{
	"id": "9acb52ac-b7a1-4521-b113-8f3adc10700f",
	"created_at": "2026-04-06T00:13:20.749683Z",
	"updated_at": "2026-04-10T03:30:33.061212Z",
	"deleted_at": null,
	"sha1_hash": "25b78029279010c0acb9d6ed8cf1e69d28cbbda7",
	"title": "Lookout Discovers New Chinese Surveillance Tool Used by Public Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1485994,
	"plain_text": "Lookout Discovers New Chinese Surveillance Tool Used by Public Security\r\nBy Lookout\r\nPublished: 2024-12-11 · Archived: 2026-04-05 17:00:26 UTC\r\nResearchers at the Lookout Threat Lab have discovered a surveillance family, dubbed EagleMsgSpy, used by law enforcement in China to collect extensive information from mobile devices. Lookout has acquired several variants of the Android-targeted tool; internal documents obtained from open directories on attacker infrastructure also allude to the existence of an iOS component that has not yet been uncovered.\r\nEagleMsgSpy\r\nThe surveillance family has been operational since at least 2017 and appears to require physical access to the device to initiate surveillance operations. An installer component, presumably operated by law-enforcement officers who have gained access to the unlocked device, delivers a headless surveillance module that remains on the device and collects extensive sensitive data. We believe this is the only distribution mechanism; neither the installer nor the payload has been observed on Google Play or other app stores.\r\nhttps://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware\r\nPage 1 of 12\n\nAt launch, the installer presents the user with multiple options for installing and initiating the surveillance module and for granting it additional permissions.\r\nThe installer app also suggests that the tool is used by multiple customers of the software vendor, since it requires the user to enter a “channel”, which, according to documentation Lookout researchers were able to access, corresponds to an “account”.\r\nAcross variants, Lookout researchers have observed increasingly sophisticated obfuscation and storage of encrypted keys over time. 
This indicates that the surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis.\r\nThe surveillance payload collects an extensive amount of data about the victim device:\r\nNotification Listener and Accessibility Services monitor device use and intercept incoming messages\r\nCollects all messages from QQ, Telegram, Viber, WhatsApp and WeChat\r\nInitiates screen recording of the device through the MediaProjection API\r\nCaptures screenshots\r\nCaptures audio recordings of the device while in use\r\nCollects call logs\r\nCollects device contacts\r\nCollects SMS messages\r\nCompiles a list of installed applications on the device\r\nRetrieves GPS coordinates\r\nRecords Wi-Fi and network connection details\r\nCompiles a list of files in external storage\r\nCollects bookmarks from the device browser\r\nAfter data is collected, it is staged in a hidden directory on the device’s file system for eventual exfiltration. The data files are compressed and password-protected before being sent to the command-and-control (C2) server.\r\nEagleMsgSpy C2 servers host an administrative panel requiring user authentication, with landing pages that read “维稳研判系统” (“Stability Maintenance Judgment System”). The panel is implemented with the AngularJS framework; its routing and authentication are configured correctly, preventing unauthorized access to the extensive admin API. However, Lookout researchers were able to retrieve large parts of the panel’s client-side JavaScript source code.\r\nThe source code revealed multiple functions that distinguish between device platforms (Android vs. iOS). This implies the existence of an iOS version of the surveillance tool, though Lookout researchers have not been able to locate it to date. 
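A device-side triage check for the grants listed above, added here as an example and not code from the Lookout report. It parses the output of four adb shell commands (the captured output below is constructed; the package name com.android.mm.update, the allow-list and the second APK digest are hypothetical), flags any package outside the allow-list that holds a notification-listener or accessibility-service grant, and matches installed APK hashes against the SHA1 indicators published in the report’s IoC section:

```python
# Added example, not code from the Lookout report: offline triage of captured
# `adb shell` output for the two Android grants EagleMsgSpy abuses (notification
# listener and accessibility service) plus an APK-hash check against the SHA1
# indicators published in the report. All device output below is constructed;
# the package com.android.mm.update and the allow-list are hypothetical.
#
# Capture the inputs on the device with:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -f
#   adb shell sha1sum <path of each base.apk from the pm listing>

EAGLEMSGSPY_SHA1 = {
    # Subset of the SHA1 indicators from the report; extend with the full list.
    'dab40467824ff3960476d924ada91997ddfce0b0',
    'fef7ad2b74db3e42909c04816c66c61c61b7a8c4',
    'ddc729ecf21dd74e51e1a2f5c8b1d2d06ed4a559',
    '6d043b4d7bc513cc6d3e308a84ed8b63e3bab4f6',
}

# Packages allowed to hold these grants on this device (constructed allow-list).
KNOWN_GOOD = {'com.example.launcher', 'com.example.wearcompanion'}


def parse_component_setting(value):
    '''Parse a Settings.Secure component list such as
    enabled_notification_listeners: colon-separated flattened ComponentNames
    (package/class), or the literal string null when nothing is enabled.
    Returns a list of (package, component) tuples.'''
    value = (value or '').strip()
    if value in ('', 'null'):
        return []
    components = []
    for item in value.split(':'):
        item = item.strip()
        if item:
            components.append((item.split('/', 1)[0], item))
    return components


def parse_pm_list(text):
    '''Parse pm list packages -f output (package:<apk path>=<package name>)
    into {package: apk_path}.'''
    apk_paths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('package:'):
            continue
        path, sep, package = line[len('package:'):].rpartition('=')
        if sep:
            apk_paths[package] = path
    return apk_paths


def parse_sha1sum(text):
    '''Parse sha1sum output (<hex digest>  <path>) into {path: digest}.'''
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and len(parts[0]) == 40:
            digests[parts[1]] = parts[0].lower()
    return digests


def triage(listeners, accessibility, pm_list, sha1_output):
    '''Return findings: packages outside the allow-list holding a
    notification-listener or accessibility grant, and installed APKs whose
    SHA1 matches a published indicator.'''
    findings = []
    grants = (('notification_listener', listeners),
              ('accessibility_service', accessibility))
    for reason, setting in grants:
        for package, component in parse_component_setting(setting):
            if package not in KNOWN_GOOD:
                findings.append({'package': package, 'reason': reason,
                                 'detail': component})
    digests = parse_sha1sum(sha1_output)
    for package, path in parse_pm_list(pm_list).items():
        digest = digests.get(path)
        if digest in EAGLEMSGSPY_SHA1:
            findings.append({'package': package, 'reason': 'ioc_sha1',
                             'detail': digest})
    return findings


# Constructed sample output, as if captured from a suspect device.
SAMPLE_LISTENERS = ('com.example.launcher/com.example.launcher.NotifListener:'
                    'com.android.mm.update/com.android.mm.update.MsgService')
SAMPLE_ACCESSIBILITY = 'com.android.mm.update/com.android.mm.update.AccService'
SAMPLE_PM_LIST = '''package:/system/priv-app/Launcher/Launcher.apk=com.example.launcher
package:/data/app/com.android.mm.update-1/base.apk=com.android.mm.update
package:/data/app/com.example.wearcompanion-1/base.apk=com.example.wearcompanion'''
SAMPLE_SHA1 = '''dab40467824ff3960476d924ada91997ddfce0b0  /data/app/com.android.mm.update-1/base.apk
1111111111111111111111111111111111111111  /data/app/com.example.wearcompanion-1/base.apk'''


def run_example():
    '''Run the triage over the constructed sample and return its findings.'''
    return triage(SAMPLE_LISTENERS, SAMPLE_ACCESSIBILITY,
                  SAMPLE_PM_LIST, SAMPLE_SHA1)


if __name__ == '__main__':
    for finding in run_example():
        print(finding)
```

A grant finding on its own is only a lead: legitimate launchers, wearable companions and automation apps also hold these permissions, which is why the allow-list exists. A hash match against the published indicators is conclusive for that sample, but the reverse does not hold, since the report describes the tool as actively maintained and the list covers only acquired variants.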
\r\nA function, getListIOS(), from /assets/js/controller/device/im.js is called separately for devices identified as running iOS.\r\nLookout researchers also uncovered two documents that point the user to two help files: one titled “EAGLE 系统用户说明书” (Eagle System User Manual), for using the “Eagle” admin panel, and one for installing and configuring the “MM” EagleMsgSpy surveillance client.\r\nAn introduction page summarizes the EagleMsgSpy client’s capabilities and use cases.\r\nThe introduction to the “EAGLE 系统用户说明书” manual calls the EagleMsgSpy surveillanceware “手机临侦” (“Mobile Phone Temporary Investigation”) and describes it as a “comprehensive mobile phone judicial monitoring product” that can obtain “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals and summarize them”.\r\nThe document further describes several methods for acquiring the surveillance client and installing it on the device: through a QR code, or through a physical device that installs the client when connected over USB.\r\nThe Eagle system manual describes this view as the \"Contact Geographical Distribution\" graph, and explains in the documentation that it “shows the geographical distribution of contacts in the phone's address book, text messages, and call records.”\r\nThe Eagle System User Manual also documents many of the views available to administrators through the Eagle web panel. 
These include distribution graphs and heatmaps for geographical data tied to a target device’s contacts, a “Top 10” list of the most frequently contacted individuals, and numerous views for reviewing data collected from a compromised device. The administrator can also trigger real-time photo and screenshot collection from a device, block incoming and outgoing calls and SMS messages involving specific phone numbers, and initiate real-time audio recording on the device.\r\nThe admin panel allows users to trigger real-time audio recordings on the device, as demonstrated in this screenshot from the manual.\r\nAttributing EagleMsgSpy\r\nThe IP address of one of the C2 servers encountered during the investigation had previously been pointed to by several subdomains associated with a private Chinese technology company, Wuhan Chinasoft Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司). The root domain, tzsafe[.]com, was encountered in promotional materials found during an OSINT investigation into this Wuhan-based company. The string tzsafe also appears in all known versions of the MM surveillance module as part of a password used for encryption.\r\nA screenshot of the GPS analysis panel shows two sets of GPS coordinates for locations near the 武汉中软通证信息技术有限公司 (Wuhan Chinasoft Token Information Technology Co., Ltd.) office.\r\nIn the aforementioned EagleMsgSpy admin user manual, a screenshot displaying the locations of target devices (presumably test devices) shows two sets of coordinates located ~1.5 km from the registered business address of Wuhan Chinasoft Token Information Technology Co., Ltd.\r\nBusiness registration documents for the company list an opening date of July 14th, 2016 and a staff size of fewer than 50 personnel. 
Its listed “English company name” is Wuhan Zhongruan Tongzheng Information Technology Co., Ltd, with a registered address in the Wuhan East Lake New Technology Development Zone (武汉市东湖新技术开发区). In the promotional documents obtained by Lookout, the company refers to itself as “Wuhan ZRTZ Information Technology Co, Ltd.”, with ZRTZ presumably being the initials of the Pinyin “zhōngruǎn tōngzhèng” (中软通证).\r\nBased on this infrastructure overlap, open-source intelligence and references within the source code to part of the company’s commercial domain, Lookout researchers assess with high confidence that EagleMsgSpy was developed (and continues to be maintained) by Wuhan Chinasoft Token Information Technology Co., Ltd.\r\nConnections to Public Security Bureaus\r\nInfrastructure overlap between EagleMsgSpy C2s and domains used by public security bureaus (公安局) in mainland China indicates that the surveillance tool was likely used by several such bureaus across the region. Public security bureaus are government offices that essentially act as local police stations, responsible for social order and local policing.\r\nPublic security bureaus in mainland China identified with ties to EagleMsgSpy infrastructure.\r\nAn early EagleMsgSpy variant from 2017 specifies a hardcoded C2 address that was the resolving IP for two Chinese government websites at the time this variant was packaged. The domains zfga.gov[.]cn and ytga.gov[.]cn are used for the public-facing websites of the Yantai Public Security Bureau and its associated branches. 
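The two attribution pivots used in this section, as an added example that is not part of the original report: given passive DNS rows, find the domains that resolved to a sample’s hardcoded C2 IP around the time the sample was packaged; and given (IP, certificate fingerprint) observations, find non-C2 IPs that share a certificate with known C2s. The rows, hostnames, fingerprints and the RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24) are constructed; the report’s actual C2 IPs and domains are listed in its IoC section.

```python
# Added example, not code from the Lookout report: the two infrastructure pivots
# used in this section, on constructed data. (1) Which domains resolved to a
# sample's hardcoded C2 IP around the time the sample was packaged, from
# passive DNS rows; (2) which non-C2 IPs share a TLS certificate with known
# C2s. The passive DNS rows, certificate fingerprints and the 192.0.2.0/24 and
# 198.51.100.0/24 addresses (RFC 5737 documentation ranges) are made up; real
# data would come from a passive DNS provider and a certificate-scanning source.
from datetime import date, timedelta


def refang(indicator):
    '''Restore a report-style defanged indicator (tzsafe[.]com) to usable form.'''
    return indicator.replace('[.]', '.')


def domains_resolving_to(pdns, ip, packaged_on, window_days=30):
    '''Domains whose resolution interval [first_seen, last_seen] for ip
    overlaps the window around packaged_on. pdns rows are
    (domain, ip, first_seen, last_seen) tuples with date values.'''
    window_start = packaged_on - timedelta(days=window_days)
    window_end = packaged_on + timedelta(days=window_days)
    hits = set()
    for domain, resolved_ip, first_seen, last_seen in pdns:
        if resolved_ip != ip:
            continue
        # Two closed intervals overlap when each starts before the other ends.
        if first_seen <= window_end and last_seen >= window_start:
            hits.add(domain)
    return sorted(hits)


def cert_pivot(observations, c2_ips):
    '''Group (ip, certificate fingerprint) observations by fingerprint and keep
    the fingerprints seen on at least one known C2 and at least one other IP.
    Returns {fingerprint: sorted list of ips}.'''
    ips_by_fingerprint = {}
    for ip, fingerprint in observations:
        ips_by_fingerprint.setdefault(fingerprint, set()).add(ip)
    shared = {}
    for fingerprint, ips in ips_by_fingerprint.items():
        if ips & c2_ips and ips - c2_ips:
            shared[fingerprint] = sorted(ips)
    return shared


# Constructed sample: a 2017 sample with a hardcoded C2, passive DNS rows and
# certificate observations. Hostnames, dates and fingerprints are illustrative.
SAMPLE_C2 = '192.0.2[.]10'
SAMPLE_PACKAGED_ON = date(2017, 3, 15)
SAMPLE_PDNS = [
    ('psb-a.example.gov.cn', '192.0.2.10', date(2016, 11, 1), date(2017, 6, 1)),
    ('psb-b.example.gov.cn', '192.0.2.10', date(2017, 2, 1), date(2017, 4, 1)),
    ('old.example.gov.cn', '192.0.2.10', date(2015, 1, 1), date(2016, 1, 1)),
    ('unrelated.example.com', '192.0.2.11', date(2017, 3, 1), date(2017, 3, 31)),
]
SAMPLE_CERT_OBS = [
    ('192.0.2.10', 'sha256:aaaa'),
    ('192.0.2.20', 'sha256:aaaa'),
    ('198.51.100.5', 'sha256:aaaa'),   # not a known C2, but serves the same cert
    ('192.0.2.20', 'sha256:bbbb'),     # seen only on a C2: nothing to pivot to
]
SAMPLE_C2_IPS = {'192.0.2.10', '192.0.2.20'}


def run_example():
    '''Return both pivots for the constructed sample.'''
    return {
        'domains_at_packaging': domains_resolving_to(
            SAMPLE_PDNS, refang(SAMPLE_C2), SAMPLE_PACKAGED_ON),
        'shared_certs': cert_pivot(SAMPLE_CERT_OBS, SAMPLE_C2_IPS),
    }


if __name__ == '__main__':
    print(run_example())
```

The time window matters: an IP that hosted a government site years before the sample was built says little, which is why the overlap test is against the packaging date rather than the whole resolution history. A shared certificate is likewise only suggestive on its own (shared hosting and default certificates produce the same signal), so the report combines it with passive DNS, OSINT on the vendor and the tzsafe string embedded in the samples.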
The domain zfga.gov[.]cn refers to the Zhifu Branch of the Yantai Public Security Bureau (烟台市公安局芝罘分局), while ytga.gov[.]cn refers to the main Yantai Public Security Bureau (烟台市公安局). Earlier domains resolving to this IP, gyga.gov[.]cn and ykga.gov[.]cn, were used by the Guiyang Public Security Bureau (贵阳市公安局) and Yantai Development Zone Public Security Bureau (烟台开发区公安局) websites.\r\nFurthermore, an SSL certificate used by three C2s hardcoded in EagleMsgSpy variants was also used by an IP address that was the former resolving IP for the Dengfeng Public Security Bureau (登封市公安局) website.\r\nA document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgment System.\r\nCalls for proposals (CFPs) for government contracts in China are often publicly available, and Lookout researchers located multiple bidding contracts from other public security bureaus for similar systems whose generic names are identical to those of the panels hosted on EagleMsgSpy C2 servers. This suggests that EagleMsgSpy is just one of many contracted mobile surveillance tools used by law enforcement throughout mainland China.\r\nConnections to Other Chinese Surveillanceware Apps\r\nInfrastructure sharing SSL certificates with EagleMsgSpy C2 servers was also used by known Chinese surveillance tools in earlier campaigns. The IP address 202.107.80[.]34 was used by 15 PluginPhantom samples from early 2017 to late 2020. PluginPhantom has been used in campaigns by Chinese APTs.\r\nA sample of CarbonSteal, a surveillance tool discovered by Lookout and attributed to Chinese APTs, was observed communicating with another IP tied to the EagleMsgSpy SSL certificate, 119.36.193[.]210. 
This sample, created in July 2016, masquerades as a system application called “AutoUpdate”.\r\nIn a 2020 threat advisory, Lookout researchers detailed CarbonSteal activity in campaigns targeting minorities in China, including Uyghurs and Tibetans. Significant overlap in signing certificates, infrastructure and code was observed between CarbonSteal and other known Chinese surveillance tools, including Silkbean, HenBox, DarthPusher, DoubleAgent and PluginPhantom.\r\nConclusion\r\nEagleMsgSpy is a lawful-intercept surveillance tool developed by Wuhan Chinasoft Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司) and used by public security bureaus in mainland China. The malware is placed on victim devices and configured through access to the unlocked device. Once installed, the headless payload runs in the background, hides its activity from the device’s user and collects extensive data about them. Public CFPs for similar systems indicate that this surveillance tool, or analogous systems, are in use by many public security bureaus in China.\r\nIndicators of Compromise\r\nSHA1\r\ndab40467824ff3960476d924ada91997ddfce0b0\r\nfef7ad2b74db3e42909c04816c66c61c61b7a8c4\r\nddc729ecf21dd74e51e1a2f5c8b1d2d06ed4a559\r\nf092dfab5b1fbff38361077f87805403318badfa\r\nd4e943ba47f762194bcf3c07be25a9f6ea5a36b0\r\ncea796beb252d1ab7db01d8a0103f7cca5d0955d\r\n5208039ef9efb317cc2ed7085ca98386ec31b0b4\r\n5d935d5ab7b7c6b301a4c79807c33e0bee23e3ff\r\n5e282b0395093c478c36eda9b4ee50c92d8cf6eb\r\nec580142c0dff25b43f8525f9078dd3d6a99361c\r\n87d925a95d584e4c46545579b01713f6d74eee00\r\n880c46bf7e65e3f9a081f42582af1f072e22cf1a\r\n0b1d3d87a453f63129e73b2a32d95ef3eea94b4e\r\n8ee651a90c36a98b2ab240efb64c597c21fb6f1e\r\nf0f3e8f01a17c7d5be440dfa7ef7e5ac1f068fe5\r\n9557eebe4ee2dc602750365e722002d9f686b7fb\r\n29bbb04c0180e78bd6bad49719ce92ae17081a3b\r\n01003f047caa05873ee420e29ee54d6cc8203ca6\r\n64aca40e982836b72f156fb66b6383a0634d12cc\r\ne6b270be7a6c3cca16ae7268f3a93c74c14b0510\r\ncaa93aa37353cab26a30e291c41fe579d3304e1a\r\nd6d706b23caefb2822914e294452ada77710eff3\r\n4dfcc0b99f81b66c56059a72d4e149bc5d728b87\r\n81c572580d09231fbdc3cf4fedb2aa07be3b7769\r\n59987ceadbd899314ffcf77958faf3b35aa064cd\r\n89642d092adaea7ad1e5ae77dea97bbdef5839d1\r\n6d043b4d7bc513cc6d3e308a84ed8b63e3bab4f6\r\nIP\r\n61.136.71[.]171\r\n149.28.21[.]203\r\n47.112.137[.]199\r\n59.48.241[.]214\r\n61.163.69[.]238\r\n59.48.241[.]22\r\n220.168.203[.]197\r\n218.200.20[.]254\r\n202.107.80[.]34\r\n124.163.212[.]149\r\n119.36.193[.]210\r\n101.201.213[.]210\r\n111.21.6[.]126\r\nDomain\r\nxkong.tzsafe[.]com\r\nwww.tzsafe[.]com\r\nqzapp.tzsafe[.]com\r\nkong.tzsafe[.]com\r\ni.tzsafe[.]com\r\ngit.tzsafe[.]com\r\nes.ngrok.tzsafe[.]com\r\nefence.demo.tzsafe[.]com\r\neagle.zrtsafe[.]com\r\neagle.tzsafe[.]tk\r\neagle.tzsafe[.]com\r\neagle.demo.tzsafe[.]com\r\nbug.tzsafe[.]com\r\nSource: https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware"
	],
	"report_names": [
		"eaglemsgspy-chinese-android-surveillanceware"
	],
	"threat_actors": [
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25b78029279010c0acb9d6ed8cf1e69d28cbbda7.pdf",
		"text": "https://archive.orkl.eu/25b78029279010c0acb9d6ed8cf1e69d28cbbda7.txt",
		"img": "https://archive.orkl.eu/25b78029279010c0acb9d6ed8cf1e69d28cbbda7.jpg"
	}
}