{
	"id": "3814952c-7824-44d1-b4aa-9301038458f1",
	"created_at": "2026-04-06T00:13:07.354496Z",
	"updated_at": "2026-04-10T03:35:27.535593Z",
	"deleted_at": null,
	"sha1_hash": "4903844aea0bc10a66fdea7569a348d1b5a1c230",
	"title": "Taking Action Against Hackers in China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103949,
	"plain_text": "Taking Action Against Hackers in China\r\nPublished: 2021-03-24 · Archived: 2026-04-05 14:01:22 UTC\r\nFacebook threat intelligence analysts and security experts work to find and stop a wide range of threats, including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.\r\nToday, we’re sharing actions we took against a group of hackers in China known in the security industry as Earth Empusa or Evil Eye — to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet. They targeted activists, journalists and dissidents, predominantly Uyghurs from Xinjiang in China living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries. This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.\r\nThis activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity.\r\nWe identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:\r\nSelective targeting and exploit protection: This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.\r\nCompromising and impersonating news websites: This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. Some of these web pages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised.\r\nSocial engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.\r\nUsing fake third-party app stores: We found websites set up by this group that mimic third-party Android app stores, where they published Uyghur-themed applications, including a keyboard app, a prayer app and a dictionary app. These apps were trojanized (they contained malware that misled people about their true intent) with one of two Android malware strains — ActionSpy or PluginPhantom.\r\nOutsourcing malware development: We’ve observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors with varying degrees of operational security.\r\nIndustry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, Evil Eye or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs, including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity.\r\nWe shared our findings and threat indicators with industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.\r\nThreat Indicators:\r\nhttps://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/\r\nPage 1 of 4\r\nSource: https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/"
	],
	"report_names": [
		"taking-action-against-hackers-in-china"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775792127,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4903844aea0bc10a66fdea7569a348d1b5a1c230.pdf",
		"text": "https://archive.orkl.eu/4903844aea0bc10a66fdea7569a348d1b5a1c230.txt",
		"img": "https://archive.orkl.eu/4903844aea0bc10a66fdea7569a348d1b5a1c230.jpg"
	}
}