{
	"id": "f60a456d-1c8a-4cb4-bce9-158cdeccb1ee",
	"created_at": "2026-04-06T00:19:21.778355Z",
	"updated_at": "2026-04-10T13:11:33.985673Z",
	"deleted_at": null,
	"sha1_hash": "f3fab3a9e9317eab7dae6829a25c2aa0737027a1",
	"title": "EvilBamboo Targets Mobile Devices in Multi-year Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3545178,
	"plain_text": "EvilBamboo Targets Mobile Devices in Multi-year Campaign\r\nBy mindgrub\r\nPublished: 2023-09-22 · Archived: 2026-04-05 20:14:12 UTC\r\nVolexity has identified several long-running and currently active campaigns undertaken by the threat actor\r\nVolexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals\r\nand organizations. These targets represent three of the Five Poisonous Groups of the Chinese Communist Party\r\n(CCP).\r\nVolexity has tracked the activities of EvilBamboo for more than five years and continues to observe new\r\ncampaigns from this threat actor. In September 2019, Volexity described the deployment of a reconnaissance\r\nframework and custom Android malware targeting both the Uyghur and Tibetan communities. In April 2020,\r\nVolexity detailed attacks by this threat actor against iOS devices, using a Safari exploit to infect Uyghur users with\r\ncustom iOS malware.\r\nKey highlights from Volexity’s recent investigations include the following:\r\nAndroid targeting: Development of three custom Android malware families, BADBAZAAR,\r\nBADSIGNAL, and BADSOLAR, to infect CCP adversaries is ongoing.\r\nFake websites and social media profiles: The attacker has created fake Tibetan websites, along with\r\nsocial media profiles, likely used to deploy browser-based exploits against targeted users.\r\nBuilding communities to facilitate malware distribution: Partly through impersonating existing popular\r\ncommunities, the attacker has built communities on online platforms, such as Telegram, to aid in\r\ndistribution of their malware.\r\nhttps://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/\r\nPage 1 of 17\n\niOS apps: Volexity discovered credible evidence of malicious iOS apps being successfully distributed via\r\nApple’s App Store.\r\nDeployment of custom JavaScript profiling framework: Volexity observed the use of a custom JS\r\nprofiling toolkit by the 
attackers specifically geared towards identifying devices running iOS and believes\r\nthis could have been used to selectively deliver malware. Volexity also encountered evidence suggesting\r\ncontinued use of IRONSQUIRREL.\r\nWith a high level of confidence, Volexity attributes this activity to EvilBamboo, a threat actor operating in the\r\ninterest of the Chinese state. The content in this blog is the amalgamation of several reports sent to Volexity Threat\r\nIntelligence customers in June 2023 and presented at LABScon 2023.\r\nAndroid Malware: A Tale of Three BAD Brothers\r\nVolexity continues to predominantly track EvilBamboo’s campaigns through their prolific use of Android\r\nspyware. EvilBamboo currently employs at least three different Android spyware families, which Volexity tracks\r\nas BADBAZAAR, BADSIGNAL, and BADSOLAR. Each is inserted as a backdoor into legitimate applications.\r\nA recent blog post by ESET discusses BADSIGNAL, which they track under the name “BADBAZAAR”, a\r\nmoniker first used in a 2022 report by Lookout. While the two malware families do share some code, they also\r\nappear to be divergent in their development and functionality. 
Both naming decisions are reasonable, but the\r\nreader should be aware of conflicting naming decisions regarding this malware.\r\nThe table below summarizes key findings related to each of the families discussed in this post:\r\nCapability BADSOLAR BADBAZAAR BADSIGNAL\r\nDeployed in two stages X X\r\nAndroRAT function names X\r\nInteracts with host app to exfiltrate data X\r\nReal-time SMS stealing X\r\nGetOperatorName() and DeviceInfo() functions (see paragraph below) X X X\r\nSSL Pinning X\r\nC2 via RAW socket X X\r\nC2 Via HTTP Rest API X\r\nShared via Telegram X X\r\nHas dedicated website X X\r\nSuspected iOS variant X\r\nObserved targeting: Tibetans (BADSOLAR); Uyghurs, Taiwanese, Tibetans \u0026 beyond (BADBAZAAR); Uyghurs (BADSIGNAL)\r\nThe crux of the links between these families from a malware code point of view lies in two functions,\r\nGetOperatorName() and DeviceInfo(). The first function, GetOperatorName(), is used to get the GSM operator\r\n(Figure 1). The second function, DeviceInfo(), is used to generate the JSON object containing the information of\r\nthe infected terminal.\r\nFigure 1. GetOperatorName() function\r\nBoth functions appear to be derived from a public source, as versions of each function are present in other APKs\r\nonline. However, Volexity was unable to find either function in its exact form in the public domain. For example,\r\nDeviceInfo() is remarkably similar to one available from a public GitHub page, while GetOperatorName() is\r\nsimilar to several publicly available code snippets. 
