{ "id": "04b4ada0-042e-407e-9d3c-beaefc5de4ba", "created_at": "2026-04-06T01:31:25.313749Z", "updated_at": "2026-04-10T03:35:29.110383Z", "deleted_at": null, "sha1_hash": "dffdf77953dbb9f4064eb0997f5219a58b9ad24a", "title": "NCSC and partners share guidance for communities at high risk of digital surveillance", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 35250, "plain_text": "NCSC and partners share guidance for communities at high risk of\r\ndigital surveillance\r\nPublished: 2025-04-09 · Archived: 2026-04-06 01:11:19 UTC\r\nCYBER experts have shared new advice today (Wednesday) to help protect individuals from the threat of digital\r\nsurveillance posed by spyware apps. \r\nIn new advisories, the National Cyber Security Centre (NCSC) – a part of GCHQ – and agencies in Australia,\r\nCanada, Germany, New Zealand and the United States have revealed details about how malicious cyber actors are\r\nusing two forms of spyware to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil\r\nsociety groups. \r\nThe malicious software – dubbed MOONSHINE and BADBAZAAR – hide malicious functions inside otherwise\r\nlegitimate apps in a technique known as ‘trojanising’. \r\nOnce installed, the apps have been observed variously accessing functions including microphones, cameras,\r\nmessages, photos, and location data, including real-time tracking, without the user being aware. \r\nThe advisories warn that the apps specifically target individuals internationally who are connected to topics that\r\nare considered by the Chinese state to pose a threat to its stability, with some designed to appeal directly to victims\r\nor imitate popular apps. \r\nExamples include ‘Tibet One’ and Audio Quran apps that have supported targets’ native languages and were\r\npromoted in online forums frequented by intended users, as well as some apps imitating the likes of legitimate\r\nbrands such as Whatsapp and Skype.  \r\nIndividuals at risk of being targeted by these spyware apps are strongly encouraged to follow new advice to help\r\nprotect their devices and data.\r\nBoth advisories have been developed in collaboration with industry experts from the NCSC’s Cyber League.   \r\nNCSC Director of Operations Paul Chichester said: \r\n\"With our international and industry partners, we are committed to helping equip individuals at risk of online\r\nsurveillance with the information they need to counter spyware threats.\"\r\n\"We are seeing a rise in digital threats designed to silence, monitor, and intimidate communities across borders,\r\nand the use of these two forms of spyware is clearly unacceptable.\"\r\n\"The NCSC urges people at higher risk to exercise heightened vigilance and follow our practical advice outlined\r\nin the advisory to help keep their devices and data safe.\"\r\nA second advisory contains technical analysis of the spyware as well as steps that app store operators, developers,\r\nand social media companies can take to keep their users safe. \r\nhttps://www.ncsc.gov.uk/news/ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance\r\nPage 1 of 2\n\nThe individuals most at risk include anyone connected to: Taiwanese independence; Tibetan rights; Uyghur\r\nMuslims and other ethnic minorities in or from China’s Xinjiang Uyghur Autonomous Region; democracy\r\nadvocacy, including Hong Kong, and the Falun Gong spiritual movement. \r\nSource: https://www.ncsc.gov.uk/news/ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance\r\nhttps://www.ncsc.gov.uk/news/ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.ncsc.gov.uk/news/ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance" ], "report_names": [ "ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439085, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dffdf77953dbb9f4064eb0997f5219a58b9ad24a.pdf", "text": "https://archive.orkl.eu/dffdf77953dbb9f4064eb0997f5219a58b9ad24a.txt", "img": "https://archive.orkl.eu/dffdf77953dbb9f4064eb0997f5219a58b9ad24a.jpg" } }