
Uyghur Diaspora Group Targeted by Remote Surveillance Malware


Exiled Uyghurs Targeted by Sophisticated Spear Phishing Campaign

Recent findings by researchers at the Citizen Lab reveal a troubling spear phishing campaign specifically targeting members of the exiled Uyghur community. This campaign appears to be intricately designed to deploy surveillance malware against several representatives of the Uyghur populace, particularly those affiliated with the World Uyghur Congress (WUC).

In March 2025, senior leaders within the WUC received notifications from Google, alerting them that their accounts had allegedly been targeted in attacks that were believed to be backed by a government entity. The WUC, established in Munich, serves as an international platform aimed at representing the collective interests of the Uyghur people, both within their native Xinjiang and abroad.

The meticulous forensic analysis conducted by the Citizen Lab indicates that this phishing campaign utilized a trojanized version of an open-source word processing and spell-check tool tailored for the Uyghur language. The ultimate objective was to deliver Windows-based malware capable of conducting remote surveillance on the targeted users. Noteworthy is the observation that, while the spyware itself showcased only moderate complexity, the attackers displayed an extensive understanding of their target community. This level of insight is indicative of their preparation, as they invested considerable effort into ensuring that the malicious delivery mechanism came across as credible and legitimate.

Interestingly, the malware was developed by a reputable figure within the Uyghur community, someone known to several WUC members. This fact not only augmented the credibility of the malware delivery but also indicated a high level of customization in targeting these specific individuals. Additionally, technical artifacts gathered during the investigation suggested that the attackers had commenced groundwork for the campaign as early as May 2024. This evidence leads to the conclusion that the operation was both well-planned and executed over an extended timeline.

The Citizen Lab researchers strongly suspect that the perpetrators are aligned with the Chinese government, a conclusion drawn from the methodology and objectives evident in the attack.

Intricate Kill Chain: Phishing Emails and Malware Delivery

The spear phishing emails sent to senior WUC members impersonated a trusted contact from a partner organization, containing deceptive Google Drive links. Upon clicking these links, recipients would unknowingly download a password-protected .rar archive file.

Within this archive resided a hijacked version of a legitimate Uyghur language text editor, known as UyghurEditPP. Upon execution, this trojanized application revealed a backdoor that would profile the user’s system, relay gathered information back to a remote command-and-control (C2) server, and hold the potential to introduce additional harmful plugins.

Specifically, the malware was designed to collect a variety of information from the infected system, including machine name, username, IP address, operating system version, and MD5 hashes of the aforementioned details along with hard disk serial numbers. Once the malware operator confirmed that they were tracking a legitimate target, they could execute multiple tasks, such as downloading files from, uploading files to, or running commands on the affected devices.
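The profiling and C2 beaconing described above leave a trace in DNS telemetry. The following is an added defender-side example, not code from the Citizen Lab report: it scans constructed DNS query log lines for the defanged C2 domains named in this article and for subdomains under dynamic-DNS parent zones. The log line format and the dynamic-DNS zone list are assumptions and should be replaced with your resolver's format and the provider's documented zones.

```python
import re
from typing import Dict, List, Optional

# Domains named in the article, kept defanged as written and refanged for matching.
DEFANGED_C2_DOMAINS = ["gheyret[.]com", "gheyret[.]net", "uheyret[.]com"]

# ASSUMPTION: illustrative dynamic-DNS parent zones; substitute the zones the
# provider actually operates. Any third-level name under them is flagged.
DYNDNS_SUFFIXES = ["dynu.net", "dynu.com"]

# ASSUMPTION: simple "<timestamp> <client-ip> query <qname>" resolver log format.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as gheyret[.]com into a matchable name."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def classify_query(qname: str) -> Optional[str]:
    """Return 'known_c2', 'dyndns_subdomain', or None for a queried name."""
    name = qname.rstrip(".").lower()
    # Exact match or any subdomain of a listed C2 domain.
    if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
        return "known_c2"
    # A host registered under a dynamic-DNS zone (not the zone apex itself).
    for suffix in DYNDNS_SUFFIXES:
        if name != suffix and name.endswith("." + suffix):
            return "dyndns_subdomain"
    return None


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse resolver log lines and return the ones that match an indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        verdict = classify_query(m["qname"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "verdict": verdict})
    return hits


# Constructed sample log; the client addresses and the dyndns host are made up.
SAMPLE_LOG = [
    "2025-03-03T10:15:02Z 10.0.0.12 query gheyret.com",
    "2025-03-03T10:15:09Z 10.0.0.12 query www.example.com",
    "2025-03-03T10:16:44Z 10.0.0.25 query uyghur-news.dynu.net",
    "2025-03-03T10:17:00Z 10.0.0.30 query update.gheyret.net",
    "this line is not a query record",
]
```

Run `scan_dns_log(SAMPLE_LOG)` to get the three flagged records; a dyndns hit is a lead to triage, not proof of compromise on its own.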

Command-and-Control Infrastructure: Two Distinct Clusters

The C2 infrastructure employed in this campaign was segregated into two separate clusters. The first consisted of domains created by adversaries, such as gheyret[.]com, gheyret[.]net, and uheyret[.]com, which impersonated the developer of UyghurEditPP. It is believed that this cluster was actively used from June to February 2024.

In contrast, the second cluster specifically targeted WUC members, utilizing subdomains registered through Dynu Services, a dynamic DNS provider based in Arizona. These subdomains cleverly incorporated Uyghur-specific terms without any direct reference to the tool or its developer, functioning from December 2024 through March 2025. Despite these differences, both clusters relied on the same Microsoft certificate and shared IPs, linked to Choopa LLC—a hosting provider often associated with cyber threat activities.

The existence of these two distinct clusters raises pertinent questions about whether their creation reflected a shift in strategic approach or if they represented two separate campaigns aimed at diverse segments within the Uyghur community.

Attribution: Evidence of State Affiliation

The Citizen Lab report highlights that the malicious campaign targeting WUC members was lacking in technical sophistication; it did not employ zero-day exploits or advanced spyware. Nevertheless, it exhibited a significant degree of social engineering prowess, underlining the attackers’ deep familiarity with the Uyghur community.

While the researchers could not definitively identify the attackers, their techniques and strategic targeting strongly imply alignment with the Chinese state. For over a decade, WUC members have endured cyber attacks, ranging from DDoS assaults on their digital platforms to phishing attempts that employ sophisticated social engineering to exfiltrate sensitive data.

The authors of the Citizen Lab report recommend that nations hosting exiled communities disseminate information about the specific dangers they face and provide tangible support to help mitigate the threats and consequences of transnational repression.

Furthermore, the researchers advocated for standardizing practices similar to those implemented by companies like Google and Apple, which issue notifications for individuals targeted by state actors. Such measures should be expanded across all digital service providers catering to vulnerable communities, to ensure better protection against these insidious threats.
