{
	"id": "8fe2b04f-1d57-4771-9227-d993b997da38",
	"created_at": "2026-04-06T01:32:25.07338Z",
	"updated_at": "2026-04-10T13:13:04.241164Z",
	"deleted_at": null,
	"sha1_hash": "9907e7f2836f1c68194e986346a9b33aabcae7dc",
	"title": "Minority report: Fake human rights documents and websites used in cyberattacks targeting Uyghurs, a Turkic ...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55176,
	"plain_text": "Minority report: Fake human rights documents and websites used\r\nin cyberattacks targeting Uyghurs, a Turkic ...\r\nBy gmcdouga\r\nPublished: 2021-05-27 · Archived: 2026-04-06 01:04:58 UTC\r\nHighlights\r\nCheck Point Research (CPR), in collaboration with Kaspersky’s Global Research \u0026 Analysis Team\r\n(GReAT), have been tracking an ongoing attack targeting a small minority group of Uyghur individuals in\r\nXinjiang and Pakistan\r\nAttackers use fake United Nations (UN) documents and human rights websites to spread malware that has\r\nthe ability to exfiltrate information and take control of victims’ PCs\r\nThe Uyghurs are a Turkic ethnic group, culturally affiliated with Central and East Asia, and considered one\r\nof China’s 55 officially recognized ethnic minorities\r\nBackground\r\nIn the past year, Check Point Research (CPR), in collaboration with Kaspersky’s Global Research \u0026 Analysis\r\nTeam (GReAT), have been tracking an ongoing attack targeting a small group of Uyghur individuals located in\r\nXinjiang, China and Pakistan.\r\nMalicious actors disguised their attacks in the following ways:\r\nThey created documents that appear to be from the UN, using real UN information to ensure these looked\r\nauthentic.\r\nSet up websites for non-existent organizations claiming to fund charity groups\r\nThis blog details the investigation of the decoy methods this group used.\r\nFake UN documents as a tool for initial infections\r\nThe researchers’ investigations began with a malicious document found on the free malware scanning service\r\nVirusTotal named “UgyhurApplicationList.docx” which carried the logo of the United Nations Human Rights\r\nCouncil (UNHRC), and contained content from a UN general assembly discussing human rights violations that\r\nmade the document seem 
genuine.\r\nhttps://blog.checkpoint.com/security/minority-report-fake-human-rights-documents-and-websites-used-in-cyberattacks-targeting-uyghurs-a-turkic-ethnic-minority-in-china/\r\nPage 1 of 5\n\nAfter the user opens the document by clicking on “enable editing”, a malicious external template containing\r\nmacro code is downloaded, and this macro code proceeds to decode an embedded backdoor. After the backdoor is\r\ndecoded, it is then named “OfficeUpdate.exe” and saved under the %TEMP% directory.\r\nIn the two “OfficeUpdate.exe” examples the researchers located, the payload was a shellcode loader that utilizes\r\nbasic evasion and anti-debugging techniques by using functions such as sleep and QueryPerformanceCounter.\r\nDelivery Websites – Impersonating the UN’s Commission for Human Rights\r\nThe domain observed in the malicious document (officemodel[.]org) led to the same IP address as unohcr[.]org – a\r\ndomain impersonating the Office of the High Commissioner for Human Rights (OHCHR).\r\nInvestigating this method of fake domains and websites revealed a tactic of distributing malware through fake\r\nwebsites that host malicious executables targeting Windows users.\r\nAnother IP address that unohcr[.]org led to was a domain named tcahf[.]org, which hosted a website claiming to\r\nrepresent the Turkic Culture and Heritage Foundation (TCAHF).\r\nTCAHF claims to be a private organization that funds and supports groups working for Turkic culture and human\r\nrights, when in fact it is a made-up entity, with most of its website’s content having been copied from the\r\nlegitimate “opensocietyfoundations.org”.\r\nFigure 2: Fake website (top) compared to the legitimate one (bottom)\r\nThe malicious functionality of the TCAHF website is well disguised and will only appear when the 
victim\r\nattempts to apply for a grant (see the added “Application” menu button in Fig. 5). The website then claims it must\r\nmake sure that the operating system of the victim’s PC is safe before they enter sensitive information for the\r\ntransaction, and asks them to download a program to scan their PC environment. The website offers two download\r\noptions, one for MacOS and one for Windows, but when the team analyzed the website, only the download for\r\nWindows was available, while the MacOS version link served an empty file.\r\nFigure 3: Links to download a fake security scanner\r\nUyghur minority as a target\r\nBased on the nature of the malicious websites and the decoy content used in the delivery document, the\r\nresearchers assessed that this campaign is intended to target the Uyghur minority or the organizations supporting\r\nthem. The Uyghurs are a Turkic ethnic group, culturally affiliated with Central and East Asia, and considered one\r\nof China’s 55 officially recognized ethnic minorities.\r\nThe research team’s telemetry supports this assessment, as it has identified a handful of victims in Pakistan and\r\nChina. In both cases, the victims were located in regions mostly populated by the Uyghur minority.\r\nAttribution\r\nAlthough the researchers were unable to find code or infrastructure similarities to a known threat group, they\r\nattribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. 
When examining the\r\nmalicious macros in the delivery document, the research team noticed that some excerpts of the code were\r\nidentical to VBA code that has appeared in multiple Chinese forums, and might have been copied from there\r\ndirectly.\r\nFigure 4: Similar macro code in Chinese forum\r\nImpact of attacks and conclusion\r\nWhile most of the activity described above happened in 2020, it appears the attackers behind this campaign are\r\nstill active, and working with newly registered domains. The findings of this research indicate these attacks are\r\nongoing, and new infrastructure is being created for what looks like future attacks.\r\nMost recently, one of the domains appeared to be impersonating the Turkic Ministry of the Interior, but this and\r\nanother domain redirected to the website of a Malaysian government body called the “Terengganu Islamic\r\nFoundation”. This suggests that they are pursuing additional targets in countries such as Malaysia and Turkey.\r\nHowever, the malicious group might still be developing those resources, since researchers have yet to find any\r\nmalicious artifacts associated with those domains.\r\nThe malicious executables created by the attackers exfiltrate basic information about the infected system but can\r\nalso download a second-stage payload, or in the case of the documents, fetch additional commands from the\r\ncommand and control server. 
This means that the researchers have not yet seen all the capabilities of this malware,\r\nor the full course of action taken by the attackers following a successful infection.\r\nThe motivation behind these cyberattacks seems to indicate a campaign of espionage, with the end game of the\r\noperation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community.\r\nThe attacks are designed to fingerprint infected devices, including all of their running programs. CPR and Kaspersky\r\nGReAT researchers will continue investigating this issue and report any new relevant findings.\r\nSource: https://blog.checkpoint.com/security/minority-report-fake-human-rights-documents-and-websites-used-in-cyberattacks-targeting-uyghurs-a-turkic-ethnic-minority-in-china/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/security/minority-report-fake-human-rights-documents-and-websites-used-in-cyberattacks-targeting-uyghurs-a-turkic-ethnic-minority-in-china/"
	],
	"report_names": [
		"minority-report-fake-human-rights-documents-and-websites-used-in-cyberattacks-targeting-uyghurs-a-turkic-ethnic-minority-in-china"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439145,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9907e7f2836f1c68194e986346a9b33aabcae7dc.pdf",
		"text": "https://archive.orkl.eu/9907e7f2836f1c68194e986346a9b33aabcae7dc.txt",
		"img": "https://archive.orkl.eu/9907e7f2836f1c68194e986346a9b33aabcae7dc.jpg"
	}
}