Searching for any APK containing both functions yielded only\r\nmalware related to the developer of these applications.\r\nIn addition to this key code overlap, Volexity was also able to link use of the different malware families together\r\nthrough analysis of attacker infrastructure patterns \u0026 distribution methods.\r\nAnalysis of each of the malware families is given in the Appendix.\r\nMobile Malware Distribution\r\nForum Threads\r\nSince at least January 17, 2023, EvilBamboo has been targeting Taiwanese users via distribution of\r\nBADBAZAAR through multiple threads on a Taiwanese APK sharing forum. The main thread has over 100,000\r\nviews and claims to be sharing a cracked version of the popular Whoscall Android application. The legitimate\r\nWhoscall app helps identify spam calls and messages. Its Taiwanese-based developer, Gogolook Co. Ltd, claims\r\nthe app has had over 100 million downloads.\r\nA translated screenshot from the thread is included below (Figure 2).\r\nFigure 2. Screenshot of the thread on a Taiwanese APK sharing forum promoting Whoscall\r\nAt the bottom of the forum post, a link is included for users to download the app. This link, which is updated each\r\ntime EvilBamboo releases a new version of the APK, leads to a QR code that currently leads to a Dropbox link\r\nhosting the latest version of the APK. In the past, the link has led to a Google Drive URL run by an account called\r\n“TibetOne”.\r\nFake Websites and Social Media\r\nA primary method EvilBamboo uses to support distribution of its Android spyware is establishing websites that\r\nlend legitimacy to their apps. 
Since January 16, 2023, EvilBamboo has distributed the BADSIGNAL spyware\r\nthrough a fake website, www.signalplus[.]org, created for that purpose. As the\r\nname suggests, it is a backdoored version of the Signal app (Figure 3).\r\nFigure 3. Website www.signalplus[.]org used to distribute BADSIGNAL\r\nIn addition to the backdoored version of Signal, Volexity uncovered historic samples where BADSIGNAL code\r\nwas used to backdoor other applications. Two notable examples of this involve backdooring the Telegram\r\napplication. As with the Signal variant, EvilBamboo created fake websites to distribute these samples,\r\nwww.flygram[.]org (Figure 4) and www.groupgram[.]org. There is also a promotional YouTube video for the\r\nbackdoored FlyGram app. These samples appear to have been active since June 2020, and they implement the\r\nsame style of command-and-control (C2) communication through a REST API on port 4432.\r\nFigure 4. Fake website www.flygram[.]org used to distribute BADSIGNAL\r\nThe Telegram variants implement the same API endpoints as the Signal variants to gather information from the\r\ndevice, and they implement a proxy. Due to misconfiguration of the C2 server, it was possible to enumerate the\r\nAPI endpoints used by the FlyGram variant, which showed the threat actor had configured API endpoints for an\r\niOS version of the app (Figure 5).\r\nFigure 5. 
API endpoints indicating the existence of an iOS version of BADSIGNAL\r\nVolexity was not able to confirm the existence of a BADSIGNAL iOS app, but the existence of API endpoints, as\r\nwell as the “Apple” link on the main page of their fake website, suggests this was at least in development, if not\r\nalready deployed in the wild.\r\nAnother site created to assist with distribution of malware is allwhatsapp[.]net, which hosts variations of\r\nBADBAZAAR (Figure 6).\r\nFigure 6. Fake website allwhatsapp[.]net\r\nIn addition to the allwhatsapp[.]net website, there is a corresponding Telegram channel for the AllWhatsApp\r\ncommunity. The threat actor also attempted to use Reddit to advertise the app from /r/whatsapp (Figure 7).\r\nFigure 7. A post on Reddit in /r/whatsapp promoting allwhatsapp[.]net\r\nTelegram-based Distribution\r\nAs shown in Figure 7, there are often supporting Telegram groups used to share the latest version of any given\r\napplication EvilBamboo is pushing. Sometimes these groups are themed around a specific application, but on\r\nother occasions they are themed around a category of applications. While it may seem unusual to download apps\r\nfrom a source like this, it is not an uncommon practice, particularly where users may speak languages (such as\r\nTibetan or Uyghur) not commonly supported by the official versions of apps. In Figure 7, a user named\r\n“kimeOmar” was advertising the AllWhatsApp application. In Figure 8, the same user can be seen on /r/Tibet\r\ngiving positive feedback to a post from “tenzinnima” that advertised the Telegram channel “Tibetanmaptalk”.\r\nFigure 8. 
