{
	"id": "346e1591-d443-45e7-bb27-630eb963e907",
	"created_at": "2026-04-06T00:16:12.860453Z",
	"updated_at": "2026-04-10T13:11:34.238943Z",
	"deleted_at": null,
	"sha1_hash": "275a42b48bb27fe1b95a83471300b54981f21f13",
	"title": "Poison Carp, Evil Eye - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67103,
	"plain_text": "Poison Carp, Evil Eye - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 22:53:12 UTC\r\n APT group: Poison Carp, Evil Eye\r\nNames\r\nPoison Carp (Citizen Lab)\r\nEvil Eye (Volexity)\r\nEarth Empusa (Trend Micro)\r\nRed Dev 16 (PWC)\r\nEvilBamboo (Volexity)\r\nSentinel Taurus (Palo Alto)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription (Citizen Lab)\r\n• Between November 2018 and May 2019, senior members of Tibetan groups\r\nreceived malicious links in individually tailored WhatsApp text exchanges with\r\noperators posing as NGO workers, journalists, and other fake personas. The links led\r\nto code designed to exploit web browser vulnerabilities to install spyware on iOS\r\nand Android devices, and in some cases to OAuth phishing pages. This campaign\r\nwas carried out by what appears to be a single operator that we call POISON CARP.\r\n• We observed POISON CARP employing a total of eight Android browser exploits\r\nand one Android spyware kit, as well as one iOS exploit chain and iOS spyware.\r\nNone of the exploits that we observed were zero days. POISON CARP overlaps with\r\ntwo recently reported campaigns against the Uyghur community. The iOS exploit\r\nand spyware we observed was used in watering hole attacks reported by Google\r\nProject Zero, and a website used to serve exploits by POISON CARP was also\r\nobserved in a campaign called “Evil Eye” reported by Volexity. The Android\r\nmalware used in the campaign is a fully featured spyware kit that has not been\r\npreviously documented.\r\n• POISON CARP appears to have used Android browser exploits from a variety of\r\nsources. 
In one case, POISON CARP used a working exploit publicly released by\r\nExodus Intelligence for a Google Chrome bug that was fixed in source, but whose\r\npatch had not yet been distributed to Chrome users. In other cases, POISON CARP\nused lightly modified versions of Chrome exploit code published on the personal\nGitHub pages of a member of Qihoo 360’s Vulcan Team, a member of Tencent’s\nXuanwu Lab, and by a Google Project Zero member on the Chrome Bug Tracker.\n• This campaign is the first documented case of one-click mobile exploits used to\ntarget Tibetan groups, and reflects an escalation in the sophistication of digital\nespionage threats targeting the community.\nObserved\nSectors: Tibetan and Uyghur activists as well as those who are interested in their\ncauses.\nCountries: Australia, Canada, China, Kazakhstan, Syria, Turkey, USA.\nTools used\nActionSpy, BadBazaar, BADSIGNAL, BADSOLAR, Bourbon, IceCube,\nIRONSQUIRREL, MOONSHINE, PoisonCarp, Scotch, Whisky and several exploits\nin iOS, Android and Google Chrome.\nOperations performed\n2018\nDigital Crackdown: Large-Scale Surveillance and Exploitation of\nUyghurs\nJan 2020\nImmediately after the publications from Google and Volexity, the Evil\nEye threat actor went fairly quiet. They removed their malicious code\nfrom compromised websites, command and control (C2) servers were\ntaken down, and various hostnames stopped resolving. 
This largely\nremained the case until early January 2020, when Volexity observed a\nseries of new activity across multiple previously compromised\nUyghur websites.\nEarly 2020\nWhile tracking Earth Empusa, also known as POISON CARP/Evil\nEye, we identified an undocumented Android spyware we have\nnamed ActionSpy.\n2022\nLookout Discovers Long-running Surveillance Campaigns Targeting\nUyghurs\nJun 2023 EvilBamboo Targets Mobile Devices in Multi-year Campaign\nCounter operations Mar 2021\nTaking Action Against Hackers in China\nInformation\nLast change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c542e618-93f6-4990-b109-c267835d0762",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c542e618-93f6-4990-b109-c267835d0762"
	],
	"report_names": [
		"showcard.cgi?u=c542e618-93f6-4990-b109-c267835d0762"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/275a42b48bb27fe1b95a83471300b54981f21f13.pdf",
		"text": "https://archive.orkl.eu/275a42b48bb27fe1b95a83471300b54981f21f13.txt",
		"img": "https://archive.orkl.eu/275a42b48bb27fe1b95a83471300b54981f21f13.jpg"
	}
}