# **Advisory**

## **BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors**

**9 April 2025**

© **Crown Copyright 2025**

-----

#### BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors

**The NCSC and partners publish new information and mitigation measures for those at high risk from two spyware variants.**

##### **Summary**

With support from the UK [Cyber League](https://www.ncsc.gov.uk/information/cyber-league), this advisory has been jointly produced by the National Cyber Security Centre (NCSC UK) and international partners:

**>** **The Australian Cyber Security Centre, part of the Australian Signals Directorate**

**>** **The Canadian Centre for Cyber Security, part of the Communications Security Establishment**

**>** **The German Federal Intelligence Service**

**>** **The German Federal Office for the Protection of the Constitution**

**>** **The New Zealand National Cyber Security Centre, part of the Government Communications Security Bureau**

**>** **The United States Federal Bureau of Investigation**

**>** **The United States National Security Agency**

Its purpose is to raise awareness about the growing threat that malicious cyber actors pose to individuals connected to topics including Taiwan, Tibet, Xinjiang Uyghur Autonomous Region, democracy movements and the Falun Gong.

This advisory includes two case studies detailing techniques used by malicious cyber actors using spyware known as BADBAZAAR and MOONSHINE to target data on mobile devices, including smartphones, that could be of interest to the Chinese state. It also signposts to guidance to help individuals protect themselves, their devices and their data.

Alongside this advisory, the NCSC has published [full technical detail with separate guidance](https://www.ncsc.gov.uk/news/advisory-badbazaar-moonshine-technical-analysis-mitigations).

-----

##### **Who is at risk?**

The authoring agencies and industry partners have observed BADBAZAAR and MOONSHINE specifically targeting individuals connected to topics considered by the Chinese state to be a threat to their domestic authority, ambitions and global reputation. Those most at risk include, but are not limited to, anyone connected to:

**>** **Taiwanese independence**

**>** **Tibetan rights**

**>** **Uyghur Muslims and other ethnic minorities in or from China’s Xinjiang Uyghur Autonomous Region**

**>** **democracy advocacy (including Hong Kong)**

**>** **the Falun Gong spiritual movement**

This includes non-governmental organisations (NGOs), journalists, businesses and individuals who advocate for, identify with, or otherwise represent these groups. The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims.

This advisory aims to help those at risk respond effectively to the specific threat from BADBAZAAR and MOONSHINE spyware. The suggested mitigations complement broader cyber security advice and should not be considered in isolation. By following the guidance referenced in this advisory, users can reduce the risk of infection of their mobile devices and data.

-----

##### **The threat**

MOONSHINE and BADBAZAAR are examples of trojans; they have malicious functions hidden inside an otherwise functioning app that can be downloaded from app stores or online file-sharing services. These apps are designed to trick a user into downloading and installing them on a device.
Once an app is installed, it uses vulnerabilities on the device to perform unauthorised functions, or it may rely on a user granting app permissions to access and download information from the device, including:

**>** **location data including real time tracking**

**>** **access to microphone and camera**

**>** **messages, photos and other files stored on the device**

**>** **device information and more**

The actors then exploit the legitimate interests of at-risk groups to identify and infect as many victims as possible, and gain access to their data. One way they do this is by designing apps they know will appeal to their victims, such as apps which support their native languages, or contain content specific to locations such as Tibetan regions of China or Xinjiang. The case studies in this advisory provide some examples of this, including the TibetOne and Uyghur Quran apps.

The actors are active in online forums where there is a user base of their intended victims, which maximises their chance to infect victims. They have been observed deliberately sharing spyware in Tibet-related Telegram channels and Reddit forums. The case studies in this advisory also give examples of these methods.

Malicious apps are often shared as standalone files, such as APK files on Android, which users are required to download and install. The actors try to make their spyware appear more legitimate by uploading it to official app stores such as the Google Play Store and the Apple App Store, or by adding malicious code to previously benign apps, although official stores have security features and vetting processes which make this tactic less successful. This makes apps from official stores safer, but as demonstrated in the case studies and the NCSC’s [App Store Threat Report](https://www.ncsc.gov.uk/files/Threat-report-on-application-stores-web-v2.pdf), these processes are not perfect.
-----

Following these four tips can help protect you from the threats outlined in this advisory. For more detailed advice, see the mitigations section.

-----

##### **Case studies**

These two case studies illustrate how MOONSHINE and BADBAZAAR work, and how malicious cyber actors are targeting those most at risk.

###### Case study one: MOONSHINE

MOONSHINE is an Android spyware reported in 2019 by [Citizen Lab](https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/) as targeting Tibetan groups. MOONSHINE masquerades as a legitimate app to lure victims into installing it. It has been shared via Telegram channels and links sent via WhatsApp. MOONSHINE has extensive surveillance capabilities, such as:

**>** **location data including real time tracking**

**>** **live audio and photo capture**

**>** **downloading files from device**

**>** **retrieving device information**

**>** **playing audio on the device**

The file ‘**قۇرئان ئاۋازلىق.apk**’, which translates as ‘**Audio Quran.apk**’, is an example of how MOONSHINE is used to target Uyghurs. The use of the Uyghur language in the file name, indicating a Quran application, was likely designed to appeal to Uyghur Muslims. Once installed […]. […] ‘SCOTCH A MIN’.

-----

Once logged in, the actors can access the page shown in the screenshot below.
This page would display details of infected devices and the level of access the actor has to infected devices. The malware management panel, showing the data collected, would include:

**>** **level of access to device**

**>** **SMS messages**

**>** **call logs**

**>** **location data**

**>** **device information**

In collaboration with Cyber League, the NCSC has built on industry [reporting from Trend Micro](https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html) to find overlaps between the MOONSHINE exploitation kit and login panels containing 'UPSEC' in the HTML title. Full details are in [the accompanying technical advisory](https://www.ncsc.gov.uk/news/advisory-badbazaar-moonshine-technical-analysis-mitigations).

According to [Intelligence Online](https://www.intelligenceonline.com/surveillance--interception/2025/01/29/chinese-firm-behind-hacking-operations-against-uyghurs-and-tibetans-unveiled,110368855-evg), UPSEC is a reference to ‘Sichuan Dianke Network Security Technology Co. Ltd’. The authoring agencies have not verified this statement.

###### Case study two: BADBAZAAR

BADBAZAAR is a mobile malware with iOS and Android variants that has targeted Uyghurs, Tibetans and Taiwanese individuals. This malware has been spread via social media platforms and official app stores. BADBAZAAR has been used to target Tibetans via the app ‘**TibetOne**’, as reported by [Lookout](https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15) and [Volexity](https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/). **TibetOne** is an iOS app created by the malicious actors, with the capability to access device information and location data.
It was uploaded to the Apple App Store in December 2021 but is no longer available. To spread the malware further, the actors also advertised the app in a Telegram channel, ‘**tibetanphone**’.

-----

*Figure 1: TibetOne app page on the Apple App Store. The app has since been removed.*

*Figure 2: TibetOne as shared in Telegram channels.*

-----

To add legitimacy to the app, the actors also developed a website called ‘**tibetone[.]org**’, which described itself as ‘*bring[ing] rich and high-quality works to people who love Tibetan culture and make reading a new way of life*’.

*Figure 3: Homepage of 'tibetone[.]org'. This image has been edited to make relevant sections clearer.*

This website had a page for articles which allowed users to leave comments. A comment left by the email address '**choekyi.wangmo@ignitetibet.net**' is believed to be controlled by the malicious actor and is likely to impersonate ‘**Choekyi Wangmo**’, who the [Tibetan Centre of Human Rights and Democracy](https://tchrd.org/cases-of-torture-in-drapchi-prison/) lists as a pro-Tibet protestor. This is likely to be another attempt to give the impression that the app genuinely advocates for Tibetan independence.

-----

*Figure 4: 'tibetone[.]org' page showing comments from users believed to be controlled by the malicious actor. This image has been edited to make relevant sections clearer.*

‘**TenzinNima**’ is another username that has added comments on this site. [Volexity has reported](https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/) that this username is also used on Reddit to advertise the Telegram channel ‘**Tibetanmaptalk**’. It includes a link to download a malicious sample of ‘**AlpineQuest**’, a navigation app available on Android devices.
The download link provided is for a third-party file-sharing service called Mega.

-----

*Figure 5: Reddit post advertising malicious application by account believed to be malicious actor controlled.*

Volexity also notes that a ‘**KimeOmar**’ post has also been observed sharing malicious apps on another sub-Reddit forum. This could indicate that the malicious actors use multiple social media profiles to make their posts appear legitimate.

-----

##### **Assessment**

BADBAZAAR and MOONSHINE use several social engineering methods to specifically target Uyghur, Tibetan and Taiwanese communities, namely:

**>** the trojanisation of apps of interest to these communities, such as a Uyghur language Quran app, is almost certainly tailored to the target victim base

**>** the adding of these trojanised apps to official app stores highly likely lends a sense of legitimacy, and

**>** the sharing in group chats is highly likely intended to exploit trusted relationships within these communities

BADBAZAAR and MOONSHINE collect data which would almost certainly be of value to the Chinese state. Although BADBAZAAR and MOONSHINE have been [observed](https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/) targeting Uyghur, Tibetan and Taiwanese individuals, there is [other](https://arstechnica.com/information-technology/2014/10/year-of-the-rat-chinas-malware-war-on-activists-goes-mobile/) malware that targets other minority groups in China. Citizens from the co-sealing nations, in China and abroad, who are perceived to be supporting causes that threaten regime stability, are almost certainly under threat from mobile malware such as BADBAZAAR and MOONSHINE. The capability to capture location, audio and photo data almost certainly provides the opportunity to inform future surveillance and harassment operations by providing real-time […]’s activity.
-----

##### **NCSC Glossary**

**>** **Android** Google's mobile operating system, used by several smartphone and tablet manufacturers.

**>** **App** An application, or app, is a software package that users can install, or that is pre-installed on a device, to provide extra functionality or content to their device.

**>** **Cyber Security** The protection of devices, services and networks, and the information on them, from unauthorised access, theft or damage.

**>** **Device** Computer-based hardware that physically exists, such as a desktop computer, smartphone or tablet.

**>** **iOS** Apple's mobile operating system used on its suite of mobile devices.

**>** **Malware** Derived from 'malicious software', malware is any kind of software that can damage computer systems, networks or devices. Includes viruses, ransomware and trojans.

**>** **Operating system** The basic software running on computers, tablets and smartphones, required to run additional applications and hardware.

**>** **Phishing** Scam emails or text messages that contain links to websites which may contain malware, or may trick users into revealing sensitive information (such as passwords) or transferring money.

**>** **Spyware** A type of malware that installs on a device without the user's consent, collecting data and then sending it to a third party.

**>** **Social media** Websites and apps, such as Facebook, X and Instagram, that allow people to share and respond to user-generated content (text posts, photos and video).

**>** **Smartphone** Modern mobile phones that perform complex functionality, including those with Android and iOS operating systems.

**>** **Trojan** A type of malware, disguised as legitimate software, that is used to gain unauthorised access to a victim's device.

**>** **URL** Uniform Resource Locator.
An address on the world wide web such as a domain name (for example www.bbc.co.uk).

**>** **Virus** A type of malware that is designed to infect legitimate software programs and replicates across networks when those programs are activated.

-----

##### **Further reading**

###### Guidance from the Australian Cyber Security Centre

**>** [Report a cybercrime, incident or vulnerability](https://www.cyber.gov.au/report-and-recover/report)

**>** [How to secure your devices](https://www.cyber.gov.au/protect-yourself/securing-your-devices/how-secure-your-devices/secure-your-mobile-phone)

**>** [Secure your mobile phone](https://www.cyber.gov.au/protect-yourself/securing-your-devices/how-secure-your-devices/secure-your-mobile-phone)

**>** [Phishing](https://www.cyber.gov.au/threats/types-threats/phishing)

**>** [Scams](https://www.cyber.gov.au/threats/types-threats/scams)

**>** [Secure your social media](https://www.cyber.gov.au/protect-yourself/staying-secure-online/connecting-others-online/secure-your-social-media)

**>** [Security tips for social media and messaging apps](https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/user-education/security-tips-social-media-and-messaging-apps)

###### Guidance from the UK NCSC and NPSA

**>** [Defending Democracy](https://www.ncsc.gov.uk/collection/defending-democracy)

**>** [Social Media: how to use it safely](https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely)

**>** [Device Security Guidance for organisations including mobile](https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides)

**>** [Threat report on application stores](https://www.ncsc.gov.uk/files/Threat-report-on-application-stores-web-v2.pdf)

**>** [Personal safety and security for high-risk individuals](https://www.npsa.gov.uk/personal-safety-and-security-high-risk-individuals)

**>** [Phishing: Spot and report scam emails, texts, websites and calls](https://www.ncsc.gov.uk/collection/phishing-scams)

###### Guidance from the US NSA

**>** Mobile Device Best Practices

##### **Disclaimer**

Please note that this advisory provides information that is validated at the time of publication. This report draws on information derived from authoring agency and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

In the UK, this information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [ncscinfoleg@ncsc.gov.uk](mailto:ncscinfoleg@ncsc.gov.uk).

All material is UK Crown Copyright ©

-----

##### **Annex: MOONSHINE & BADBAZAAR samples observed**

This table lists the apps used in MOONSHINE and BADBAZAAR campaigns in the past two years. Many of these apps show a clear similarity to established apps. This is likely to be a deliberate actor technique to 'spoof' well-known brands.

**It’s important to note, the name of the app, package name, and icon can all imitate or match the real application and should therefore not be used exclusively to identify if a device is infected.**

As included in the mitigations section, you can send apps on your Android device […] your device that were installed from outside the Play Store.
|App title|Package name|
|---|---|
|99 Names of ALLAH|com.Apptriple.Namesofallah.Asmaulhusna|
|APKPure|com.apkpure.aegon|
|Adobe Acrobat|com.adobe.reader|
|Alpine (پښتو)|psyberia.pa.full|
|AlpineQuest Off-Road Explorer|psyberia.alpinequest.full|
|AlpineQuest Off-Road Explorer|psyberia.alpinequest.full|
|AlpineQuest Off-Road Explorer (Lite)|psyberia.alpinequest.free|
|AppLock|com.alpha.applock|
|Arabic Keyboard|com.arabic.keyboard.arabic.language.keyboard.app|
|Audio Video Cutter|bsoft.com.mp3.cutter.ringtone.video.maker.trimmer|
|Badam维语输入法|com.ziipin.softkeyboard|
|Buddhist Songs (1)|com.bigkidsapps.buddhistsongs1|
|Calculator|com.android2.calculator3|
|Compass 360 Pro|com.pro.app.compass|
|EN-UG Dictionary Free|ru.vddevelopment.ref.enugen.free|
|Ewlad|ewlat.com.ewlatuyghur|
|FAST|com.netflix.Speedtest|
|FMWhatsApp|com.fmwhatsapp|
|File Manager +|com.alphainventor.filemanager|
|FlyGram|org.telegram.FlyGram|
|Flygram|org.telegram.FlyGram|
|Free WiFi Pass|com.cl.wifipassword.share|
|GBWhatsApp|com.gbwhatsapp|
|Hefz Quran|com.golap.hefzquran|
|Hijri Calendar|com.ibrahim.hijricalendar|
|InShot|com.camerasideas.instashot|
|KMPlayer|com.kmplayer|
|KineMaster|com.nexstreaming.app.kinemasterfree|
|MP3 Cutter & Ringtone Maker|ringtone.maker.mp3.cutter.audio|
|Malloc|com.mallocprivacy.antistalkerfree|
|Maps Distance Calculator|com.routemap.mapdownload.gpsrouteplanner|
|Media Recovery|com.aaa.media.recovery.androidapp|
|Nur.cn|com.nur.reader|
|Nur输入法|com.nur.ime|
|OGWhatsApp|com.gbwhatsapp3|
|PDF Extra|com.mobisystems.mobiscanner|
|PDF Reader|pdf.pdfreader.pdfviewer.pdfeditor|
|PDF Reader|com.gappstudios.autowifi3gdataswitch.san.basicpdfviewer|
|Photo Editor|com.iudesk.android.photo.editor|
|Photo Recovery|recover.restore.undelete.photo.video.file|
|Photo Studio|com.kvadgroup.photostudio|
|Plus|org.telegram.pluspro|
|Prayer Book|com.arashpayan.prayerbook|
|QuarkVPN|com.speedy.vpn|
|Quran|com.tos.quranuighore|
|QuranKerim|com.ewlat.qurankerim|
|Restore Deleted Pics|com.restore.deleted.pictures.video|
|Signal|org.thoughtcrime.securesms|
|Signal Plus|org.thoughtcrime.securesmsplus|
|SignalPlus|org.thoughtcrime.securesmsplus|
|Singing Bowl Sounds HD|com.soundjabber.tibetansingingbowls.candletibet.bowlschakrasound|
|Skype|com.skype.raider|
|Snaptube|com.snaptube.premium|
|Snaptube Plus|com.snaptube.gold|
|SwiftKey Keyboard|com.touchtype.swiftkey|
|Tarteel|com.mmmoussa.iqra|
|Telegram|org.zhifeijihj.messenger|
|Telegram|org.telegramfbo.messenger|
|Telegram X|org.thunderdog.challegram|
|Tibetan Divination System MO|net.rhombapp.mo|
|Tibetan Prayer|com.chorig.tibetanprayer|
|Translator AR-TR|free_translator.artr|
|Truecaller|com.truecaller|
|TubePlus|com.techshop.videocraft|
|Ultrasurf|us.ultrasurf.mobile.ultrasurf|
|Uyghur Keyboard|com.mykeyboard.myphotokeyboard.uyghurkeyboard|
|Uyghurche Kirguzguch|com.ziipin.softkeyboard|
|Video Converter|com.inverseai.video_converter|
|Video Cutter|com.naing.cutter|
|Video Downloader|downloader.video.download.free|
|Video Maker|com.bstech.slideshow.videomaker|
|Video Player for Android|com.zgz.supervideo|
|Vieka|com.prime.story.android|
|VivaVideo Lite|com.quvideo.vivavideo.lite|
|VivaVideo PRO|com.quvideo.xiaoying.pro|
|Vmuslim|com.alhiwar|
|Voice Recorder|com.media.bestrecorder.audiorecorder|
|Voxer|com.rebelvox.voxer|
|Weather Forecast|com.graph.weather.forecast.channel|
|WhatsApp|com.whatsapp|
|WhatsApp|com.whatsapp|
|WhatsApp|com.WhatsApp3Plus|
|WhatsApp|com.whatsapp|
|WhatsApp|com.WhatsApp2Plus|
|Whoscall|gogolook.callgogolook2|
|WiFi Password Master_v1.4|com.example.dat.a8andoserverx|
|Windy|com.windyty.android|
|Wise|com.transferwise.android|
|YoWhatsApp|com.yowhatsapp|
|YouTube Downloader|dentex.youtube.downloader|
|Zom|im.zom.messenger|
|iQuran Lite|com.guidedways.iQuran|
|ئاۋازلىق ئەسەرلەر|com.ewlat.eserler|
|ئاۋازلىق قۇرئان|com.c9.utilim|
|ئىزچى|com.yelken.izchi|
|ئۇيغۇرچە APK ئىزدىگۈچى|com.uygur.apkstore|
|ئۇيغۇرچە قۇرئان|com.c9.uyghurquran|
|القرآن الكريم|com.maher4web.quran|
|زىكىرلەر|com.my.newproject5|
|قۇرئان كەرىم|ru.omdevelopment.ref.quranuyghur.free|
|كۇھىقاپ لۇغىتى|com.kuhiqap.lughitim|
|نۇر كىرگۈزگۈچ|com.nur.ime|
|《心灵法门》念佛机|com.guanyincitta.chant|
|汉藏英辞典|com.dacd.dictionary|
|藏历基本数据|com.example.astronomicalcalendarapp|
|阳光藏汉翻译|com.tibetan.translate|
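The annex caveat above (a package name can match the genuine app, and sideloaded installs deserve the closest look) can be turned into a first-pass triage check. The following Python helper is an added example, not code from the advisory or the authoring agencies: it parses the output of `adb shell pm list packages -i`, matches installed package names against a subset of the annex, and flags whether each match was installed from the Play Store; the sample output and the annex subset are constructed here.

```python
"""Triage helper: annex package-name matches from `pm list packages -i` output.

A match is a prompt to check the installer source and the APK's signing
certificate, not proof of infection, because the advisory notes that name,
package name and icon can all match the real app.
"""
import re

# Subset of package names from the advisory's annex (constructed sample list).
ANNEX_PACKAGES = {
    "com.c9.utilim",
    "psyberia.alpinequest.full",
    "org.telegram.FlyGram",
    "com.whatsapp",
    "org.thoughtcrime.securesmsplus",
}

# Installer id reported for apps installed through the Google Play Store.
STORE_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints one line per app: package:<name>  installer=<id|null>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Return {package_name: installer_or_None} from `pm list packages -i` output."""
    installed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            installed[pkg] = None if installer == "null" else installer
    return installed


def triage(installed):
    """Map each annex match to 'store' (Play Store installer) or 'sideloaded'.

    Sideloaded matches (unknown installer, or a non-store installer such as the
    on-device package installer) are the ones to review first.
    """
    findings = {}
    for pkg, installer in installed.items():
        if pkg not in ANNEX_PACKAGES:
            continue
        findings[pkg] = "store" if installer in STORE_INSTALLERS else "sideloaded"
    return findings


# Constructed sample, mimicking `adb shell pm list packages -i` output.
SAMPLE_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.c9.utilim  installer=null
package:org.telegram.FlyGram  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for pkg, verdict in sorted(triage(parse_pm_output(SAMPLE_OUTPUT)).items()):
        print(f"{verdict:10s} {pkg}")
```

On a real device, pipe `adb shell pm list packages -i` into `parse_pm_output` and extend `ANNEX_PACKAGES` with the full annex table; a 'store' verdict for a genuine package such as com.whatsapp shows why a name match alone is not enough.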