Post on Reddit in /r/Tibet with interaction between personas in different clusters\r\nThe post asks for a Tibetan translation of map software named AlpineQuest, which is backdoored with\r\nBADBAZAAR, and contains a link to the dedicated Telegram channel “Tibetanmaptalk”, which discusses the translation of\r\nthe application. Messages in this group have also been used to distribute applications backdoored with the\r\nBADSOLAR malware.\r\nThe “Tibetanmaptalk” group also had messages forwarded to it that were originally posted in the Telegram group\r\n“Tibetanphone”, which appears to be impersonating the legitimate @TibetComputer channel on YouTube. Since\r\nNovember 8, 2020, EvilBamboo has been targeting individuals of Tibetan ethnicity via distribution of Android\r\nspyware through this group. To date, more than 120 backdoored APKs have been shared through this group, the\r\nmost recent being only a few days before this blog’s release.\r\nIn addition to Android apps, one message in the group contained a link to an iOS application named “TibetOne”\r\navailable in the Apple App Store. The application had already been removed from the Apple App Store by the time\r\nof analysis.\r\nFigure 9. 
“TibetOne” app that was previously available in the Apple App Store.\r\nSince the application was removed from the Apple App Store, it is not possible to confirm if it was malicious.\r\nHowever, Volexity assesses that it is likely the iOS application was malicious based on the following:\r\nAll Android applications posted on the same Telegram group contain malicious code.\r\nIt has since been removed from the Apple App Store, likely by Apple after it was identified as a malicious\r\napplication.\r\nIt is unknown to which malware family the malicious iOS application belongs.\r\nA summary of the known channels used to distribute EvilBamboo malware is given in the table below:\r\nChannel Name Subscriber Count\r\nallwhatsapp_net 4,917\r\ntibetanmaptalk 25\r\nalpinequest_tel 1,926\r\ntibetanfree 47\r\ntibetanphone 628\r\nfreetibet1 189\r\nuyapk1 1,367\r\nprayerforholiness 31\r\nFake Websites Leading to Malicious JavaScript\r\nA user who routinely shares BADSOLAR samples via the “Tibetanphone” Telegram group also shared a link to\r\nignitetibet[.]net. This website is currently active and hosted on infrastructure (45.154.12[.]80) that has overlaps\r\nwith uyghurinfo[.]net, which also shares a distinct registration pattern with several of the BADSOLAR C2\r\ndomains. Further, the same IP address hosts a website that has a simple survey regarding Taiwan’s independence,\r\ntw.tinmf[.]org.\r\nOne article published on ignitetibet[.]net in March 2023 attempts to load two additional resources (Figure 10).\r\nFigure 10. Additional resources loaded when viewing a March 2023 article posted on ignitetibet[.]net\r\nThe request to the URL on port 9001 received no response at the time of analysis; however, the second resource\r\n(jquery.min.js) loaded an obfuscated profiling script, which Volexity refers to as JMASK. 
JMASK is a custom\r\nprofiler that is minified and obfuscated through the use of Unicode declarations of each string, which are declared\r\nin reverse. In summary, the purpose of JMASK is as follows:\r\nCollect basic device information, such as the time zone, language, and screen resolution.\r\nList the user’s Ethereum accounts if they are running the MetaMask extension. The technique used to do\r\nthis will not work in MetaMask extension versions newer than Q2 2020.\r\nFingerprint the browser using canvas-based fingerprinting. Curiously, the implementation fills the canvas\r\nused for fingerprinting with a reference to a Chinese-language GitHub account named “Eular” (Figure 11).\r\nIt is unclear why this string was chosen.\r\nFigure 11. Canvas function used to fingerprint a user’s browser referencing a Chinese-language GitHub account\r\nnamed “Eular”\r\nThere is no automated loading of any additional JavaScript. Instead, Volexity hypothesizes that the profiling script\r\nwas used to produce lists of potentially valid victim IP addresses, and that access to the likely exploitation code on\r\nport 9001 was gated based on this list. Another page on ignitetibet[.]net contained an iframe element linking to\r\nhxxps://jindjjdtc[.]com/HxtDp2fORTSU.html. At the time of analysis, this link was not live.\r\nBased on the URI schema used, Volexity assesses with low confidence that this URL hosted IRONSQUIRREL\r\ndue to its similarity to other in-the-wild URIs used by EvilBamboo which hosted the same framework. In later\r\nversions of JMASK observed, the script was adjusted to identify specific versions of Apple devices\r\nrendering the page, based on a publicly available project.\r\nA third site of note, tibetone[.]org, shares the same registration pattern as the BADSOLAR C2 and\r\nuyghurinfo[.]net. 
