluginPhantom and\r\nActionSpy, and the Chinese software development companies Beijing Best United Technology Co., Ltd. (Best Lh)\r\nand Dalian 9Rush Technology Co., Ltd. (9Rush).\r\nThe 2022 MOONSHINE samples contain some details within the source code indicating the developers are likely\r\nChinese-speaking. These include specific checks for whether the victim device is using a Chinese telecom, and\r\nrelying on the popular Chinese search engine Baidu and a hardcoded Chinese IP address, 223.5.5.5, to check for\r\nnetwork connectivity. 
Additionally, the server-side API includes documentation and inline comments written in\r\nSimplified Chinese.\r\nAPI documentation found on the MOONSHINE C2 servers is written in Simplified Chinese,\r\nindicating the developers are likely Chinese-speaking and based in Mainland China.\r\nWhile Lookout researchers could not connect the malware client or infrastructure to a specific technology\r\ncompany, the malware client is a well-built and full-featured surveillance tool that would have likely required\r\nsubstantial resources. This seems to suggest that some kind of professional development company or collective\r\nwas responsible for its production.\r\nIndicators of Compromise\r\ntryhrwserf[.]com\r\ntibetone[.]org\r\nsignalplus[.]org\r\n148[.]251[.]87[.]197\r\nSHA1 of APKs:\r\n8afe90ebb4666565891fcc33e12fad410996d4d1\r\nac235440a738938c2218e2608ea229dd3584701b\r\n437f5e0aa400372a6e98de7aca32f6cf916040a0\r\n16125c5ecd29bb1d359fdbbfc127341cafbae6bf\r\n79fb6f43885df2a058a7aa9d60c88db6b44226dd\r\n66b0972bfd0786baa0076575db19b22c56d871ad\r\n047dee43dda8c09c46773d323968886d9af6b49d\r\naa4eede30b2aa975f691b6d002ca047520f2c86f\r\n724f41af93abcc7c7625a8814e43398ccbbddf2c\r\n26b2bf522a6759390a7155250ddb3ee3512bec7a\r\n02977d77c801136da581864152b80a9d6568651e\r\n12097cf566fbc31b94adf2d2a3c25617609faf68\r\n75ffd57282d23326430bc3ad789a7f3f4e643027\r\nf721db78c57993bed75af77e30ba284b314de05c\r\n9a120fce59a51c09d23b5f7274c7c0e22f2747b5\r\n9eafa52a74741bb738c20823d4b78035149ea5e0\r\n6f9203d950ed18da7251aa6c4257921b04852fb5\r\n12202d87b30bb92bf3f52eae6e93308a1829f988\r\n38be047b29b3ac19e74b9943f981b00f87a2e141\r\nf70e6d6240ee8405214d9690c1d9b55c1c7d80c3\r\n9541853c7e85cb1789945e4f9f185247d95c202d\r\n47c070b0244633536b2731062f22a86238b8d649\r\ne825e6f09ff7479d45fc35bbd6e0d662f93e93c7\r\n509cf8ccdd336ede1e8a0dcaafcec3a981c9bf12\r\nfce2190c1bd0d65d26a134980ab339af160b5880\r\n5cefce22565ffb69459fecbeeaea531ce053bd2b
\r\nInfrastructure:\r\nmsgupdate.nsupdate[.]info\r\nkuyrfikuhylkjliuyhiuy.nsupdate[.]info\r\nSource: https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine"
	],
	"report_names": [
		"uyghur-surveillance-campaign-badbazaar-moonshine"
	],
	"threat_actors": [
		{
			"id": "1b77c737-ab1f-45e9-ae50-996741d94ab2",
			"created_at": "2022-10-25T15:50:23.842907Z",
			"updated_at": "2026-04-10T02:00:05.401907Z",
			"deleted_at": null,
			"main_name": "PittyTiger",
			"aliases": [
				"PittyTiger"
			],
			"source_name": "MITRE:PittyTiger",
			"tools": [
				"gh0st RAT",
				"Lurid",
				"gsecdump",
				"PoisonIvy",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c2ef6b18-12c4-4879-a408-be4c9b03eb6e",
			"created_at": "2022-10-25T16:07:24.055115Z",
			"updated_at": "2026-04-10T02:00:04.852387Z",
			"deleted_at": null,
			"main_name": "PittyTiger",
			"aliases": [
				"G0011",
				"Operation The Eye of the Tiger",
				"Pitty Panda",
				"PittyTiger"
			],
			"source_name": "ETDA:PittyTiger",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Enfal",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Leo RAT",
				"Lurid",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Paladin",
				"Paladin RAT",
				"Pitty",
				"PittyTiger RAT",
				"Poison Ivy",
				"ReRol",
				"SPIVY",
				"gsecdump",
				"pgift",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d5643affceb9846711799a75208ceeb0462adf4.pdf",
		"text": "https://archive.orkl.eu/1d5643affceb9846711799a75208ceeb0462adf4.txt",
		"img": "https://archive.orkl.eu/1d5643affceb9846711799a75208ceeb0462adf4.jpg"
	}
}