This site is promoted on Reddit and Twitter by the same personas mentioned previously that\r\npromoted BADBAZAAR and BADSOLAR. The name of this site also appeared as that of a likely malicious iOS app\r\nassociated with BADSOLAR, as well as of a Google account used to distribute the BADBAZAAR variant targeting\r\nTaiwanese individuals. The site has associated Facebook and YouTube accounts that are likely controlled by\r\nEvilBamboo as part of their effort to create communities to distribute malicious applications.\r\nAll three sites appear to be run by EvilBamboo. They contain a mix of content copied from legitimate websites\r\nand bespoke pieces to lend legitimacy to their campaigns targeting Uyghur and Tibetan individuals. A summary of\r\nthe links between these sites and the wider campaign is shown below (Figure 12).\r\nFigure 12. Summary of some of the links discovered in Volexity’s EvilBamboo research\r\nConclusion\r\nThis blog details a series of long-running campaigns by the EvilBamboo threat actor targeting groups of interest\r\nthat are seen as a threat by the CCP, both domestically and internationally. These campaigns largely rely on users\r\ninstalling backdoored apps, which highlights both the importance of only installing apps from trusted authors and\r\nthe lack of effective security mechanisms to stop backdoored apps making their way onto official app stores. It is\r\nworth noting that for some users, installing applications from untrusted sources is not unusual, as often their\r\nlanguage is not officially supported by application developers.\r\nCompromise of mobile devices enables the collection of large amounts of highly sensitive information about\r\nindividuals, which can put them—and those close to them—at risk. 
EvilBamboo is actively using three mobile\r\nspyware families, BADBAZAAR, BADSIGNAL and BADSOLAR, as part of their active collection apparatus to\r\nsurveil these individuals and presumably weaponize this information to further their objectives against these\r\ntargeted ethnicities.\r\nEvilBamboo’s creation of fake websites, and the personas tailored to the specific groups they target, has been a\r\nkey aspect of their operations, enabling them to build trusted communities that provide further avenues to target\r\nindividuals with their spyware or for other exploitation. The threat actor has co-opted the trust users have in\r\nlegitimate platforms, such as YouTube, Reddit, Twitter, Instagram, Facebook, and other online forums, to add\r\nlegitimacy to these operations. A list of the observed profiles on these platforms is given here.\r\nTo detect and investigate the attacks discussed, Volexity recommends the following:\r\nUse the YARA rules provided here to detect related activity.\r\nBlock the IOCs provided here.\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via\r\nits Threat Intelligence Service and was covered by a series of TIBs published in June 2023. Volexity\r\nNetwork Security Monitoring customers are also covered automatically through signatures and\r\ndeployed detections from the threats and IOCs described in this post.\r\nIf you are interested in learning more about these products and services, please do not hesitate to\r\ncontact us.\r\nAppendix\r\nBADBAZAAR Analysis\r\nCredit for first identifying BADBAZAAR belongs to Lookout. Their November 2022 blog post detailed its use to\r\ntarget Uyghur and other individuals of Muslim faith. Many samples discovered by Volexity in its research do not\r\ndeviate significantly from Lookout’s existing writeup. 
However, one variation shared in the context of the\r\nWhoscall application is worth describing.\r\nThe latest versions shared on apk[.]tw contain a new variant of BADBAZAAR with additional capabilities that\r\nallow EvilBamboo to automatically update the app. This updater functionality is implemented through the\r\njudgeUpdateOrNot function (Figure 13), which checks the installed malware version through the\r\ncom.whoscall.update.CompleteReceiver class. Based on this, the code includes functions to check the version_url\r\nto see if the currently installed version of the app is the latest version (judgeUpdateOrNot), and if it should attempt\r\nto update the app (sbDownload).\r\nFigure 13. judgeUpdateOrNot function\r\nThis functionality is separate from the main logic flow of the malicious code, which still looks to download a\r\nsecond-stage implant in the form of a JAR file. The second stage contains the main malicious capabilities of the\r\nspyware and allows the threat actor to issue commands to do the following:\r\nGet SMS messages stored on the terminal.\r\nGet call logs.\r\nGet the device information, such as the IMEI, IMSI, time zone, Wi-Fi details, etc.\r\nTake photos.\r\nGet the contacts list.\r\nGet the installed apps.\r\nList and get stored files and pictures on the device.\r\nGet the location of the device.\r\nEach compromised device is identified by its DeviceID. In addition to these commands, the operator receives the\r\nuser’s SMS messages in real time, which are automatically forwarded to the C2 server. Volexity hypothesizes that\r\nthe purpose of this real-time SMS theft is to target SMS-based Multi-Factor Authentication (MFA).\r\nBADSOLAR Analysis\r\nBADSOLAR is a malware family that is backdoored into legitimate Android applications. 
It appears to be used\r\nprimarily with Tibetan-themed apps, ranging from prayer apps to Tibetan dictionaries. The malicious\r\ncode is executed through the creation of a service in the MainActivity class (Figure 14).\r\nFigure 14. MainActivity class\r\nThis ultimately executes the BADSOLAR loader that is located in the com.SolARCS.SolClient class, which\r\nserves as the inspiration behind the name of the spyware family. The C2 is stored as an encrypted string that is\r\ndecrypted using the DES algorithm with the key yhnrfv (Figure 15).\r\nFigure 15. C2 stored as an encrypted string which is decoded using the key yhnrfv\r\nThe decrypted C2 address for all known samples of BADSOLAR is comeflxyr[.]com. The loader’s main function\r\nis to download a JAR file from the C2 server and load it by using the DexClassLoader class. The screenshot\r\nbelow shows the loading of the CommandExecute() method located in the downloaded JAR file (Figure 16).\r\nFigure 16. Loading of the CommandExecute() method\r\nThe second-stage implant is based on the open-source AndroRAT, available on GitHub. While BADSOLAR’s\r\ndeveloper has added some capabilities and modified the code, the original code was clearly forked from\r\nAndroRAT. 
The C2 address is encrypted using the same algorithm and key previously described for the loader.\r\nThe method names are not obfuscated, and the functions closely match their names:\r\nFunction Description\r\nAdvancedSystemInfo Get information on the terminal, such as battery details and device temperature.\r\nCallLogLister Get the call history with the date, duration, and name associated with the caller.\r\nContactsLister Get contacts information.\r\nDeviceInfo Get device information, such as the MAC, operator, vendor, model, IMEI, IMSI, time zone, etc.\r\nDirLister List the files on the device.\r\nFileDownloader Upload a file to the C2 server.\r\nGetDeviceInfos Get the IMEI, SIM serial number, and phone number of the device.\r\nGPSListener Get the location.\r\nPhotoTaker Take a picture.\r\nSMSLister Get stored SMS messages.\r\nUDPThread Communicate over UDP (port 137).\r\nWifiUtils Get the Wi-Fi details, such as the IP, SSID, BSSID, MAC, and DNS servers. The malware is also able to list the ARP table by using ip neigh show.\r\nSystemInfo Execute most of the functions listed in this table.\r\nBADSIGNAL Analysis\r\nIn contrast to BADBAZAAR and BADSOLAR, BADSIGNAL does not download a second-stage payload.\r\nInstead, all capabilities are included in the main APK. The malicious code is loaded by extending the legitimate\r\nPassPhraseRequiredActivity class in org.thoughtcrime.securesms.MainActivity. 
BADSIGNAL uses a REST API\r\non port 4432 as part of its C2 communication, with the following endpoints:\r\nEndpoint Description\r\n/api/Location Used to exfiltrate the location and the Wi-Fi information\r\n/api/QRCode Silently sends a QR Code to the device and adds the operator’s device to the Signal device list; more information can be found in the official documentation\r\n/api/Proxy Used to get a proxy server for Signal; more information on Signal proxies can be found in the official documentation\r\n/api/values Used to exfiltrate the details on the compromised device (IMEI, version, phone operator, model, vendor, IMSI, etc.), but also Signal data such as the Signal PIN\r\n/api/clientLogin Used to exfiltrate the values sent to /api/Location and the values sent to /api/values in a single request\r\nThe generic information stolen and sent to /api/values uses the same code as BADBAZAAR and BADSOLAR.\r\nOne of the most interesting aspects of BADSIGNAL is how it interacts with the Signal application it has\r\nbackdoored. The threat actor silently links a new device to the user’s Signal account, steals the Signal PIN code,\r\nand forces the use of a Signal proxy server. This enables EvilBamboo to read any new messages sent through the\r\nlegitimate Signal app.\r\nSource: https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/"
	],
	"report_names": [
		"evilbamboo-targets-mobile-devices-in-multi-year-campaign"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434761,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3fab3a9e9317eab7dae6829a25c2aa0737027a1.pdf",
		"text": "https://archive.orkl.eu/f3fab3a9e9317eab7dae6829a25c2aa0737027a1.txt",
		"img": "https://archive.orkl.eu/f3fab3a9e9317eab7dae6829a25c2aa0737027a1.jpg"
	}
}